ESXi ssh and non-root users

I’ve never seen this before. I wrote an article about root SSH access to an ESXi system. Today I noticed a blog entry that describes how you can disable root access for SSH and create users which can use “su” to become root! Cool stuff.

Check the article here! Here’s the procedure:

Log in to the console,
edit the inetd.conf:

vi /etc/inetd.conf

Search for the following line (type: “/ssh”). This is the line you uncommented to enable SSH in the first place.

ssh stream tcp nowait root /sbin/dropbearmulti dropbear ++min=0,swap,group=shell -i

Add -w to the end of this line (type “i” for insert mode). The -w option tells dropbear to disallow root logins:

ssh stream tcp nowait root /sbin/dropbearmulti dropbear ++min=0,swap,group=shell -i -w

Exit and save the file (press Escape, type “:x”)
Create a /home directory:

mkdir /home

Create a new unprivileged user:

useradd your_name

Change the password for this user:

passwd your_name

Reboot the server

reboot

Once rebooted, log in with SSH using your new unprivileged user.
Use

su -

to change to the root user.

Tested on:
VMware ESXi 3.5.0_Update_2-103909
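
The inetd.conf edit from the procedure above, written as an idempotent shell function with an audit check that every active dropbear line carries -w. This is an added example, not code from the original post or the blog entry it refers to; the function names are hypothetical and the patterns assume the line format shown above.

```shell
#!/bin/sh
# Added example: append dropbear's -w (disallow root logins) to the active
# ssh line of an inetd.conf-style file, then audit the result.
# The file path is an argument, so the edit can be tried on a copy first.

# Print active (uncommented) ssh lines that start dropbear.
active_ssh_lines() {
    grep '^[[:space:]]*ssh[[:space:]].*dropbear' "$1"
}

# Return 0 only if an active ssh line exists and every one carries -w.
root_login_disabled() {
    lines=$(active_ssh_lines "$1") || return 1
    # Any active line without a standalone -w flag fails the audit.
    if printf '%s\n' "$lines" |
        grep -v -e '[[:space:]]-w[[:space:]]' -e '[[:space:]]-w$' >/dev/null
    then
        return 1
    fi
    return 0
}

# Append -w where it is missing; the previous file is kept as <file>.bak.
# Returns 0 on success or no change, 2 if ssh is still commented out,
# 3 if the backup could not be written.
add_no_root_flag() {
    conf=$1
    root_login_disabled "$conf" && return 0          # already hardened
    active_ssh_lines "$conf" >/dev/null || return 2  # ssh not enabled
    cp -p "$conf" "$conf.bak" || return 3
    # Skip lines that already have -w, otherwise add it at end of line.
    sed '/^[[:space:]]*ssh[[:space:]].*dropbear/{
/[[:space:]]-w[[:space:]]/b
/[[:space:]]-w$/b
s/[[:space:]]*$/ -w/
}' "$conf.bak" > "$conf"
}

# Usage: sh this_script /etc/inetd.conf   (then reboot, as in the steps above)
if [ "$#" -gt 0 ]; then
    add_no_root_flag "$1" && root_login_disabled "$1" && echo "root SSH login disabled in $1"
fi
```

root_login_disabled can also be run on its own after a reboot or upgrade to confirm the -w flag is still in place.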


2 Responses to “ ESXi ssh and non-root users ”

  1. Hey Duncan,
    you can even make this approach a little bit more secure:
    - enable ssh-login via PPK
    - disable ssh-login with password
    - additionally, you can configure a sudo for your non-root user to not need to type in the root password:
    ----
    ## Allow username to become root
    username ALL=NOPASSWD:/bin/su -
    ----

    That's how we secure ssh access to our ESX (and UNIX/LINUX) servers. The public key file is kept up-to-date on a server with a unique private key only for that purpose. From there it is distributed to all of the servers with PPK-login enabled. We haven't tested it with ESXi yet, but maybe it is possible there too…?

    BR
    Steffen
