
Using Google Authenticator To Provide Two-Factor Authentication For ESXi

03.11.2013 by William Lam // 12 Comments

Last year, I came across an interesting open source project called Google Authenticator, which provides two-factor authentication by combining a PAM (Pluggable Authentication Module) module with a mobile application that generates one-time passcodes. This project sparked my curiosity and I wanted to see if I could get Google Authenticator to run on ESXi, adding security by requiring two-factor authentication when logging in to the ESXi Shell. After several attempts, I failed to get Google Authenticator working on ESXi and eventually gave up. I reported the behavior I saw in my environment in the Issues section of the project, which did not yield any responses, and I thought that was the end of that experiment.

Almost eight months later, I received a surprising email from two VMware engineers who were also interested in the Google Authenticator project and had figured out how to get Google Authenticator to work on ESXi. It turns out that the solution was actually quite simple: it just required commenting out three lines of C macros in the Google Authenticator source code (the tweak is documented in this blog post here). I was able to confirm the engineers' findings in my home lab and was also able to build a custom Google Authenticator VIB for ESXi to help with the setup.

Disclaimer: This is not officially supported by VMware, use at your own risk

Installing Google Authenticator Custom VIB / Offline Bundle

Prerequisite:

  • Ensure that your ESXi host's clock is in sync with a proper time source (the skew should be less than 4 minutes, since the one-time codes are time-based)
  • Keep a separate SSH connection open to your ESXi host so that, if something goes wrong, you can easily revert the changes; otherwise you can potentially lock yourself out

Step 1 - Download either the Google Authenticator VIB vghetto-google-auth.vib or offline bundle vghetto-google-auth.zip and upload it to the datastore of your ESXi host

Step 2 - You will need to change the acceptance level of your ESXi host to Community Supported as this is a requirement for any custom VIBs created. Run the following ESXCLI command:

esxcli software acceptance set --level CommunitySupported

Step 3 - To install Google Authenticator VIB, you will need to run the following ESXCLI command and specify the full datastore path of the VIB:

esxcli software vib install -v /vmfs/volumes/mini-local-datastore-1/vghetto-google-auth.vib -f

To install the Google Authenticator offline bundle instead, run the same command but replace the -v argument with -d and specify the full datastore path of the zip file.

Step 4 - You can verify the Google Authenticator was installed successfully by running the following ESXCLI command:

esxcli software vib get -n vGhetto-goog-auth


Configuring Google Authenticator & ESXi Configurations

Step 1 - Download the Google Authenticator app for your mobile phone. In this example, I am using the iPhone's Google Authenticator mobile app.

Step 2 - Next you will need to configure Google Authenticator for the ESXi host, run the google-authenticator command in the ESXi Shell which will start the setup.

You should see a URL as well as the secret key, which you will need to enter into your Google Authenticator mobile app. You can either manually add your ESXi host to the mobile app by entering the secret key, OR copy and paste the URL into a web browser, which displays a QR code that the mobile app can simply scan.

For all the prompted questions, you can use yes for the defaults.

Step 3 - You will need to add the following configuration to your SSHD configuration under /etc/ssh/sshd_config:

ChallengeResponseAuthentication yes

Step 4 - You will also need to add the following entry to both of the following PAM configuration files, /etc/pam.d/login and /etc/pam.d/sshd:

auth   required   pam_google_authenticator.so

To add the entry into both files on the ESXi Shell, run the following two commands:

sed -i -e '3iauth       required     pam_google_authenticator.so\' /etc/pam.d/login
sed -i -e '3iauth       required     pam_google_authenticator.so\' /etc/pam.d/sshd

Note: To ensure the above configuration persists after a reboot, you will need to add the two sed commands to /etc/rc.local.d/local.sh for ESXi 5.1 or /etc/rc.local for ESXi 5.0 hosts, which will automatically add the entries upon bootup.

Finally, you will need to restart the SSH daemon for the changes to go into effect by running the following command:

/etc/init.d/SSH restart

Step 5 - To validate that everything was configured correctly, open a new SSH session to your ESXi host. Instead of seeing the usual password prompt, you should now see a verification code prompt. Open up your Google Authenticator mobile app and enter the code that is displayed for your ESXi host and then enter the root password.

If everything was configured correctly, you should now be authorized and logged into your ESXi host.
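As an added example (not code from the original post or the vGhetto VIB), here is an idempotent shell version of steps 3 and 4 above that is safe to call from local.sh on every boot, because it inserts the PAM rule only when it is missing and rewrites an existing ChallengeResponseAuthentication directive rather than appending a duplicate. It assumes it runs as root in the ESXi Shell; the file paths are parameters so the functions can be exercised on scratch copies, and the real paths are applied only with --apply. The verify_2fa_config name is my own.

```shell
#!/bin/sh
# Added example, not from the post or the vGhetto VIB: idempotent form of the
# post's PAM and sshd_config edits, safe to call from local.sh on every boot.
# Assumes root in the ESXi Shell; paths are parameters so scratch copies work.

PAM_LINE='auth       required     pam_google_authenticator.so'

# Insert the Google Authenticator rule as line 3 of a PAM service file (where
# the post's "3i" sed puts it), but only if no such rule is present already.
# Succeeds only when the file ends up with exactly one copy of the rule.
enable_gauth_pam() {
    pam_file=$1
    if ! grep -q 'pam_google_authenticator.so' "$pam_file"; then
        { head -n 2 "$pam_file"; printf '%s\n' "$PAM_LINE"; tail -n +3 "$pam_file"; } \
            > "$pam_file.tmp" && mv "$pam_file.tmp" "$pam_file"
    fi
    [ "$(grep -c 'pam_google_authenticator.so' "$pam_file")" -eq 1 ]
}

# Set ChallengeResponseAuthentication yes, replacing an existing (possibly
# commented-out) directive instead of appending a second one.
enable_challenge_response() {
    cfg=$1
    if grep -q '^[#[:space:]]*ChallengeResponseAuthentication' "$cfg"; then
        sed 's/^[#[:space:]]*ChallengeResponseAuthentication.*/ChallengeResponseAuthentication yes/' \
            "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    else
        printf 'ChallengeResponseAuthentication yes\n' >> "$cfg"
    fi
    grep -q '^ChallengeResponseAuthentication yes$' "$cfg"
}

# Returns 0 only when both PAM files carry the rule and sshd accepts
# challenge-response, i.e. the state step 5 of the post expects.
verify_2fa_config() {
    for f in "$1" "$2"; do
        grep -q '^auth[[:space:]]*required[[:space:]]*pam_google_authenticator.so' "$f" || return 1
    done
    grep -q '^ChallengeResponseAuthentication yes$' "$3"
}

# Apply to the real ESXi paths only when asked, so sourcing this file is safe.
if [ "${1:-}" = "--apply" ]; then
    enable_gauth_pam /etc/pam.d/login
    enable_gauth_pam /etc/pam.d/sshd
    enable_challenge_response /etc/ssh/sshd_config
    verify_2fa_config /etc/pam.d/login /etc/pam.d/sshd /etc/ssh/sshd_config \
        && /etc/init.d/SSH restart
fi
```

Running the script a second time leaves the files unchanged, which is the property the sed lines in local.sh lack.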

Though the configuration could be a bit more automated, including adding each ESXi host to your mobile application, this is a pretty nifty and free solution for providing two-factor authentication for your ESXi hosts. I am curious to see whether others are interested in such functionality within ESXi and whether it would be useful to them. Feel free to leave a comment.

Big thanks to VMware engineers who helped me get this solution to work!


Comments

  1. Pinballas says

    03/11/2013 at 5:08 pm

    Hi William
    Great post. On this could you please share if the following is possible or coming down the line.
    Existing "OpenOTP" installation using Google Auth and OpenOTP communication with the AD 2008 Radius.
    Got this working 100% with VMware View 5.x
    The question is if it's at all possible to integrate OpenOTP + Google Auth for gaining access to Virtual Center 5.x, SSO or the vMA appliance.

    Thanks again for great reading

    • William Lam says

      03/13/2013 at 1:02 am

      I've not used OpenOTP, so I can't say if it'll work or not. If you are interested in OpenOTP/GAuth, I would highly recommend you file an FR or contact your local account rep to provide more details.

    • vcdxorbust.com says

      04/11/2013 at 5:05 pm

      I posted a walkthrough for how to do Google Authenticator with VMware View using freeRADIUS and totpcgi in an active directory environment.

      http://vcdxorbust.com/totpcgi-and-freeradius-with-vmware-view/

  2. Kattrap says

    03/11/2013 at 6:36 pm

    You are in essence changing a shared account (root) to a single user. If I get hit by a bus, I wouldn't want my coworkers to need to go through some complicated recovery process.
    As a consultant that has seen a bit of intentionally or not lost passwords through staff changes, I would probably tell a client with 2factor'ed esxi servers to just rebuild (at least I hope they have vcenter and shared storage).

    My other thought, with all the phone-based 2factor auth, is that when I really need to use it, there will be something preventing me (dead battery/ broken phone/ lost). While I really like the idea of 2factor auth, anything that relies on yet another external gadget will fail.

    Other than all that debbie downer stuff, this is a really cool integration. 🙂

    • Hongkun Xi says

      03/12/2013 at 4:51 am

      There are emergency scratch codes in your SECRET file, in this case /etc/vmware/.google-authenticator. These codes are for situations like the ones you mentioned: your mobile device is lost at home, dead battery, etc. Each emergency code can only be used once.

    • Kattrap says

      03/12/2013 at 9:26 pm

      Awesome! Thanks for that reply! It still doesn't get away from turning a shared root account into a single user account. Could it work somehow with the AD integration or is that a separate PAM module? I'll admit that I'm not using the AD integration right now, but ssh is also usually shutdown.

    • William Lam says

      03/13/2013 at 1:05 am

      The above example was just to show this 2FA was possible w/GAuth and to keep things simple I used just root, though even with a single account you can register it with multiple devices. GAuth itself also supports multiple user accounts and with a small change in the source code, you can easily support multiple users with their own SECRET file.

  3. Jeff Liao says

    06/23/2014 at 2:19 pm

    When localtime is in Taiwan (CST+8) (Asia/Taipei) it can't work.
    Could you give me a direction to fix it?
    Thanks a lot.

  4. Fathul says

    05/15/2024 at 10:38 pm

    Hi William,

    Quick check: does this setup work for login to vCenter 8.0?

  5. war59312 says

    12/24/2024 at 11:36 am

    Any chance this could be updated for ESXi 8.0?

    [will@esxi:~] wget --no-check-certificate https://s3.amazonaws.com/virtuallyghetto-download/vghetto-google-auth.zip
    Connecting to s3.amazonaws.com (52.217.225.72:443)
    saving to 'vghetto-google-auth.zip'
    vghetto-google-auth. 100% |***************************************************************************************************************************************************************************************************************************************************************************************************************************| 64073 0:00:00 ETA
    'vghetto-google-auth.zip' saved
    [will@esxi:~] esxcli software vib install -d /vghetto-google-auth.zip -f
    [ProfileValidationError]
    In ImageProfile (Updated) ESXi-8.0U3b-24280767-standard, the payload(s) in VIB virtuallyGhetto_bootbank_vGhetto-google-auth_5.1.0-0.0.1 does not have sha-256 gunzip checksum. This will prevent VIB security verification and secure boot from functioning properly. Please remove this VIB or please check with your vendor for a replacement of this VIB
    Please refer to the log file for more details.


Trackbacks

  1. How To Compile Google Authenticator for ESXi | virtuallyGhetto says:
    02/28/2014 at 9:07 pm

    […] my previous article I demonstrated how to use Google Authenticator to provide two-factor authentication for ESXi using […]
