Kemp Support, how can we help?

The latest application delivery knowledge and expertise at your fingertips.

LoadMaster Security Hardening in 7.2.51

This article relates to LoadMaster firmware version 7.2.51.

In LoadMaster firmware version 7.2.51, a number of changes were made to harden LoadMaster security. For details on some user-facing changes, refer to the sections below.

Regenerate SSH Host Keys

In LoadMaster firmware version 7.2.51, a new menu option was added in the console to regenerate SSH host keys (Local Administration > Regenerate SSH Host Keys).

Host keys are kept in sync on High Availability (HA) machines.

Note that in GEO Partnering mode, SSH host keys are not automatically synchronized, because GEO does not use a shared IP address and the information exchange between partners does not depend on SSH access.

Amazon Web Services (AWS) sets its own host key so the regenerate SSH host keys functionality is not available on AWS LoadMasters.

On Azure, there are two authentication mechanisms; password and SSH key. If you have chosen password authentication, it is possible to use the regenerate SSH host keys functionality in the LoadMaster. If you are using Azure SSH key authentication, the regenerate SSH host keys functionality in the LoadMaster is not available.

When you regenerate the LoadMaster's host key, the $HOME/.ssh/known_hosts on all current SSH clients must be updated with the new public key.

The SSH key on LoadMaster firmware versions prior to 7.2.51 is always the same. When you upgrade to 7.2.51 or downgrade from 7.2.51, the SSH key will change. After upgrading to 7.2.51, the key is regenerated and will stay the same on 7.2.51 and above until you regenerate it again.

Certificates Will Not Work After Downgrading from 7.2.51

Improvements have been made to the secure storage area on disk for SSL private keys. As a result of these improvements, certificates stored on LoadMaster Operating System (LMOS) 7.2.51 or later releases will not work after downgrading to an earlier version.

To work around this, create a backup of all SSL certificates before downgrading and then restore the certificates after downgrading (Certificates & Security > Backup/Restore Certs). If you forget to take the backup before downgrading: upgrade the firmware again, take the certificate backup, downgrade, and then restore the certificate backup.

For further details on SSL in general, refer to the Long Term Support (LTS) SSL Accelerated Services Feature Description document.