Skip to content

VCSA6 Bash and SSH Key Authentication

The Linux Version of the vCenter Server is not new anymore but with vSphere 6.0 the vCenter Server Appliance (VCSA) has overtaken the Windows Version in many aspects. The completely rewritten linked mode removes the need for a Windows-based vCenter and the scalability of both appliances are identical.

VCSA6 is delivered as appliance based on openSUSE. Nevertheless its a Linux, VMware want's you to use the GUI. Unless you are in a testing environment I would highly recommend to limit shell usage to the following usage scenarios:

  • During Service Requests under advice of VMware GSS
  • For advanced troubleshooting
  • When required for complex deployments (eg. PSC 6.0 High Availability)

VCSA6 Default Shell
When you login to the appliance with SSH you see a new proprietary shell. You should definitely make yourself familiar with this shell as it might be the only available shell in the future. Many default commands are already available here, so whenever possible, try to use the default shell.

The warning message displayed when you start the the "real" shell speaks for itself:

---------- !!!! WARNING WARNING WARNING !!!! ----------

Your use of "pi shell" has been logged!

The "pi shell" is intended for advanced troubleshooting operations and while
supported in this release, is a deprecated interface, and may be removed in a
future version of the product. For alternative commands, exit the "pi shell"
and run the "help" command.

The "pi shell" command launches a root bash shell. Commands within the shell
are not audited, and improper use of this command can severely harm the
system.

Help us improve the product! If your scenario requires "pi shell," please
submit a Service Request, or post your scenario to the
communities.vmware.com/community/vmtn/server/vcenter/cloudvm forum.

 

VCSA and Public Key Authentication
The first step is to place you SSH public key onto the vCenter Server Appliance. Public Key authentication is an authentication method that relies on a generated public/private keypair and enables the login without entering a password. It's the most widely spread login method for Linux. If you are not familiar with SSH Public Key Authentication, read this post where I am explaining the basics.

  1. Login to the VCSA with your root password (Set during installation)
  2. Enable and start the Bash Shell
    Command> shell.set --enabled True
Command> shell

    vcsa6-welcome-screen

  3. Now we are inside the standard bash shell. Use the following commands to create a folder structure required for public key authentication.
    vcsa6:~ # cd /root
vcsa6:~ # mkdir .ssh
vcsa6:~ # chmod 700 .ssh
vcsa6:~ # cd .ssh
vcsa6:~ # touch authorized_keys
vcsa6:~ # chmod 600 authorized_keys
  4. The authorized_keys is a simple textfile where all public keys that are allowed to authenticate as root are listed. One per line. Add your key to the file by editing it with vi, or with echo/pipe:
    echo "ssh-rsa AAAAB[....] fgrehl" >> authorized_keys

    The file should look like this. One key per line in the format ssh-rsa [KEY] [COMMENT]:
    sshkey_3

  5. That's it. You can now login to the vCenter Server Appliance with your SSH Key.

When you login with your SSH you are still prompted for a password. You do not have to enter a password. Just pres Enter.
vcsa6-welcome-screen-with-ssh-key
I also noticed problems with some vCenter related functions when you're using a key to login:

Command> api list
Must be connected to a server.

Change the default Shell to Bash
If you want to change the default shell to bash, use the following command:

vcsa6:~ # chsh -s /bin/bash

This will change the root user to use bash as the default shell. The configuration is written to the /etc/passwd file. You can see (and change) the configuration there.
vcsa6-change-default-shell

With bash as default shell, WinSCP works flawlessly. You can use WinSCP to transfer data between your system and the VCSA:
vcsa6-with-winscp

Use the following command if you want to change the shell back to its default:

vcsa6:~ # chsh -s /bin/appliancesh

 

Get rid of Certificate Warnings
vcsa6-certificate-warning
You might be aware that Platform Services Controller vSphere 6 contains a Certificate Authority (CA). If you want your browser to trust those certificates, you can add the root certificate to your local trusted store.

  1. Copy the certificate from the VCSA to your local workstation. The certificate is located at:
    /var/lib/vmware/vmca/root.cer
  2. Right-Click the Certificate and select Install Certificatevcsa6-install-root-certificate
  3. Press Next >
  4. Select Place all certificates in the following store
  5. Click Browse...
  6. Select Trusted Root Certificate Authorities
    vcsa6-install-root-certificate-store
  7. Press OK and finish the wizard
  8. Press Yes when you receive a Security Warning.

The certificate warning should now be gone.

Related posts:

  1. Howto: ESXi SSH Public Key Authentication
  2. How to Install VCSA6 in VMware Workstation
  3. How to get "Use Windows session" Checkbox to work in VCSA6
  4. Using SSH Public Key Authentication with vMA
  5. Howto: AD Authentication in vCenter SSO 5.5
Tags:

2 thoughts on “VCSA6 Bash and SSH Key Authentication”

  2. B

    Good article.

    WinSCP:
    There is also a way to change your settings in WinSCP so it drops down to the real shell so it actually works http://www.v-front.de/2015/03/vcsa-60-tricks-shell-access-password.html)

    SSH Keys:
    I used to have a bunch of scripts that copied files off the VCSA (5.x versions) for backup purposes. The issue now is even though I can add the SSH keys, because the VCSA will wait for a "return character" before completing the full command, I am stuck (VMware might have done this by design.

    Reply

Leave a Reply to @daVikes Cancel reply

Your email address will not be published. Required fields are marked *