sysconf ssh client add
Register an SSH client.
NOTE This command is available using Luna Appliance Software 7.7.1 and newer.
This command limits SSH access to the HSM by applying a per-user allowlist of client IP addresses. New IP addresses (comma-delimited if more than one) are added to the user's existing list, or a list is created if the user does not have one yet.
NOTE For multiple IP address entry, surround the list with quotation marks and separate list members with comma delimiters. Spaces are optional for readability, and are ignored.
If the list already includes an IP address that is being added, that address is ignored and any new ones are added to the list.
Invalid entries are flagged and the command exits.
User Privileges
Users with the following privileges can perform this command:
- Admin
- Operator
Syntax
sysconf ssh client add -userId <username> -host <multipleipaddresses> -force
Argument(s) | Shortcut | Description |
---|---|---|
-host <multipleipaddresses> | -h | SSH client IP(s) to register. Use ',' as a delimiter. |
-userId <username> | -u | User Name |
-force | -f | Force the action with no prompting. |
Example with single new IP address
lunash:>sysconf ssh client list
User ID Client Access status
---------------------------------------------
audit All clients
admin All clients
monitor All clients
operator All clients
Alice All clients
Command Result : 0 (Success)
lunash:>sysconf ssh client add -userId Alice -h 10.124.79.145
Alice will forfeit ssh access from any hosts not
configured with this Luna Network HSM.
If you are sure that you wish to proceed, then type 'proceed',
otherwise type 'quit'
> proceed
Proceeding...
INFO: Restarting sshd service is recommended to apply updated
ssh access configuration.
Command Result : 0 (Success)
lunash:>sysconf ssh client list
User ID Client Access status
---------------------------------------------
audit All clients
admin All clients
monitor All clients
operator All clients
Alice 10.124.79.145
Command Result : 0 (Success)
lunash:>
User ID "Alice" existed in the list (was registered) and that user ID could be accessed on the appliance from any host. The command in the example adds a single host IP that now becomes the only IP from which that user ID can be accessed on this appliance via SSH. The other user IDs in the list (audit, admin, monitor, and operator) remain wide open and can be accessed via SSH from any host IP, unless you have imposed other restrictions in your network configuration, external to the Luna Network HSM 7 appliance.
Example with multiple new IP addresses
lunash:>sysconf ssh client list
User ID Client Access status
---------------------------------------------
audit All clients
admin All clients
monitor All clients
operator All clients
Alice 10.124.79.145
Command Result : 0 (Success)
lunash:>sysconf ssh client add -userId Alice -host "10.124.145.18, 10.124.145.19, 10.124.145.20"
Alice will forfeit ssh access from any hosts not
configured with this Luna Network HSM.
If you are sure that you wish to proceed, then type 'proceed',
otherwise type 'quit'
> proceed
Proceeding...
INFO: Restarting sshd service is recommended to apply updated
ssh access configuration.
Command Result : 0 (Success)
lunash:>sysconf ssh client list
User ID Client Access status
---------------------------------------------
audit All clients
admin All clients
monitor All clients
operator All clients
Alice 10.124.79.145 10.124.145.18 10.124.145.19 10.124.145.20
Command Result : 0 (Success)
User ID "Alice" existed in the list (was registered) and that client could access the appliance from just a single host IP. The command in the example adds more host IPs such that the original host as well as three new ones become the only host IPs from which that client can access this appliance via SSH. The host IPs listed in the command happened to include the pre-existing one. That was not necessary to retain the pre-existing host IP, but also does not conflict. The other user IDs in the list remain wide open and can be accessed via SSH from any host IP, unless you have imposed other restrictions in your network configuration, external to the Luna Network HSM 7 appliance.
Example with multiple new IP addresses with extra spaces
lunash:>sysconf ssh client list
User ID Client Access status
---------------------------------------------
audit All clients
admin All clients
monitor All clients
operator All clients
Alice 10.124.79.145 10.124.145.18 10.124.145.19 10.124.145.20
Command Result : 0 (Success)
lunash:>sysconf ssh client add -userId Alice -host " 10.124.145.21, 10.124.145.22 , 10.124.145.23 "
Alice will forfeit ssh access from any hosts not
configured with this Luna Network HSM.
If you are sure that you wish to proceed, then type 'proceed',
otherwise type 'quit'
> proceed
Proceeding...
INFO: Restarting sshd service is recommended to apply updated
ssh access configuration.
Command Result : 0 (Success)
lunash:>sysconf ssh client list
User ID Client Access status
---------------------------------------------
audit All clients
admin All clients
monitor All clients
operator All clients
Alice 10.124.79.145 10.124.145.18 10.124.145.19 10.124.145.20 10.124.145.21 10.124.145.22 10.124.145.23
Command Result : 0 (Success)
User ID "Alice" existed in the list (was registered) and that client could access the appliance from any of four registered host IPs, but no other host IP could connect over SSH for that client user ID. The command in the example adds three more host IPs, expanding the list to seven host IPs from which that client can access this appliance via SSH. The existing host IPs are retained; it was not necessary to specify them again when adding new ones. If they had been included, they would have been ignored. The quotation marks enclosing the full list of new host IPs are optional and the spaces are ignored, but the commas that separate the IPs being added are required. The other user IDs in the list remain wide open and can be accessed via SSH from any host IP, unless you have imposed other restrictions in your network configuration, external to the Luna Network HSM 7 appliance.
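The following is an added example, not part of the original page or of Thales code: a workstation-side check that parses saved `sysconf ssh client list` output in the layout shown above, reports which user IDs still accept SSH from any host, and models the `-host` rules described on this page (comma-delimited, spaces ignored, already-listed addresses skipped, any invalid entry rejects the request). The function names and the sample text are constructed for illustration, and using Python's `ipaddress` module for validation is an assumption; the appliance's own validation may differ.

```python
import ipaddress

# Constructed sample in the layout of `sysconf ssh client list` output on this page.
SAMPLE_LIST = """\
User ID Client Access status
---------------------------------------------
audit All clients
admin All clients
monitor All clients
operator All clients
Alice 10.124.79.145 10.124.145.18
Command Result : 0 (Success)
"""

def parse_client_list(text):
    """Map user ID -> list of allowed IPs, or None when access is 'All clients'."""
    access = {}
    in_table = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("---"):
            in_table = True            # rows start after the dashed rule
            continue
        if line.startswith("Command Result"):
            in_table = False           # table ends at the result line
            continue
        if not in_table or not line:
            continue
        user, _, rest = line.partition(" ")
        rest = rest.strip()
        access[user] = None if rest == "All clients" else rest.split()
    return access

def unrestricted_users(access):
    """User IDs that still accept SSH from any host (no allowlist applied)."""
    return sorted(user for user, ips in access.items() if ips is None)

def plan_host_argument(existing, requested):
    """Return the -host value holding only addresses that are genuinely new.
    Raises ValueError on any invalid entry, mirroring 'flagged and the command exits'."""
    current = {ipaddress.ip_address(ip) for ip in (existing or [])}
    new = []
    for item in requested.split(","):
        addr = ipaddress.ip_address(item.replace(" ", ""))  # spaces are ignored
        if addr not in current and addr not in new:
            new.append(addr)
    return ",".join(str(addr) for addr in new)
```

Running `unrestricted_users` after every allowlist change gives a quick list of accounts that still rely on network controls external to the appliance.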