Last year, I came across an interesting open source project called Google Authenticator, which provides two-factor authentication by using both a PAM (Pluggable Authentication Module) module and a mobile application for generating one-time passcodes. This project sparked my curiosity and I wanted to see if I could get Google Authenticator to run on ESXi to provide additional security by requiring two-factor authentication when attempting to login to the ESXi Shell. After several attempts, I failed to get Google Authenticator working on ESXi and eventually gave up. I reported the behavior I saw in my environment in the Issues section of the project which did not yield any responses and I thought that was the end of that experiment.
Almost eight months later, I received a surprising email from two VMware engineers who were also interested in the Google Authenticator project and were able to figure out how to get Google Authenticator to work on ESXi. In sharing their findings, it turns out that the solution was actually quite simple and it just required commenting out three lines of C Macros in the Google Authenticator source code (tweak is documented in this blog post here). I was able to confirm the engineers findings in my home lab and was also able to build a custom Google Authenticator VIB for ESXi to help with the setup.
Disclaimer: This is not officially supported by VMware, use at your own risk
Installing Google Authenticator Custom VIB / Offline Bundle
Prerequisite:
- Ensure that your ESXi host's clock is in sync with a proper time source (skew should be < 4minutes)
- Keep a separate SSH connection open to your ESXi host, in case something goes wrong you can easily revert the changes else you can potentially lock yourself out
Step 1 - Download either the Google Authenticator VIB vghetto-google-auth.vib or offline bundle vghetto-google-auth.zip and upload it to the datastore of your ESXi host
Step 2 - You will need to change the acceptance level of your ESXi host to Community Supported as this is a requirement for any custom VIBs created. Run the following ESXCLI command:
esxcli software acceptance set --level CommunitySupported
Step 3 - To install Google Authenticator VIB, you will need to run the following ESXCLI command and specify the full datastore path of the VIB:
esxcli software vib install -v /vmfs/volumes/mini-local-datastore-1/vghetto-google-auth.vib -f
To install the Google Authenticator offline bundle, you will run the same command but instead of using the -v argument, you will specify the -d
Step 4 - You can verify the Google Authenticator was installed successfully by running the following ESXCLI command:
esxcli software vib get -n vGhetto-goog-auth
Configuring Google Authenticator & ESXi Configurations
Step 1 - Download the Google Authenticator app for your mobile phone. In this example, I am using the iPhone's Google Authenticator mobile app.
Step 2 - Next you will need to configure Google Authenticator for the ESXi host, run the google-authenticator command in the ESXi Shell which will start the setup.
You should see a URL as well as the secret key which you will need to enter into your Google Authenticator mobile app. You can either manually add your ESXi host into the mobile app by entering the secret key OR copy and paste the URL into a web browser which provides a QRC code that the mobile app can just read.
For all the prompted questions, you can use yes for the defaults.
Step 3 - You will need to add the following configuration to your SSHD configuration under /etc/ssh/sshd_config
ChallengeResponseAuthentication yes
Step 4 - You will also need to add the following entry to the following PAM configuration files /etc/pam.d/login and /etc/pam.d/sshd
auth required pam_google_authenticator.so
To add the entry into both files on the ESXi Shell, run the following two commands:
sed -i -e '3iauth required pam_google_authenticator.so\' /etc/pam.d/login
sed -i -e '3iauth required pam_google_authenticator.so\' /etc/pam.d/sshd
Note: To ensure the above configuration persists after a reboot, you will need to add the two sed commands to /etc/rc.local.d/local.sh for ESXi 5.1 or /etc/rc.local for ESXi 5.0 hosts which will automatically add the entries upon bootup.
Finally, you will need to restart the SSH daemon for the changes to go into effect by running the following command:
/etc/init.d/SSH restart
Step 5 - To validate that everything was configured correctly, open a new SSH session to your ESXi host. Instead of seeing the usual password prompt, you should now see a verification code prompt. Open up your Google Authenticator mobile app and enter the code that is displayed for your ESXi host and then enter the root password.
If everything was correct, you should now be authorized and logged into your ESXi host
Though the configuration could be a bit more automated including adding each ESXi host to your mobile application, this is a pretty nifty and free solution to provide two-factor authentication for your ESXi hosts. I am curious to see if others are interested in such functionality within ESXi or if this would be useful? Feel free to leave a comment.
Big thanks to VMware engineers who helped me get this solution to work!