Yellow Bricks

by Duncan Epping
ESXi ssh and non-root users

Duncan Epping · Aug 14, 2008 ·

I’ve never seen this before. I wrote an article about root SSH access to an ESXi system. Today I noticed a blog entry that describes how you can disable root access for SSH and create users which can use “su” to become root! Cool stuff.

Check the article here! Here’s the procedure:

Log in to the console and edit inetd.conf:

vi /etc/inetd.conf

Search for the following line (type “/ssh”). This is the line you uncommented to enable SSH in the first place:

ssh stream tcp nowait root /sbin/dropbearmulti dropbear ++min=0,swap,group=shell -i

Add -w to the end of this line (type “i” for insert mode). The -w option tells dropbear to disallow root logins, so root can no longer authenticate over SSH:

ssh stream tcp nowait root /sbin/dropbearmulti dropbear ++min=0,swap,group=shell -i -w

Exit and save the file (press Escape, type “:x”).

Create a /home directory:

mkdir /home

Create a new unprivileged user:

useradd your_name

Change the password for this user:

passwd your_name

Reboot the server:

reboot

Once rebooted, log in with SSH using your new unprivileged user and use

su -

to change to the root user.

Tested on: VMware ESXi 3.5.0_Update_2-103909
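The procedure above, together with the two fixes readers report in the comments (give the unprivileged user “/” as home directory and /bin/ash as shell, and HUP inetd instead of rebooting), as a shell script added here as an example. It is not code from the original post or from the article it links to. The functions take file paths as arguments so they can be run against copies of /etc/inetd.conf and /etc/passwd and checked before touching a live host; the sample files in the demo are constructed, and reload_inetd assumes BusyBox ps output on ESXi 3.5 and is not called by the demo.

```shell
#!/bin/sh
# Added example: apply the hardening from the post to copies of
# /etc/inetd.conf and /etc/passwd so the result can be checked before
# touching a live host. Not code from the original post.

# Return 0 when the active (uncommented) dropbear line in the given
# inetd.conf already carries -w, dropbear's "disallow root logins" option.
dropbear_root_login_disabled() {
    awk '$1 == "ssh" && /dropbear/ {
             for (i = 1; i <= NF; i++) if ($i == "-w") found = 1
         }
         END { exit (found ? 0 : 1) }' "$1"
}

# Append " -w" to the dropbear line unless it is already there, so the
# function is safe to run more than once. A still-commented "#ssh" line
# is left alone: the post assumes SSH was already enabled.
add_dropbear_w() {
    f="$1"
    dropbear_root_login_disabled "$f" && return 0
    awk '$1 == "ssh" && /dropbear/ { $0 = $0 " -w" } { print }' "$f" > "$f.tmp" \
        && mv "$f.tmp" "$f"
}

# Rewrite USER's passwd entry: home directory "/" (the /home tree does not
# survive a reboot, as several commenters found) and shell /bin/ash
# (commenters report the login only works once the shell is /bin/ash
# rather than /bin/false or /bin/sh).
fix_passwd_entry() {
    f="$1"; user="$2"
    awk -F: -v OFS=: -v u="$user" '$1 == u { $6 = "/"; $7 = "/bin/ash" } { print }' \
        "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Return 0 when USER's entry has home "/" and shell /bin/ash.
passwd_entry_ok() {
    awk -F: -v u="$2" '$1 == u && $6 == "/" && $7 == "/bin/ash" { ok = 1 }
                        END { exit (ok ? 0 : 1) }' "$1"
}

# Make inetd re-read its config instead of rebooting (the commenters'
# kill -HUP tip). Assumes BusyBox ps output with the PID in column 1;
# only meaningful on the host itself, so the demo below does not call it.
reload_inetd() {
    pid=$(ps | awk '/[i]netd/ { print $1; exit }')
    [ -n "$pid" ] && kill -HUP "$pid"
}

# Demo on constructed sample files (not copied from any real host).
demo() {
    dir=$(mktemp -d)
    cat > "$dir/inetd.conf" <<'EOF'
#telnet stream tcp nowait root /sbin/telnetd telnetd
ssh stream tcp nowait root /sbin/dropbearmulti dropbear ++min=0,swap,group=shell -i
EOF
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/:/bin/ash
mrb:x:505:505:Linux User,,,:/home/mrb:/bin/false
EOF
    add_dropbear_w "$dir/inetd.conf"
    add_dropbear_w "$dir/inetd.conf"      # second run changes nothing
    fix_passwd_entry "$dir/passwd" mrb
    dropbear_root_login_disabled "$dir/inetd.conf" && echo "root SSH login: disabled"
    passwd_entry_ok "$dir/passwd" mrb && echo "mrb entry: home / and shell /bin/ash"
    cat "$dir/inetd.conf" "$dir/passwd"
    rm -rf "$dir"
}

demo
```

Running the script prints the two confirmation lines and the rewritten sample files. On a real host you would point add_dropbear_w at /etc/inetd.conf and fix_passwd_entry at /etc/passwd, then call reload_inetd; the check functions are the ones worth keeping around, since they tell you whether a host is still accepting root over SSH.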

Server esxi, Howto

Comments

  1. Steffen Özcan says

    14 August, 2008 at 16:35

    Hey Duncan,
    you can even make this approach a little bit more secure:
    - enable ssh-login via PPK
    - disable ssh-login with password
    - additionally, you can configure sudo for your non-root user so it does not need to type in the root password:
    ----
    ## Allow username to become root
    username ALL=NOPASSWD:/bin/su -
    ----

    That's how we secure ssh access to our ESX (and UNIX/LINUX) servers. The public key file is kept up-to-date on a server with a unique private key only for that purpose. From there it is distributed to all of the servers with PPK-login enabled. We haven't tested it with ESXi yet, but maybe it is possible there too?

    BR
    Steffen

  2. jon says

    25 November, 2008 at 19:11

    I can’t connect after following these steps. What about the ESX firewall?

  3. Johan says

    28 November, 2008 at 22:33

    This is a tricky tip!
    The home dir is being removed when you reboot the server.
    Meaning that you can’t log in anymore with your non-privileged users because the home dir can’t be found!

    Grz. Johan

  4. SangCheol Woo says

    28 December, 2008 at 09:39

    The file or sub-dir on the / dir which you created will be deleted every time you reboot!

    So, I succeeded this way:

    mkdir /home
    useradd someone
    passwd someone
    tar cvf home.tar /home
    mv home.tar /opt

    Then add this as the bottom line of /etc/rc.local:
    tar xvf /opt/home.tar -C /

    Files in the /opt dir are never deleted after reboot.
    So, I can now ssh to the esxi host with a non-root user account.

    • Mahi says

      23 September, 2011 at 22:37

      Sorry, none of the above worked for me on ESXi 5.0 (I know the above are written based on ESXi 4). Also nothing stayed in /opt; after reboot the tar file was gone.

  5. jts says

    7 May, 2009 at 18:44

    How would you setup SSH keys so that the ESXi console session would be able to connect to a remote SSH server and NOT have to provide a password? I haven’t found a way to generate the keys ON the actual esxi box.

  6. danieln says

    11 August, 2009 at 15:01

    Use kill -HUP instead of rebooting the server.

    # kill -HUP

  7. danieln says

    11 August, 2009 at 15:02

    Use kill -HUP instead of rebooting the server.

    # kill -HUP inetd_proc_id

  8. просто says

    14 August, 2009 at 16:49

    Anymore with your non-privileged users because the home dir can’t be found!

  9. Aaron says

    19 August, 2009 at 23:45

    Duncan,
    I wanted to let you know that the person who put this together made a change in the process that you have to do with Update 2 of ESXi.

    Here is what he put:
    Update:

    For some reason, the homedir directory seems to get deleted after a reboot. This causes the ssh session to get killed immediately after authentication. Workaround: create the user with this command:

    useradd your_name -M -d /

    Creating the user this way will set the homedir to “/” (same as for the root user).

    ---

    Change the password for this user:

    passwd your_name

    Reboot the server

    reboot

    Once rebooted,

    Log in with SSH using your new unprivileged user

    Use

    su -

    to change to the root user.

  10. FHirad says

    25 September, 2009 at 23:17

    I did all the options which different persons described above and still get “Access denied”.

    My approaches:

    1st approach: added user by useradd name
    2nd approach: added user by useradd name -M -d /
    3rd approach: created the /opt directory as described above.

    None of them worked for me.

    Any idea?

    BTW, as I tried to execute kill -HUP inetd_proc_id, I got bad PID. Where can I look for inetd_proc_id?

  11. Ivo says

    22 December, 2009 at 17:24

    After you complete the steps above, you should edit your /etc/passwd file. Make sure to have the home directory be :/ and change the shell to be /bin/ash, not /bin/false, and it should work. Tested on ESXi 4.0, update 1. The author may consider adding this info to the article, as many people start solving the problem by reading it.

  12. Jesse says

    10 March, 2010 at 16:01

    Is anyone else not able to disconnect from the server as a non-root user? I can ssh and scp fine, but when I type “exit” or after scp is finished it just hangs there forever and it’s killing a script I’m working on. It does not do this for the root user. Any ideas?

  13. Overkill says

    19 May, 2010 at 20:34

    Did anyone get this working on ESXi 4.0? This process doesn’t seem to work for me.
    -Overkill

  14. MrB says

    25 May, 2010 at 01:10

    Let me put together!

    useradd mihir -M -d /
    This will create a mrb user with / home directory
    Change password
    passwd mrb

    Change /etc/passwd file
    — Look for the username you created, will look something like below..

    mrb:x:505:505:Linux User,,,:/:/bin/sh or
    mrb:x:505:505:Linux User,,,:/:/bin/false

    change to /bin/ash

    ps | grep inetd
    kill -HUP inetd_ID

    [email protected]

    su -
    to become root..

  15. ibs symptoms says

    16 April, 2011 at 09:00

    Too complicated I can’t get it to work. Sigh…

  16. showfox says

    20 December, 2011 at 05:58

    It works. Thanks!

  17. interior says

    17 January, 2012 at 01:50

    As an interior designer I enjoyed looking through this, great stuff, thanks.
