
SSH Keys & Lockdown Mode Caveat in ESXi 5

07.17.2011 by William Lam // 6 Comments

Hopefully everyone is familiar with ESXi's Lockdown Mode and what it means from a security standpoint. Here is a table of the behavior between normal and Lockdown Mode:

In ESXi 5, the use of SSH keys is officially supported without having to manually create any hacks to preserve the .ssh directory, as you did with prior releases of ESXi. If you use Lockdown Mode, there is an additional caveat to be aware of: SSH keys can bypass the Lockdown Mode configuration on an ESXi 5 host.

Here is a quick example demonstrating the process from VMware's VCVA (vCenter Virtual Appliance):

Step 1 - Create SSH keys

vcenter50-1:~ # ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
a1:8c:24:60:0e:fe:9a:cf:4a:35:17:d6:89:ba:08:9d root@vcenter50-1
The key's randomart image is:
+--[ DSA 1024]----+
|o. |
|=. o . |
| o. .+ o. |
| ..+oo.. . |
|. E=..o S |
|. = + |
| = . |
|. o |
| ..o |
+-----------------+

Step 2 - Copy the SSH public key over to the destination ESXi 5 host, into the authorized keys file at /etc/ssh/keys-root/authorized_keys

vcenter50-1:~ # scp .ssh/id_dsa.pub root@vesxi50-4:/etc/ssh/keys-root/authorized_keys
Password:
id_dsa.pub 100% 606 0.6KB/s 00:00

Step 3 - Enable Lockdown Mode via vCenter

Step 4 - SSH into the locked down ESXi 5 host using the SSH keys

By default, SSH key support is enabled; you will need to disable it manually to ensure the host is fully locked down when you choose to enable Lockdown Mode. To disable SSH key support, you just need to comment out the following line in /etc/ssh/sshd_config:

# AuthorizedKeysFile /etc/ssh/keys-%u/authorized_keys

The change takes effect right away and you do not need to restart the SSH daemon.
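The check a practitioner wants before flipping Lockdown Mode on is whether the AuthorizedKeysFile directive is still active and how many keys are sitting in /etc/ssh/keys-root/authorized_keys, followed by the same comment-out edit described above done repeatably. The script below is an added example, not code from the original post or from VMware; it works on constructed copies of the two files in a scratch directory (the WORK variable is an assumption) so it can be run anywhere, and the function names are mine. Point SSHD_CONFIG and AUTH_KEYS at the real paths from the post to run it on a host.

```shell
#!/bin/sh
# Added example (not from the original post): audit and disable SSH key
# authentication in an ESXi 5 style sshd_config.  Runs against constructed
# sample files in WORK so it never touches a real host by accident.

WORK="${WORK:-$(mktemp -d)}"
SSHD_CONFIG="$WORK/sshd_config"                 # real host: /etc/ssh/sshd_config
AUTH_KEYS="$WORK/keys-root/authorized_keys"     # real host: /etc/ssh/keys-root/authorized_keys

# Constructed samples: the directive active (the ESXi 5 default) and one
# public key copied in the way Step 2 of the post does it.  Key data is a
# placeholder, not a real key.
setup_samples() {
    mkdir -p "$WORK/keys-root"
    cat > "$SSHD_CONFIG" <<'EOF'
# constructed sample, not a real ESXi sshd_config
Protocol 2
PermitRootLogin yes
AuthorizedKeysFile /etc/ssh/keys-%u/authorized_keys
UsePAM yes
EOF
    cat > "$AUTH_KEYS" <<'EOF'
ssh-dss AAAAB3NzaC1kc3MAAACBPLACEHOLDERKEYDATA root@vcenter50-1
EOF
}

# Exit 0 when an uncommented AuthorizedKeysFile line exists, i.e. key-based
# logins would still get past Lockdown Mode.
keys_directive_active() {
    grep -Eq '^[[:space:]]*AuthorizedKeysFile[[:space:]]' "$1"
}

# Print how many public keys the authorized_keys file holds (0 if absent).
count_authorized_keys() {
    if [ ! -f "$1" ]; then echo 0; return 0; fi
    grep -Ec '^[[:space:]]*ssh-(rsa|dss)[[:space:]]' "$1" || true
}

# Comment out every active AuthorizedKeysFile line, the same edit the post
# makes by hand.  Idempotent: lines already commented are left untouched.
# Written via a temp file rather than sed -i for portability across GNU,
# BSD and busybox sed.
disable_keys_directive() {
    sed -E 's/^([[:space:]]*)(AuthorizedKeysFile[[:space:]])/\1# \2/' "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# One-line verdict suitable for a pre-Lockdown checklist.
lockdown_ssh_keys_report() {
    if keys_directive_active "$SSHD_CONFIG"; then
        echo "KEYS-ENABLED: $(count_authorized_keys "$AUTH_KEYS") key(s) can bypass Lockdown Mode"
    else
        echo "KEYS-DISABLED: AuthorizedKeysFile is commented out"
    fi
}

setup_samples
lockdown_ssh_keys_report        # KEYS-ENABLED: 1 key(s) can bypass Lockdown Mode
disable_keys_directive "$SSHD_CONFIG"
lockdown_ssh_keys_report        # KEYS-DISABLED: AuthorizedKeysFile is commented out
```

Because sshd on ESXi re-reads the file per connection, the report flips as soon as the directive is commented out; the same report run with the directive active tells you exactly how many keys would keep working after Lockdown Mode is enabled.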

If you are interested in automatically disabling the use of SSH keys or you would like to copy an existing SSH key into your ESXi 5 host via kickstart, take a look at Automating ESXi 5.x Kickstart Tips & Tricks for more details.


Categories // Uncategorized Tags // ESXi 5.0, lockdown mode, ssh keys, vSphere 5.0

Comments

  1. Kcmjr says

    11/16/2011 at 12:41 am

    I found a mistake in your article. To ENABLE SSH key support you need to un-comment the AuthorizedKeysFile line in /etc/ssh/sshd_config. While commented this will not work. I was bashing my head as to why this wasn't working until I removed the # from that line. Now all works as expected.

    Reply
  2. William says

    11/16/2011 at 3:04 pm

    @Kcmjr,

    By default, SSH key support is enabled. I meant to say "comment", as the statement showed users how to disable it. I've fixed it.

    Reply
  3. Unknown says

    04/10/2012 at 1:07 am

    A bit dated thread, but hopefully someone is still monitoring :).

    I have an ESXi 5 environment where I am trying to set up ssh keys between two standalone ESXi5 Hypervisors. When setting up keys from one host to the other, the /etc/ssh/keys-root/authorized_keys file survives a reboot, but the corresponding public key which was generated in /.ssh is lost upon reboot. Any suggestions ?

    Reply
    • William says

      04/10/2012 at 1:17 am

      @Unknown,

      Please take a look at these two articles about persistence of files on ESXi:
      http://www.virtuallyghetto.com/2011/08/how-to-persist-configuration-changes-in.html
      http://www.virtuallyghetto.com/2011/08/how-to-persist-configuration-changes-in_09.html

      Reply
  4. Justin C. says

    05/17/2012 at 8:51 pm

    This is great for SSH'ing into an ESXi5 host from another Linux system, but how do you set up ESXi5 so that you can SSH into another Linux box FROM it using keys? ssh-keygen is buried a bit in ESXi5, but it is there. However, there is no /root/.ssh directory to place the id_rsa key into. Once you have placed the id_rsa.pub from an ESXi5 box onto the remote system, where does the local id_rsa private key belong? /.ssh?

    Reply
    • William says

      05/18/2012 at 3:28 pm

      @Justin,

      Please take a look at these two articles about persistence of files on ESXi:
      http://www.virtuallyghetto.com/2011/08/how-to-persist-configuration-changes-in.html
      http://www.virtuallyghetto.com/2011/08/how-to-persist-configuration-changes-in_09.html

      Reply


Author

William is Distinguished Platform Engineering Architect in the VMware Cloud Foundation (VCF) Division at Broadcom. His primary focus is helping customers and partners build, run and operate a modern Private Cloud using the VMware Cloud Foundation (VCF) platform.
