Enabling SSH with public key authentication on VMWare ESXi 4
How-to enable SSH on a VMWare ESXi 4.0 host
VMWare has SSH support using the Dropbear SSH server. This server is not enabled in a default installation. Having SSH access to the VMware host can be useful for many administration tasks. The fud-miesters would tell you (which aren't necessarily false):
- SSH isn't officially supported
- SSH is a security issue
This how-to describes:
- enabling SSH
- enabling SSH public authentication for root (which can be replaced by user public key auth)
- saving the SSH configuration so that it is persistent across system restarts
- enabling SSH public key authentication for users
- disabling password authentication
- disabling root SSH logins
Configuration
Enabling SSH
This procedure is well documented on the net. It requires console access (either physical access, or via a remote management card). By default SSH access is disabled for both IPv4 and IPv6.
1. From the ESXi console:
- press Alt+F1
- Type: 'unsupported'
- Enter the root password (Note: there is no prompt)
2. From the command prompt, edit the inetd configuration file '/etc/inetd.conf' and uncomment the SSH server configuration directive:
ssh stream tcp nowait root /sbin/dropbearmulti dropbear ++min=0,swap,group=shell -i -K60
3. Restart the inetd daemon:
# kill -HUP `ps | grep inetd | cut -f 2 -d \ `
Public key authentication for root
Once the SSH server is running, the root user can authenticate with a password. If the password is weak, then authorised access may be able to be obtained.
The root users home directory is the root of the filesystem (i.e. it is not '/root') - this can be verified by inspection of '/etc/passwd'. Create a directory '/.ssh' and add SSH public keys to '/.ssh/authorized_keys'.
Note: Some users have moved the root users home directory by editing the '/etc/passwd' file. So that processes don't unexpectedly start in the wrong directory, I haven't made this change. It may well work ok.
Save the SSH configuration
The most common way I have seen to save the SSH configuration is to use the '/bootbank/oem.tgz' archive. This file seems to be used for oem support on this IBM machine, so I didn't want to get in the way of this. So I have gone for an alternative scheme.
Add a new '/bootbank/home.tgz' archive with the contents of all home directories (both the root users home directory, and users home directories).
tar -C / -czf "/bootbank/home.tgz" /.ssh /home
Edit the '/bootbank/boot.cfg' file and add "--- home.tgz" to the end of the modules parameter:
cat boot.cfg kernel=vmkboot.gz kernelopt= modules=vmk.gz --- sys.vgz --- cim.vgz --- oem.tgz --- license.tgz --- mod.tgz --- home.tgz build=4.0.0-208167 updated=1 bootstate=0
Public key authentication for users
Users created in a vSphere client are created without a home directory, and no shell.
Create the users home directory, and .ssh directory. e.g. for the user bob
# mkdir -p /home/bob/.ssh
Add the users SSH public key to '/home/user/.ssh/authorized_keys'
I found that unlike OpenSSH, the Dropbear server doesn't complain if the 'authorized_keys' file isn't owned by the user. I also found that when the machine was rebooted, the files were restored with root as the owner, files mode 644, and directories mode 755.
Disabling password authentication
Use the Dropbear '-w' and '-s' options to disable root logins, and disable password logins. Change the '/etc/inetd.conf' to add these options.
ssh stream tcp nowait root /sbin/dropbearmulti dropbear ++min=0,swap,group=shell -i -K60 -w -s
This information must be saved by the VMware host back to '/bootbank/local.tgz'. Restart the inetd daemon:
# kill -HUP `ps | grep inetd | cut -f 2 -d \ `
Note: the '-w' option didn't work for me; as root could still authenticate with a public key.
Links
- http://www.techhead.co.uk/vmware-esxi-how-to-enable-ssh-connectivity
- http://www.yellow-bricks.com/2008/08/10/howto-esxi-and-ssh/
- http://professionalvmware.com/2009/05/unsupported-console-and-ssh-on-esxi-4/
- http://freshmeat.net/projects/dropbear/
- http://www.vm-help.com/esx40i/customize_oem_tgz.php
- Dropbear
ESXi v4.1
Appendices
Dropbear options
Dropbear sshd v0.52
Usage: ./dropbear [options]
Options are:
-b bannerfile Display the contents of bannerfile before user login
(default: none)
-d dsskeyfile Use dsskeyfile for the dss host key
(default: /etc/dropbear/dropbear_dss_host_key)
-r rsakeyfile Use rsakeyfile for the rsa host key
(default: /etc/dropbear/dropbear_rsa_host_key)
-F Don't fork into background
-E Log to stderr rather than syslog
-m Don't display the motd on login
-w Disallow root logins
-s Disable password logins
-g Disable password logins for root
-j Disable local port forwarding
-k Disable remote port forwarding
-a Allow connections to forwarded ports from any host
-p [address:]port
Listen on specified tcp port (and optionally address),
up to 10 can be specified
(default port is 22 if none specified)
-P PidFile Create pid file PidFile
(default /var/run/dropbear.pid)
-i Start for inetd
-W <receive_window_buffer> (default 131072, larger may be faster, max 1MB)
-K <keepalive> (0 is never, default 0)
-I <idle_timeout> (0 is never, default 0)
/etc/inetd.conf
The following is the default settings for SSH on a VMware ESXi host:
# Remote shell access # #ssh stream tcp nowait root /sbin/dropbearmulti dropbear ++min=0,swap,group=shell -i -K60 #ssh stream tcp6 nowait root /sbin/dropbearmulti dropbear ++min=0,swap,group=shell -i -K60 #telnet stream tcp nowait root /bin/busybox telnetd ++min=0,swap,group=shell #telnet stream tcp6 nowait root /bin/busybox telnetd ++min=0,swap,group=shellipkg.conf
/bootbank/oem.tgz
Note: '/bootbank' is a symlink to the same filesystem that '/vmfs/volumes/Hypervisor1' symlinks to./bootbank # tar tzvvf oem.tgz drwxr-xr-x 0/0 0 2009-11-17 02:49:32 usr/lib/vmware/vmkmod/ drwxr-xr-x 0/0 0 2009-11-17 02:49:32 etc/vmware/init/ drwxr-xr-x 0/0 0 2009-11-17 02:49:32 etc/vmware/pciid/ drwxr-xr-x 0/0 0 2009-11-17 02:49:32 sbin/ drwxr-xr-x 0/0 0 2009-11-17 02:49:32 usr/lib/ext/ drwxr-xr-x 0/0 0 2009-11-17 02:49:32 lib/cim/ drwxr-xr-x 0/0 0 2009-11-17 02:49:32 etc/cim/ drwxr-xr-x 0/0 0 2009-11-17 02:49:32 var/lib/sfcb/registration/ drwxr-xr-x 0/0 0 2009-11-17 02:49:32 etc/vmware/ -rw-r--r-- 0/0 438 2009-11-12 02:55:53 etc/vmware/support drwxr-xr-x 0/0 0 2009-11-17 02:49:32 etc/vmware/init/ -rw-r--r-- 0/0 262 2009-11-12 02:55:53 etc/vmware/oem.xml drwxr-xr-x 0/0 0 2009-11-17 02:49:32 etc/vmware/pciid/ drwxr-xr-x 0/0 0 2009-11-17 02:49:32 etc/ipmi/ -rw-r--r-- 0/0 637 2009-11-17 02:49:32 pkgdb.tgz
/bootbank/local.tgz
/bootbank # tar tzvvf local.tgz -rw------- 0/0 458 2010-05-06 10:57:25 etc/dropbear/dropbear_dss_host_key -rw------- 0/0 426 2010-05-06 10:57:23 etc/dropbear/dropbear_rsa_host_key -rw-r--r-- 0/0 51 2010-05-20 12:43:06 etc/sysconfig/network -rw-r--r-T 0/0 1721 2010-05-19 18:42:41 etc/vmware/hostd/authorization.xml -rw-r--r-T 0/0 199 2010-05-22 07:04:48 etc/vmware/hostd/hostsvc.xml -rw-r--r-T 0/0 465 2010-05-20 13:03:39 etc/vmware/hostd/pools.xml -rw-r--r-T 0/0 274 2010-05-08 09:11:23 etc/vmware/hostd/vmAutoStart.xml -rw-r--r-T 0/0 404 2010-05-19 09:49:23 etc/vmware/hostd/vmInventory.xml -rw-r--r-T 0/0 989 2010-05-06 10:57:25 etc/vmware/ssl/rui.crt -rw-r--r-T 0/0 887 2010-05-06 10:57:25 etc/vmware/ssl/rui.key -rw-r--r-T 0/0 0 2009-11-08 08:50:25 etc/vmware/vmkiscsid/initiatorname.iscsi -rw-r--r-T 0/0 0 2009-11-08 08:50:25 etc/vmware/vmkiscsid/iscsid.conf -rw-r--r-T 0/0 512 2010-05-22 10:56:30 etc/vmware/dvsdata.db -rw------- 0/0 28301 2010-05-22 07:11:57 etc/vmware/esx.conf -rw-r--r-T 0/0 159 2010-05-22 11:00:27 etc/vmware/license.cfg -rw-r--r-T 0/0 114 2010-05-06 10:57:48 etc/vmware/snmp.xml -rw------- 0/0 29 2010-05-08 09:39:38 etc/vmware/vmware.lic -rw-r--r-T 0/0 866 2010-05-07 08:36:50 etc/dhclient-vmk0.leases ---------- 0/0 152 2010-05-19 18:43:11 etc/group -rw-r--r-- 0/0 227 2010-05-20 12:43:06 etc/hosts -rw-r--r-T 0/0 1568 2010-05-08 07:16:06 etc/inetd.conf -rw-r--r-- 0/0 7 2010-05-22 10:18:22 etc/ntp.drift -rw-r--r-- 0/0 362 2010-05-19 18:43:11 etc/passwd -rw------- 0/0 512 2010-05-08 09:11:01 etc/random-seed -rw-r--r-T 0/0 76 2010-05-20 12:43:06 etc/resolv.conf -rw-r--r-T 0/0 323 2010-05-07 10:13:13 etc/shadow -rw-r--r-T 0/0 0 2009-11-08 09:01:08 etc/sfcb/repository/root/interop/cim_indicationfilter.idx -rw-r--r-T 0/0 0 2009-11-08 09:01:08 etc/sfcb/repository/root/interop/cim_indicationhandlercimxml.idx -rw-r--r-T 0/0 0 2009-11-08 09:01:09 etc/sfcb/repository/root/interop/cim_listenerdestinationcimxml.idx -rw-r--r-T 0/0 0 2009-11-08 09:01:09 etc/sfcb/repository/root/interop/cim_indicationsubscription.idx -rw-r--r-T 0/0 119 2010-05-20 12:42:51 etc/ntp.conf
