
Enabling SSH with public key authentication on VMWare ESXi 4

How-to enable SSH on a VMWare ESXi 4.0 host

VMware ESXi includes SSH support via the Dropbear SSH server, but the server is not enabled in a default installation. Having SSH access to the ESXi host is useful for many administration tasks. The FUD-meisters will tell you (and they aren't necessarily wrong) that:

  • SSH isn't officially supported
  • SSH is a security issue


This how-to describes:

  • enabling SSH
  • enabling SSH public key authentication for root (which can be replaced by user public key authentication)
  • saving the SSH configuration so that it is persistent across system restarts
  • enabling SSH public key authentication for users
  • disabling password authentication
  • disabling root SSH logins

Configuration

Enabling SSH

This procedure is well documented on the net. It requires console access (either physical access, or via a remote management card). By default SSH access is disabled for both IPv4 and IPv6.

1. From the ESXi console:

(Screenshot: VMWare ESXi 4.0 console)

  • press Alt+F1
  • Type: 'unsupported'
  • Enter the root password (Note: there is no prompt)

2. From the command prompt, edit the inetd configuration file '/etc/inetd.conf' and uncomment the SSH server configuration directive:

ssh     stream  tcp     nowait  root    /sbin/dropbearmulti     dropbear  ++min=0,swap,group=shell -i -K60

3. Restart the inetd daemon:

# kill -HUP `ps | grep inetd | cut -f 2 -d \ `

Public key authentication for root

Once the SSH server is running, the root user can authenticate with a password. If that password is weak, unauthorised access may be obtained.

The root user's home directory is the root of the filesystem (i.e. it is not '/root'); this can be verified by inspecting '/etc/passwd'. Create a directory '/.ssh' and add the SSH public keys to '/.ssh/authorized_keys'.

Note: some users have moved the root user's home directory by editing the '/etc/passwd' file. So that processes don't unexpectedly start in the wrong directory, I haven't made this change. It may well work OK.

Save the SSH configuration

The most common way I have seen to save the SSH configuration is to use the '/bootbank/oem.tgz' archive. This file seems to be used for OEM support on this IBM machine, so I didn't want to get in the way of this. So I have gone for an alternative scheme.

Add a new '/bootbank/home.tgz' archive containing all home directories (both the root user's home directory and the users' home directories):

# tar -C / -czf /bootbank/home.tgz .ssh home

Edit the '/bootbank/boot.cfg' file and add "--- home.tgz" to the end of the modules parameter:

/bootbank # cat boot.cfg
kernel=vmkboot.gz
kernelopt=
modules=vmk.gz --- sys.vgz --- cim.vgz --- oem.tgz --- license.tgz --- mod.tgz --- home.tgz
build=4.0.0-208167
updated=1
bootstate=0

Public key authentication for users

Users created in the vSphere client are created without a home directory and without a shell.

Create the user's home directory and its '.ssh' subdirectory, e.g. for the user bob:

# mkdir -p /home/bob/.ssh

Add the user's SSH public key to '/home/bob/.ssh/authorized_keys'.

I found that, unlike OpenSSH, the Dropbear server doesn't complain if the 'authorized_keys' file isn't owned by the user. I also found that when the machine was rebooted, the files were restored with root as the owner, files with mode 644 and directories with mode 755.
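The "save the SSH configuration" steps above (archiving the home directories and registering home.tgz in boot.cfg) together with the per-user '.ssh' setup from this section, as an added shell script that is not code from the original page. ROOT and BOOTCFG are parameters so the functions can be rehearsed in a scratch directory first; the APPLY_ON_ESXI guard is an assumption of this example.

```shell
#!/bin/sh
# Added example, not from the original page. Persists SSH key material by
# archiving the home directories into home.tgz and registering it as a boot
# module. Paths are parameters so the functions can be tried on scratch copies.

# install_user_key ROOT USER KEYLINE
# Creates ROOT/home/USER/.ssh and appends KEYLINE to its authorized_keys.
install_user_key() {
    root=$1; user=$2; key=$3
    mkdir -p "$root/home/$user/.ssh"
    echo "$key" >> "$root/home/$user/.ssh/authorized_keys"
}

# build_home_archive ROOT OUT
# Packs ROOT/.ssh (root's key, since root's home is /) and ROOT/home with
# paths relative to ROOT, which is how boot modules are unpacked onto /.
build_home_archive() {
    root=$1; out=$2
    set --
    [ -d "$root/.ssh" ] && set -- "$@" .ssh
    [ -d "$root/home" ] && set -- "$@" home
    [ $# -gt 0 ] || return 1
    tar -C "$root" -czf "$out" "$@"
}

# add_boot_module BOOTCFG MODULE
# Appends "--- MODULE" to the modules= line unless it is already listed,
# so re-running this script never produces a duplicate entry.
add_boot_module() {
    cfg=$1; mod=$2
    grep -Eq "^modules=.*--- $mod( |\$)" "$cfg" && return 0
    sed -i "s|^\(modules=.*\)\$|\1 --- $mod|" "$cfg"
}

# Only touch the live host when explicitly asked for (assumed guard).
if [ "${APPLY_ON_ESXI:-0}" = 1 ]; then
    build_home_archive / /bootbank/home.tgz
    add_boot_module /bootbank/boot.cfg home.tgz
fi
```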

Disabling password authentication

Use the Dropbear '-w' and '-s' options to disable root logins and password logins respectively. Edit '/etc/inetd.conf' to add these options:

ssh     stream  tcp     nowait  root    /sbin/dropbearmulti     dropbear  ++min=0,swap,group=shell -i -K60 -w -s

The ESXi host itself saves '/etc/inetd.conf' back to '/bootbank/local.tgz' (the file is listed in that archive; see the appendix), so no extra step is needed to persist this change. Restart the inetd daemon:

# kill -HUP `ps | grep inetd | cut -f 2 -d \ `

Note: the '-w' option didn't work for me, as root could still authenticate with a public key.
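Both edits this page makes to '/etc/inetd.conf' (uncommenting the ssh entry under "Enabling SSH", then adding '-w -s' here) as one added shell function, followed by the inetd reload; this is example code, not from the original page. It assumes busybox sed, ps and awk are available on the host, and takes the config path as a parameter so it can be tested on a copy first.

```shell
#!/bin/sh
# Added example, not from the original page. Edits the Dropbear entry in an
# inetd.conf: uncomment the IPv4 "ssh" line and set the Dropbear options that
# follow "-i -K60" (for example "-w -s"). The config path is a parameter.

# set_ssh_options CONF "OPTS"
set_ssh_options() {
    conf=$1; opts=$2
    # 1. drop the leading '#' from the IPv4 ssh entry only; tcp6 stays commented
    sed -i 's/^#\(ssh[[:space:]][[:space:]]*stream[[:space:]][[:space:]]*tcp[[:space:]]\)/\1/' "$conf"
    # 2. on the active ssh line, strip any -w/-s/-g flags already present ...
    sed -i "/^ssh[[:space:]]/s/\( -[wsg]\)*[[:space:]]*\$//" "$conf"
    # ... then append the requested ones, so re-running replaces instead of accumulating
    [ -z "$opts" ] || sed -i "/^ssh[[:space:]]/s/\$/ $opts/" "$conf"
}

# ssh_line CONF: print the active (uncommented) ssh entry for verification
ssh_line() {
    grep '^ssh[[:space:]]' "$1"
}

# reload_inetd: HUP inetd without matching the awk process itself.
# Assumes busybox ps prints the PID in the first column (an assumption here).
reload_inetd() {
    pid=$(ps | awk '/[i]netd/ { print $1; exit }')
    [ -n "$pid" ] && kill -HUP "$pid"
}

# Only touch the live host when explicitly asked for (assumed guard).
if [ "${APPLY_ON_ESXI:-0}" = 1 ]; then
    set_ssh_options /etc/inetd.conf "-w -s"
    ssh_line /etc/inetd.conf
    reload_inetd
fi
```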

Links

ESXi v4.1

Appendices

Dropbear options

Dropbear sshd v0.52
Usage: ./dropbear [options]
Options are:
-b bannerfile   Display the contents of bannerfile before user login
                (default: none)
-d dsskeyfile   Use dsskeyfile for the dss host key
                (default: /etc/dropbear/dropbear_dss_host_key)
-r rsakeyfile   Use rsakeyfile for the rsa host key
                (default: /etc/dropbear/dropbear_rsa_host_key)
-F              Don't fork into background
-E              Log to stderr rather than syslog
-m              Don't display the motd on login
-w              Disallow root logins
-s              Disable password logins
-g              Disable password logins for root
-j              Disable local port forwarding
-k              Disable remote port forwarding
-a              Allow connections to forwarded ports from any host
-p [address:]port
                Listen on specified tcp port (and optionally address),
                up to 10 can be specified
                (default port is 22 if none specified)
-P PidFile      Create pid file PidFile
                (default /var/run/dropbear.pid)
-i              Start for inetd
-W <receive_window_buffer> (default 131072, larger may be faster, max 1MB)
-K <keepalive>  (0 is never, default 0)
-I <idle_timeout>  (0 is never, default 0)


/etc/inetd.conf

The following are the default SSH settings in '/etc/inetd.conf' on a VMware ESXi host:

# Remote shell access
#
#ssh    stream  tcp     nowait  root    /sbin/dropbearmulti     dropbear  ++min=0,swap,group=shell -i -K60
#ssh    stream  tcp6    nowait  root    /sbin/dropbearmulti     dropbear  ++min=0,swap,group=shell -i -K60
#telnet stream  tcp     nowait  root    /bin/busybox    telnetd ++min=0,swap,group=shell
#telnet stream  tcp6    nowait  root    /bin/busybox    telnetd ++min=0,swap,group=shell

ipkg.conf


/bootbank/oem.tgz

Note: '/bootbank' is a symlink to the same filesystem that '/vmfs/volumes/Hypervisor1' symlinks to.

/bootbank # tar tzvvf oem.tgz
drwxr-xr-x 0/0         0 2009-11-17 02:49:32 usr/lib/vmware/vmkmod/
drwxr-xr-x 0/0         0 2009-11-17 02:49:32 etc/vmware/init/
drwxr-xr-x 0/0         0 2009-11-17 02:49:32 etc/vmware/pciid/
drwxr-xr-x 0/0         0 2009-11-17 02:49:32 sbin/
drwxr-xr-x 0/0         0 2009-11-17 02:49:32 usr/lib/ext/
drwxr-xr-x 0/0         0 2009-11-17 02:49:32 lib/cim/
drwxr-xr-x 0/0         0 2009-11-17 02:49:32 etc/cim/
drwxr-xr-x 0/0         0 2009-11-17 02:49:32 var/lib/sfcb/registration/
drwxr-xr-x 0/0         0 2009-11-17 02:49:32 etc/vmware/
-rw-r--r-- 0/0       438 2009-11-12 02:55:53 etc/vmware/support
drwxr-xr-x 0/0         0 2009-11-17 02:49:32 etc/vmware/init/
-rw-r--r-- 0/0       262 2009-11-12 02:55:53 etc/vmware/oem.xml
drwxr-xr-x 0/0         0 2009-11-17 02:49:32 etc/vmware/pciid/
drwxr-xr-x 0/0         0 2009-11-17 02:49:32 etc/ipmi/
-rw-r--r-- 0/0       637 2009-11-17 02:49:32 pkgdb.tgz

/bootbank/local.tgz

/bootbank # tar tzvvf local.tgz
-rw------- 0/0       458 2010-05-06 10:57:25 etc/dropbear/dropbear_dss_host_key
-rw------- 0/0       426 2010-05-06 10:57:23 etc/dropbear/dropbear_rsa_host_key
-rw-r--r-- 0/0        51 2010-05-20 12:43:06 etc/sysconfig/network
-rw-r--r-T 0/0      1721 2010-05-19 18:42:41 etc/vmware/hostd/authorization.xml
-rw-r--r-T 0/0       199 2010-05-22 07:04:48 etc/vmware/hostd/hostsvc.xml
-rw-r--r-T 0/0       465 2010-05-20 13:03:39 etc/vmware/hostd/pools.xml
-rw-r--r-T 0/0       274 2010-05-08 09:11:23 etc/vmware/hostd/vmAutoStart.xml
-rw-r--r-T 0/0       404 2010-05-19 09:49:23 etc/vmware/hostd/vmInventory.xml
-rw-r--r-T 0/0       989 2010-05-06 10:57:25 etc/vmware/ssl/rui.crt
-rw-r--r-T 0/0       887 2010-05-06 10:57:25 etc/vmware/ssl/rui.key
-rw-r--r-T 0/0         0 2009-11-08 08:50:25 etc/vmware/vmkiscsid/initiatorname.iscsi
-rw-r--r-T 0/0         0 2009-11-08 08:50:25 etc/vmware/vmkiscsid/iscsid.conf
-rw-r--r-T 0/0       512 2010-05-22 10:56:30 etc/vmware/dvsdata.db
-rw------- 0/0     28301 2010-05-22 07:11:57 etc/vmware/esx.conf
-rw-r--r-T 0/0       159 2010-05-22 11:00:27 etc/vmware/license.cfg
-rw-r--r-T 0/0       114 2010-05-06 10:57:48 etc/vmware/snmp.xml
-rw------- 0/0        29 2010-05-08 09:39:38 etc/vmware/vmware.lic
-rw-r--r-T 0/0       866 2010-05-07 08:36:50 etc/dhclient-vmk0.leases
---------- 0/0       152 2010-05-19 18:43:11 etc/group
-rw-r--r-- 0/0       227 2010-05-20 12:43:06 etc/hosts
-rw-r--r-T 0/0      1568 2010-05-08 07:16:06 etc/inetd.conf
-rw-r--r-- 0/0         7 2010-05-22 10:18:22 etc/ntp.drift
-rw-r--r-- 0/0       362 2010-05-19 18:43:11 etc/passwd
-rw------- 0/0       512 2010-05-08 09:11:01 etc/random-seed
-rw-r--r-T 0/0        76 2010-05-20 12:43:06 etc/resolv.conf
-rw-r--r-T 0/0       323 2010-05-07 10:13:13 etc/shadow
-rw-r--r-T 0/0         0 2009-11-08 09:01:08 etc/sfcb/repository/root/interop/cim_indicationfilter.idx
-rw-r--r-T 0/0         0 2009-11-08 09:01:08 etc/sfcb/repository/root/interop/cim_indicationhandlercimxml.idx
-rw-r--r-T 0/0         0 2009-11-08 09:01:09 etc/sfcb/repository/root/interop/cim_listenerdestinationcimxml.idx
-rw-r--r-T 0/0         0 2009-11-08 09:01:09 etc/sfcb/repository/root/interop/cim_indicationsubscription.idx
-rw-r--r-T 0/0       119 2010-05-20 12:42:51 etc/ntp.conf