I’ve never seen this before. I wrote an article about root SSH access to a ESXi system. Today I noticed a blog entry that describes how you can disable root access for SSH and create users which can use “su” to become root! Cool stuff.
Check the article here! Here’s the procedure:
Log in to the console,
edit the inetd.conf:vi /etc/inetd.conf
search for the following line (type: “/ssh”) (This is the line you uncommented to enable SSH in the first place.)
ssh stream tcp nowait root /sbin/dropbearmulti dropbear ++min=0,swap,group=shell -i
add -w to the end of this line: (type: “i” for insert mode):
ssh stream tcp nowait root /sbin/dropbearmulti dropbear ++min=0,swap,group=shell -i -w
Exit and save the file (press escape, type “: x”)
Create a /home directorymkdir /home
Create a new unprivileged user:
useradd your_name
Change the password for this user:
passwd your_name
Reboot the server
reboot
Once rebooted,
Log in with SSH using your new unprivileged user
Usesu -
to change to the root user.
Tested on:
VMware ESXi 3.5.0_Update_2-103909
Hey Duncan,
you can even make this approach a little bit more secure:
- enable ssh-login via PPK
- disable ssh-login with password
- additionally, you can configure a sudo for your non-root user to not need to type in the root password:
—-
## Allow username to become root
username ALL=NOPASSWD:/bin/su -
—-
Thats how we secure ssh access to our ESX (and UNIX/LINUX) servers. The public key file is kept up-to-date on a server with a unique private key only for that purpose. From there it is distributed to all of the servers with PPK-login enabled. We yet havent tested it with ESXi, but may there it is possible too…?
BR
Steffen
I can’t connect after following these steps. What abuot the ESX firewall?
This is a tricky tip!
The home dir is beeing removed when you reboot the server.
Meaning that you can’t login anymore with your non-priviled users because the home-dir can’t be found!
Grz. Johan
the file or sub-dir on / dir which you created will be deleted everytime you reboot!
So, I succeed like this way.
mkdir /home
useradd someone
passwd someone
tar cvf home.tar /home
mv home.tar /opt
edit /etc/rc.local bottom line
tar xvf /opt/home.tar -C /
files in /opt dir never deledted after reboot.
So, I can now ssh to esxi host with non-root user account.
Sorry, non of above worked for me on ESXi5.0 (I know above are written based on ESXi4). Also nothing stayed in /opt, after reboot the tar file was gone.
How would you setup SSH keys so that the ESXi console session would be able to connect to a remote SSH server and NOT have to provide a password? I haven’t found a way to generate the keys ON the actual esxi box.
Use kill -HUP intead of reboot the server.
# kill -HUP
Use kill -HUP intead of reboot the server.
# kill -HUP inetd_proc_id
Anymore with your non-priviled users because the home-dir can’t be found!
Duncan,
I wanted to let you know that the person that put this together, made a change in the process that you have to do with update 2 of esxi
Here is what he put:
Update:
For some reason, the homedir directory seems to get deleted after a reboot. This causes the ssh session to get killed immediatly after authentication. Workaround: create the user with this command:
useradd your_name -M -d /
Creating the user this way, will set the homedir to “/” (same as for root user)
———
Change the password for this user:
passwd your_name
Reboot the server
reboot
Once rebooted,
Log in with SSH using your new unprivileged user
Use
su -
to change to the root user.
I did all the options which different persons described above and still get “Access denied”.
My approaches:
1st approach, added user by useradd name
2ns approach, added user by useradd name -M -d /
3rd approach, created /opt directory as described above.
None of them worked for me.
Any idea?
BTW, as I tried to execute kill -HUP inetd_proc_id, I got bad PID. where can I look for inter_proc_id
After you complete the steps above, you should edit your /etc/passwd file. Make sure to have the home directory be :/ and change the shell to be /bin/ash, not /bin/false, and it should work. Tested on ESXi 4.0, update 1. The author may consider adding this info to the article, as many people start solving the problem by reading it.
Is anyone else not able to disconnect from the server as a non-root user? I can ssh and scp fine, but when I type “exit” or after scp is finished it just hangs there forever and it’s killing a script I’m working on. It does not do this for the root user. Any ideas?
Did anyone get this working on exsi 4.0? This process doesn’t seem to work for me.
-Overkill
Let me put together!
useradd mihir -M -d /
This will create a mrb user with / home directory
Change password
passwd mrb
Change /etc/passwd file
— Look for the username you created, will look something like below..
mrb:x:505:505:Linux User,,,:/:/bin/sh or
mrb:x:505:505:Linux User,,,:/:/bin/false
change to /bin/ash
ps | inetd
kill -HUP inetd_ID
mrb@ESXiIP
su -
to become root..
Too complicated I can’t get it to work. Sigh…
It works.Thanks!
As a interior designer i enjoyed looking through this, great stuff, thanks .