WilliamLam.com

Easily manage ESXi & VCSA SSH login banner & MOTD in vSphere 6.0

by // 3 Comments

For customers who have a requirement to configure an SSH login banner and/or message of the day (MOTD) for ESXi or vCenter Server, this usually meant manually editing the /etc/issues (login banner) and /etc/motd (MOTD) configuration files. In vSphere 6.0, this has now been simplified by providing vSphere APIs to allow administrators to easily view and configure SSH login banner and MOTD for both ESXi and VCSA (this does not apply to vCenter Server for Windows).

For ESXi, there are two new ESXi Advanced properties called Config.Etc.issue and Config.Etc.motd and this can also be viewed and edited using the vSphere Web/C# Client as seen in the screenshot below:

esxi-issues-motd
For vCenter Server, there are also two new Advanced Options called etc.issue and etc.motd which can also be viewed and edited using the vSphere Web/C# Client as seen in the screenshot below:

vcsa-motd-issues

What's Displayed

The /etc/issues displays a banner during an SSH login session, this means that you will see the message during the login as highlighted in the screenshot below:

esxi-issues
The /etc/motd displays a banner after a successful SSH login as highlighted in the screenshot below:

esxi-motd

How to Automate

You can use both the vSphere API/CLI to modify the issues and motd configurations. In the examples below, I will be using PowerCLI to demonstrate retrieving and setting the two properties.

Retrieve /etc/issues for VCSA

Get-AdvancedSetting -Entity $vc -Name "etc.issue" | Format-List

Set /etc/issues for VCSA

$msg = "
beware
you
are
entering
the
house
of
Cormac
the
grey
"
Get-AdvancedSetting -Entity $vc -Name "etc.issue" | Set-AdvancedSetting -Value $msg

Retrieve /etc/motd for VCSA

Get-AdvancedSetting -Entity $vc -Name "etc.motd" | Format-List

Set /etc/motd for VCSA

Get-AdvancedSetting -Entity $vc -Name "etc.motd" | Set-AdvancedSetting -Value $msg

Retrieve /etc/issues for ESXi

Get-VmHostAdvancedConfiguration -Name "Config.Etc.issue"

Set /etc/issues for ESXi

$msg = "
beware
you
are
entering
the
house
of
Cormac
the
grey
"
Set-VMHostAdvancedConfiguration -Name "Config.Etc.issue" -Value $msg

Retrieve /etc/motd for ESXi

Get-VmHostAdvancedConfiguration -Name "Config.Etc.issue"

Set /etc/motd for ESXi

Set-VMHostAdvancedConfiguration -Name "Config.Etc.motd" -Value $msg

Quick Tip - How to Change ESXi SSH Prompt

by // 3 Comments

This quick tip was motivated by a comment from Jason Nash where he wished the hostname of an ESXi host is automatically displayed on the SSH prompt when logging into the system. Traditionally, systems providing SSH access will default the SSH prompt to use the format of [username@hostname current-working-directory], but for an ESXi host, it just displays the current working directory.

This is not that big of an issue, unless you have multiple connections opened up to various systems which is usually the case for the average System Administrator. Being able to quickly identify the host you on are without having to run the hostname command would be nice and I can see why Jason would want to have this. Having said that, this is something you can easily configure on ESXi as well as other UNIX/Linux system in terms of customizing the SSH prompt.

To change the SSH prompt on ESXi, you will need to edit /etc/profile.local configuration file and add PS1 environmental variable which controls the SSH prompt. The configuration file is automatically backed up and all changes will persist through a reboot.

If you want to enable the basic [username@hostname current-working-directory], add the following to the file:

PS1="[\u@\h:\w] "

Now when you login to your ESXi host, the SSH prompt will look like this:

You can even add colors to your SSH prompt, if you add the following to the file:

PS1="\e[0;41m[\u@\h \W]\$ \e[m"

It will look like this:

The above are just examples of the customization you can apply to the SSH prompt, for more options you can take a look at this reference or search for others online. You can also quickly test your changes by just setting the PS1 variable on the command-line and then logging in.

Since this is something that has annoyed me from time to time, I will be filing a Feature Request with engineering and hopefully we can have this as a default in the future. Thanks Jason for bringing this up!

ESXi Google Authenticator Is Now A VMware Fling!

by // 6 Comments

Earlier this year I wrote an article about using Google's Authenticator application to provide 2-Factor Authentication for connecting to ESXi using either the ESXi Shell locally or remotely over SSH. I also documented the process for compiling and building your own custom ESXi VIB with the help of two VMware engineers (Hongkun Xi & Jian Ouyang). Though the process was not terribly difficult, it did require minor source code modification and building a custom ESXi VIB. This also meant that you were required to lower the security acceptance of your ESXi host to community supported which is not a recommended practice. In addition, the custom ESXi VIB only supported a single administrator account which was root and additional work was required to support multiple administrators.

Well it turns out that both Hongkun and Jian have been quite busy enhancing this project in their spare time and have just released an ESXi Google Authenticator Fling! The Fling is distributed as a custom ESXi VIB which is signed by VMware, so you no longer have to lower the security of your ESXi host. It supports both ESXi 5.0 and 5.1 and it allows for multiple administrators to login using Google Authenticator.

Here is a list of the features that are supported:

  • Two-Factor Authentication for ESXi Shell and SSH access
  • Supports multiple administrators login on esx5.1, and single admin (root) on esx5.0
  • Support for 30-second TOTP codes
  • Support for emergency scratch codes
  • Protection against replay attacks

To learn more about the Fling and instructions on setting up the ESXi Google Authenticator, be sure to visit the VMware Lab's site.

If you have any feedback or questions, be sure to leave a comment on the Fling's web page here.