Shell access to an ESXi host provides essential maintenance, configuration and troubleshooting commands. It can be used in cases that cannot be handled through the standard vSphere Client. In my case, I tend to have SSH activated by default. From a security perspective it is recommended to keep SSH disabled, but with the management network behind a firewall I feel secure.
If you use SSH daily, you are probably familiar with public key authentication. It relies on a generated public/private keypair and lets you log in without typing a password. It is faster and more secure than entering a password manually, and every administrator can have their own keypair.
This post explains how to enable and automate public key authentication on ESXi hosts.
If you do not already have an SSH Key, the first step is to create an SSH Keypair:
Creating an SSH Keypair with Linux
Creating a keypair on Linux is a standard task. The public key that you need to place on the ESXi host is stored in ~/.ssh/id_rsa.pub:

~ # ssh-keygen -t rsa -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
99:b2:38:a0:47:1d:16:89:e5:e9:35:1c:cb:ac:1e:15
The key's randomart image is:
+--[ RSA 4096]----+
|        oo.E     |
|       ...* +    |
|          = O    |
|       + = . o   |
|      o = . S    |
|     o o o o     |
|    . . + .      |
|     . .         |
|                 |
+-----------------+
~ # cat ~/.ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1y[...]
Creating an SSH Keypair with Windows
You need the following tools:
- PuTTY (SSH Client)
- PuTTYgen (SSH Key Generator)
- Pageant (SSH Authentication Agent)
All programs are free and available for download here.
1. Open PuTTYgen
2. Click "Generate"
3. Move the mouse to generate random data. The result should look like this:
4. Click "Save public key" and choose a path
5. Click "Save private key" and choose a path. If you want to use this key for production you should set a passphrase at this point!
Enable the SSH Authentication Agent
1. Start Pageant
2. Double-click the Pageant tray icon
3. Click "Add Key" and open your private key file (.ppk)
Deploy public keys
Your public key has to be stored in /etc/ssh/keys-root/authorized_keys on the ESXi host. The file works the same way as the authorized_keys file on a Linux host. Do not use the ssh-copy-id command to copy your public key to the system; it does not work for an ESXi host.
1. Connect to the ESXi host using PuTTY
2. Login as root
3. Edit the key file with vi (you should be familiar with vi for this step):
~ # vi /etc/ssh/keys-root/authorized_keys
4. Press i to enter "Insert Mode"
5. Copy your public key (one line, starting with ssh-rsa) and paste it into vi (right click)
6. Press <ESC>, type :wq and press <ENTER> to save and quit vi
Deploy public keys with Host Profiles
SSH keys are part of Host Profiles. If the key is deployed on the reference host, it will be applied to all hosts attached to the host profile. If you want to edit the profile manually, you can find the configuration at:
Security configuration > SSH authorized key for root user > SSH public key for root user > Key
Deploy public keys during the installation with kickstart
You can add this snippet to your Kickstart configuration to automatically enable SSH, suppress the shell warning and add your SSH key to the ESXi host:

#esx/ssh
vim-cmd hostsvc/enable_ssh
vim-cmd hostsvc/start_ssh
esxcli system settings advanced set -o /UserVars/SuppressShellWarning -i 1
cat > /etc/ssh/keys-root/authorized_keys <<EOF
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAgEAtuq[...]
EOF
#esxi/ssh end
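Since ssh-copy-id does not work against ESXi and the kickstart snippet above overwrites the whole file, the following added example (my own code, not from the original post) appends a public key to an authorized_keys file only if that key is not already present. The file path is a parameter, so the functions can be pointed at /etc/ssh/keys-root/authorized_keys on the host or at a local test copy; the key type list and the "added"/"present" output are my own conventions.

```shell
#!/bin/sh
# Added example: idempotent deployment of a public key into an authorized_keys
# file. The comparison ignores the trailing comment, so re-running it with a
# differently labelled copy of the same key does not create a duplicate line.

# validate_pubkey KEY: returns 0 if KEY looks like one OpenSSH public key line
# (known key type, base64 key material, optional comment).
validate_pubkey() {
    case "$1" in
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-nistp256 "*) ;;
        *) return 1 ;;
    esac
    set -- $1                      # split into type, material, comment
    [ -n "$2" ] || return 1
    printf '%s' "$2" | grep -Eq '^[A-Za-z0-9+/]+=*$'
}

# add_authorized_key FILE KEY: appends KEY to FILE unless a line with the same
# type and key material already exists. Prints "added" or "present";
# returns 1 if KEY is not a valid public key line.
add_authorized_key() {
    file=$1
    key=$2
    validate_pubkey "$key" || return 1
    set -- $key
    ktype=$1
    kdata=$2
    mkdir -p "$(dirname "$file")"
    [ -f "$file" ] || : > "$file"
    if awk -v t="$ktype" -v d="$kdata" \
        '$1 == t && $2 == d { found = 1 } END { exit !found }' "$file"; then
        echo present
        return 0
    fi
    printf '%s\n' "$key" >> "$file"
    chmod 600 "$file"              # key file readable by root only
    echo added
}

# count_keys FILE: number of key lines currently in FILE
count_keys() {
    grep -cE '^(ssh-|ecdsa-)' "$1"
}

# Usage on the ESXi host (as root, path from the post):
#   add_authorized_key /etc/ssh/keys-root/authorized_keys "$(cat ~/.ssh/id_rsa.pub)"
```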
If you are using SSH, you should also check out the sshAutoConnect plugin by vmdude. This plugin allows you to connect to an ESXi host directly from the vSphere Client.