WilliamLam.com

  • About
    • About
    • Privacy
  • VMware Cloud Foundation
  • VKS
  • Homelab
    • Resources
    • Nested Virtualization
  • VMware Nostalgia
  • Apple
You are here: Home / How to enable SSH security banner on ESXi

How to enable SSH security banner on ESXi

03.19.2011 by William Lam // 3 Comments

There was a pretty interesting question on the VMTN forums this week about adding a security banner to ESXi prior to user authentication via SSH. With classic ESX, this can easily be enabled by updating the "Banner" entry in /etc/sshd/sshd_config and specifying the path to the file containing your banner. With ESXi, OpenSSH is not being used for the SSH daemon/client, but rather a server/client with a much smaller footprint called Dropbear.

Dropbear not only provides a server/client but it also includes key generator/converter and secure copy (scp) all bundled into a single binary under /sbin/dropbearmulti. To access the different functions, you would just need to create a symlink to (dropbear,dbclient,dropbearkey,dropbearconvert and scp) which is already enabled by default from VMware with the exception of dropbear which is for the server. You can see the dropbear process spawn when you are logged into the Busybox Console (Tech Support Mode) using "ps" command.

Here is what that looks like:

What you may not notice is that there are some additional arguments being passed to the dropbear utility. Dropbear is launched using inetd and it's configurations are defined in the /etc/inetd.conf file.

You may wonder if there are some additional options that dropbear supports? The answer is yes and we can check for these options by manually creating a symlink from /bin/dropbear to /sbin/dropbearmulti and running dropbear -h option.

Note: The symlink creation of "dropbear" is not needed to enable security banner

As you can see there are a ton of additional options including support for a banner file using the -b option.

To enable this, we will first create a banner and for this example, I will be storing it under /etc/banner

Next, we will need to update the dropbear arguments to include the banner file, you will need to update /etc/inetd.conf and specify the path to your banner file.

Next you will need to restart inetd process and use kill -HUP command.

Now if you try to login to your ESXi host via SSH, you should now see the new banner be presented prior to authenticating to the host.

Now before you jump off and start thinking about a creative banner, you should note that changes within the ESXi Busybox Console are not always preserved and persisted across reboots. This is not a well known fact and the reason for this is ESXi is loaded into memory after it boots up.

There are certain configuration files (e.g. /etc/inetd.conf) that are automatically backed up through a cronjob which looks for particular files under /etc that have been marked with the stickybit. A user can not manually mark a file with the stickybit and have it automatically backed up, it requires one additional file which is implemented by the VisorFS. ESXi creates a copy of these stickybit files and renames the original as .#filename. The backup process will then look for any .#* files and back those up. Due to this special permission mechanism, you can not manually create/touch files with this format as explained by a VMware employee on this VMTN thread.

An alternative to this, which is one that I have used in the past is to update the /etc/rc.local file which is automatically backed up. Entries in this file will be executed after the host has booted up and it is the perfect place to re-create our banner file as it will not be persisted across reboots. You will create a simple here document in the script which contains the contents of your banner file, in this example, I am storing it in /etc/banner

Once you have updated and saved /etc/rc.local file, you will need to manually run a backup to ensure we have a good backup in case the host reboots. You can do so by running /sbin/auto-backup.sh which will create the latest backup and store it under /bootbank. You now have successfully enabled a security banner on ESXi and it persist through reboots.

Note: You could also have stored your banner under local VMFS datstore and/or other datastore, but it is probably best that you keep it under normal filesystem paths.

More from my site

  • Potential ESX(i) 4.1 Update 1 upgrade caveat
  • ESXi 4.1 - Major Security Issue
  • Quick Tip - API for Broadcom Security Advisories
  • Applying additional security hardening enhancements in ESXi 8.0
  • Automating Intel Sighting remediation using PowerCLI (SSH not required)

Categories // Uncategorized Tags // dropbear, ESXi 4.1, security

Comments

  1. *protectedMichael Barto says

    05/04/2011 at 5:31 am

    How would you perform an upload script on Esxi from a remote Linux system and then download a file it created to then Linux system? If this was real Linux, one could use ssh pairs. But a solution eludes me. Hey how could get a display of esxcfg-info to a remote Linux machine.

    Reply
  2. *protectedAndrew Griffith says

    11/22/2011 at 3:08 pm

    Why can't I create a banner file and put text into it? This is what I get as root login:
    #!/bin/sh
    echo "^[[2J ${INDENTATION:-}^[[01;33mESXi 5.0.0 ^[[01;34mhttp://www.vmware.com^[[00;00m
    ${INDENTATION:-}Copyright (c) 2007-2011 VMware, Inc."
    ~
    ~
    ~
    - banner [Readonly] 1/4 25%

    I can't "cat > banner" either.

    Please let me know how to get past this.

    Andy

    Reply

Trackbacks

  1. Blog Series: ESXi 5 STIG – ESXi Server SSH Daemon | VM Field Tips says:
    12/24/2016 at 8:53 pm

    […] build it at each boot via the local.sh file. You can see how to do this over on William's blog at How to Enable SSH Security Banner on ESXi, toward the end of the article. I will also be covering this method in the next article on SSH […]

    Reply

Thanks for the comment!Cancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Search

Thank Author

Author

William is Distinguished Platform Engineering Architect in the VMware Cloud Foundation (VCF) Division at Broadcom. His primary focus is helping customers and partners build, run and operate a modern Private Cloud using the VMware Cloud Foundation (VCF) platform.

Connect

  • Bluesky
  • Email
  • GitHub
  • LinkedIn
  • Mastodon
  • Reddit
  • RSS
  • Twitter
  • Vimeo

Recent

  • Programmatically accessing the Broadcom Compatibility Guide (BCG) 05/06/2025
  • Quick Tip - Validating Broadcom Download Token  05/01/2025
  • Supported chipsets for the USB Network Native Driver for ESXi Fling 04/23/2025
  • vCenter Identity Federation with Authelia 04/16/2025
  • vCenter Server Identity Federation with Kanidm 04/10/2025

Advertisment

Privacy & Cookies: This site uses cookies. By continuing to use this website, you agree to their use.
To find out more, including how to control cookies, see here: Cookie Policy

Copyright WilliamLam.com © 2025