
SSH Keys & Lockdown Mode Caveat in ESXi 5

07.17.2011 by William Lam // 6 Comments

Hopefully everyone is familiar with ESXi's Lockdown Mode and what it means from a security standpoint. Here is a table comparing the behavior of normal mode and Lockdown Mode:

In ESXi 5, the use of SSH keys is officially supported without having to manually create any hacks to preserve the .ssh directory, as you had to with prior releases of ESXi. If you use Lockdown Mode, there is an additional caveat to be aware of: SSH keys can bypass the Lockdown Mode configuration on an ESXi 5 host.

Here is a quick example demonstrating the process from VMware's VCVA (vCenter Virtual Appliance):

Step 1 - Create SSH keys

vcenter50-1:~ # ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
a1:8c:24:60:0e:fe:9a:cf:4a:35:17:d6:89:ba:08:9d [email protected]
The key's randomart image is:
+--[ DSA 1024]----+
|o. |
|=. o . |
| o. .+ o. |
| ..+oo.. . |
|. E=..o S |
|. = + |
| = . |
|. o |
| ..o |
+-----------------+

Step 2 - Copy the SSH public key over to the destination ESXi 5 host, into the authorized keys file at /etc/ssh/keys-root/authorized_keys

vcenter50-1:~ # scp .ssh/id_dsa.pub [email protected]:/etc/ssh/keys-root/authorized_keys
Password:
id_dsa.pub 100% 606 0.6KB/s 00:00

Step 3 - Enable Lockdown Mode via vCenter

Step 4 - SSH into the locked down ESXi 5 host using SSH keys

By default, SSH key support is enabled; you will need to disable it manually to ensure the host is fully locked down when you enable Lockdown Mode. To disable SSH key support, comment out the following line in /etc/ssh/sshd_config:

# AuthorizedKeysFile /etc/ssh/keys-%u/authorized_keys

The change takes effect right away and you do not need to restart the SSH daemon.
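As an added example (not code from the original post), here is a small POSIX shell audit that checks a copy of a host's sshd_config for the caveat above: it resolves the AuthorizedKeysFile path for root and reports whether key-based root login would still be accepted. The sample trees it builds are constructed to mirror the post's setup before and after the fix; the optional second argument is the directory a host's /etc was pulled into.

```shell
# Added example (not from the post): offline audit for the Lockdown Mode caveat.
# Input: a copy of an ESXi 5 host's sshd_config and, optionally, the directory
# it was pulled into (used as a root prefix when resolving AuthorizedKeysFile).
# Prints the active AuthorizedKeysFile value with %u expanded to "root", or
# nothing when the directive is commented out or absent (the post's fix).
root_keys_path() {
    sed -n 's/^[[:space:]]*AuthorizedKeysFile[[:space:]]\{1,\}//p' "$1" \
        | head -n 1 | sed 's/%u/root/g'
}

# Returns 0 (true) when key login is possible: directive active AND at least
# one non-blank, non-comment entry in the resolved authorized_keys file.
ssh_key_login_possible() {
    cfg="$1"; prefix="${2:-}"
    path=$(root_keys_path "$cfg")
    [ -n "$path" ] || return 1
    keys="$prefix$path"
    [ -f "$keys" ] || return 1
    n=$(grep -c '^[[:space:]]*[^#[:space:]]' "$keys" || true)
    [ "$n" -gt 0 ]
}

# Constructed sample tree under $1 mirroring the post's setup: the stock ESXi 5
# directive plus one dummy entry (not a real key) in keys-root/authorized_keys.
make_sample() {
    mkdir -p "$1/etc/ssh/keys-root"
    printf 'AuthorizedKeysFile /etc/ssh/keys-%%u/authorized_keys\n' \
        > "$1/etc/ssh/sshd_config"
    printf '# constructed\nssh-dss AAAA_DUMMY_KEY root@vcenter-constructed\n' \
        > "$1/etc/ssh/keys-root/authorized_keys"
}

# Same tree after the post's fix: the directive commented out.
make_sample_disabled() {
    make_sample "$1"
    sed 's/^AuthorizedKeysFile/# AuthorizedKeysFile/' "$1/etc/ssh/sshd_config" \
        > "$1/sshd_config.tmp" && mv "$1/sshd_config.tmp" "$1/etc/ssh/sshd_config"
}

# Demonstration on the constructed trees; no real host is touched.
d=$(mktemp -d)
make_sample "$d/before"; make_sample_disabled "$d/after"
for t in before after; do
    if ssh_key_login_possible "$d/$t/etc/ssh/sshd_config" "$d/$t"; then
        echo "$t: key-based root login possible, Lockdown Mode can be bypassed"
    else
        echo "$t: key-based root login disabled"
    fi
done
rm -rf "$d"
```

Against a live host, copy /etc/ssh/sshd_config and /etc/ssh/keys-root/authorized_keys into a local directory and pass that directory as the prefix; an empty authorized_keys file is treated the same as a commented-out directive.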

If you are interested in automatically disabling the use of SSH keys or you would like to copy an existing SSH key into your ESXi 5 host via kickstart, take a look at Automating ESXi 5.x Kickstart Tips & Tricks for more details.


Comments

  1. Kcmjr says

    11/16/2011 at 12:41 am

    I found a mistake in your article. To ENABLE SSH key support you need to un-comment the AuthorizedKeysFile line in /etc/ssh/sshd_config. While commented this will not work. I was bashing my head as to why this wasn't working until I removed the # from that line. Now all works as expected.

    Reply
  2. William says

    11/16/2011 at 3:04 pm

    @Kcmjr,

    By default, SSH key support is enabled. I meant to say "comment", as the statement showed users how to disable it. I've fixed it.

    Reply
  3. Unknown says

    04/10/2012 at 1:07 am

    A bit dated thread, but hopefully someone is still monitoring :).

    I have an ESXi 5 environment where I am trying to set up ssh keys between two standalone ESXi5 Hypervisors. When setting up keys from one host to the other, the /etc/ssh/keys-root/authorized_keys file survives a reboot, but the corresponding public key which was generated in /.ssh is lost upon reboot. Any suggestions?

    Reply
    • William says

      04/10/2012 at 1:17 am

      @Unknown,

      Please take a look at these two articles about persistence of files on ESXi:
      http://www.virtuallyghetto.com/2011/08/how-to-persist-configuration-changes-in.html
      http://www.virtuallyghetto.com/2011/08/how-to-persist-configuration-changes-in_09.html

      Reply
  4. Justin C. says

    05/17/2012 at 8:51 pm

    This is great for SSH'ing into an ESXi5 host from another Linux system, but how do you set up ESXi5 so that you can SSH into another Linux box FROM it using keys? ssh-keygen is buried a bit in ESXi5, but it is there. However, there is no /root/.ssh directory to place the id_rsa key into. Once you have placed the id_rsa.pub from an ESXi5 box onto the remote system, where does the local id_rsa private key belong? /.ssh?

    Reply
    • William says

      05/18/2012 at 3:28 pm

      @Justin,

      Please take a look at these two articles about persistence of files on ESXi:
      http://www.virtuallyghetto.com/2011/08/how-to-persist-configuration-changes-in.html
      http://www.virtuallyghetto.com/2011/08/how-to-persist-configuration-changes-in_09.html

      Reply
