Impact of a cluster lock down?

Hi guys.

There are not many details on the impact of a cluster lock down on Nutanix. Documentation explains how to achieve this, by disabling remote password login and deleting all public keys. However, nothing on what is then no longer possible to achieve.

My understanding (please correct me if I'm wrong, and confirm if I'm right) is that cluster communication is not done through SSH, and neither is configuration from the Web Console. Therefore, locking down the cluster just prevents logging in through SSH, and hence disallows usage of allssh commands, for example. In that case, the only way to manage the cluster is to access it from Prism. Is all this correct? Any other impact?

2 replies

Hi guys,

Any chance to have an input on this? Would appreciate the help.

Hi Gandahar,

Apologies for the delay. US holidays.

Cluster Lockdown disables the ability to log in via SSH by password-challenge. However, you can add your public ssh-key via Prism and still log in via SSH by using your ssh key. This adds a layer of non-repudiation to the connection, since the key used to access the emergency account on the shell is logged (tied to you). Adds a layer of cryptographic exchange to the connection instead of just a source IP.

All CVMs have a set of ssh-keys that are generated at installation, so all CVMs in a cluster can still communicate with each other using keys, and you can ssh between them using keys once you gain access (see above for adding your public key pair in Prism).
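
The non-repudiation point in the reply above can be checked from the SSH logs. This is an added example, not part of the original thread and not Nutanix code: it assumes standard OpenSSH sshd "Accepted ..." log lines, and the account name, host names, IPs, fingerprints and key-owner inventory are all constructed.

```python
import re

# OpenSSH sshd "Accepted ..." line; the key type and fingerprint are only
# present for publickey logins.
ACCEPTED = re.compile(
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2"
    r"(?:: (?P<ktype>\S+) (?P<fp>SHA256:\S+))?"
)

# Constructed inventory: fingerprint of each public key added in Prism -> owner.
KEY_OWNERS = {
    "SHA256:CONSTRUCTED-alice-key": "alice",
    "SHA256:CONSTRUCTED-bob-key": "bob",
}

# Constructed log lines (hosts, account, IPs and fingerprints are made up).
SAMPLE_LOG = """\
Jan  3 09:12:01 cvm-a sshd[4121]: Accepted publickey for cvmuser from 10.0.0.15 port 50122 ssh2: RSA SHA256:CONSTRUCTED-alice-key
Jan  3 09:14:40 cvm-a sshd[4180]: Failed password for cvmuser from 10.0.0.77 port 41000 ssh2
Jan  3 09:20:13 cvm-b sshd[4302]: Accepted publickey for cvmuser from 10.0.0.31 port 50990 ssh2: ED25519 SHA256:CONSTRUCTED-unlisted-key
Jan  3 09:31:55 cvm-b sshd[4377]: Accepted password for cvmuser from 10.0.0.99 port 40100 ssh2
"""


def audit(log_text, key_owners):
    """Return (source_ip, account, owner, status) for every accepted login."""
    findings = []
    for line in log_text.splitlines():
        m = ACCEPTED.search(line)
        if not m:
            continue  # failed attempts and unrelated lines are not logins
        if m["method"] != "publickey":
            # Should never appear once password login is disabled.
            status, owner = "non-key-login", None
        elif m["fp"] in key_owners:
            status, owner = "ok", key_owners[m["fp"]]
        else:
            # Key accepted by sshd but not in the inventory of registered keys.
            status, owner = "unknown-key", None
        findings.append((m["ip"], m["user"], owner, status))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG, KEY_OWNERS):
        print(finding)
```

Because everyone logs in to the same shared account, the fingerprint is the only field that distinguishes one administrator from another; the source IP alone does not.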