Setting and Clearing SSH Restrictions

Restrictions according to selected Ethernet device

Luna Network HSM 7 has two Ethernet devices, eth0 and eth1, that can be used for SSH connections. If your environment requires that SSH be restricted to one or the other, use the command sysconf ssh device eth0 or sysconf ssh device eth1.

To remove the restriction, use the command sysconf ssh device all.

Restrictions according to originating client host IP

If your situation requires that you restrict client access against a named appliance user ID, such that only specified host IP addresses are permitted to make SSH connections, then you can create an allowlist of acceptable host IPs for each user ID on your appliance.

Use the sysconf ssh client list command to see the connection permission status of:

>any of the default appliance user IDs, and

>any named user IDs that you have created on the appliance.

Use the sysconf ssh client add, sysconf ssh client delete, and sysconf ssh client clear commands to manage allowlists of host IPs permitted to make SSH connections to any or all of the appliance user IDs.

If a user ID has "All clients" beside it in the sysconf ssh client list output, then there are no restrictions (by the appliance) regarding which external client host IPs can make SSH connections to that user ID.
If a user ID has one-or-more IP addresses beside it in the sysconf ssh client list output, then no external client host IPs, other than those explicitly named, can make SSH connections to that user ID.

NOTE   These commands have no awareness of whether the provided host IP represents a valid Luna client. The command applies general IP-based SSH access filtering only. It is up to you to ensure that you are using a correct host IP address in each instance, such as the one you would have separately configured for NTLS or STC client connections - see Client-Partition Connections.
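Because the allowlist is plain IP filtering with no link to registered Luna clients, it is worth auditing it off-box against the set of administrative hosts you actually provisioned. The following Python script is an added example written for this page; it is not Thales code and does not run on the appliance. It assumes a simple "user  <All clients | ip, ip, ...>" line layout for the sysconf ssh client list output (the sample text is constructed for the example; the real column layout may differ, so adapt parse_client_list to what your appliance prints), and the names parse_client_list, audit_ssh_allowlists and SshClientPolicy are the example's own.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample standing in for "sysconf ssh client list" output: one
# line per appliance user ID. The exact layout is an assumption of this
# example, not the documented LunaSH format.
SAMPLE_LIST_OUTPUT = """\
admin      192.0.2.10, 192.0.2.11
operator   All clients
monitor    192.0.2.10
audit      198.51.100.7
"""


@dataclass
class SshClientPolicy:
    user: str
    restricted: bool                      # False when the appliance shows "All clients"
    allowed: list = field(default_factory=list)   # ipaddress objects when restricted


def parse_client_list(text: str) -> list:
    """Parse the assumed 'user  <All clients | ip, ip, ...>' lines."""
    policies = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        user, _, rest = line.partition(" ")
        rest = rest.strip()
        if rest.lower() == "all clients":
            policies.append(SshClientPolicy(user, restricted=False))
            continue
        allowed = []
        for token in rest.split(","):
            token = token.strip()
            if token:
                # ipaddress.ip_address raises ValueError on a malformed entry;
                # let it surface rather than silently dropping the entry.
                allowed.append(ipaddress.ip_address(token))
        policies.append(SshClientPolicy(user, restricted=True, allowed=allowed))
    return policies


def audit_ssh_allowlists(policies, expected_hosts):
    """Return (user, kind, detail) findings.

    kind is "unrestricted" for a user ID still open to any host IP, or
    "unexpected-ip" for an allowlisted address that is not one of the
    administrative hosts you separately provisioned (for example the hosts
    you registered for NTLS or STC).
    """
    expected = {ipaddress.ip_address(h) for h in expected_hosts}
    findings = []
    for p in policies:
        if not p.restricted:
            findings.append((p.user, "unrestricted",
                             "any host IP may open an SSH session as this user"))
            continue
        for ip in p.allowed:
            if ip not in expected:
                findings.append((p.user, "unexpected-ip",
                                 f"{ip} is not a known administrative host"))
    return findings


if __name__ == "__main__":
    known_admin_hosts = ["192.0.2.10", "192.0.2.11"]   # constructed for the example
    for user, kind, detail in audit_ssh_allowlists(
            parse_client_list(SAMPLE_LIST_OUTPUT), known_admin_hosts):
        print(f"{user:10} {kind:15} {detail}")
```

Run it against a saved copy of the list output and the host IPs you intend to allow; every "unrestricted" finding is a user ID that still needs sysconf ssh client add, and every "unexpected-ip" finding is an entry to confirm or remove with sysconf ssh client delete.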