Configuring Public/Private Key Authentication for ESXi SSH

by admin

As part of my VCAP-DCA study guide, I recently did a post on ESXi Lockdown mode. As discussed in the post, when lockdown mode is enabled, all access to the host, other than by vCenter, is blocked. This includes SSH, however there is an exception. When Public/Private key authentication is used, rather than a username and password, you can establish an SSH session to a host when lockdown mode is enabled. Cool huh?!

First of all, on the remote host, use “ssh-keygen” to create a private/public key pair:

vi-admin@uk202018:~> ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/vi-admin/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/vi-admin/.ssh/id_dsa.
Your public key has been saved in /home/vi-admin/.ssh/id_dsa.pub.
The key fingerprint is:
e1:9c:4f:6b:8d:e9:da:ea:08:94:89:81:c5:88:d5:0c vi-admin@uk202018
The key's randomart image is:
+--[ DSA 1024]----+
|.+E+             |
|oo. o            |
|. .     .        |
|   o o o o       |
|  . +   S .      |
|   .     o =     |
|    .     * .    |
|     . . +       |
|      ..+oo      |
+-----------------+

Next, append the user’s public key to the /etc/ssh/keys-root/authorized_keys file on the ESXi host.

You can do this easily by viewing the contents of the id_dsa.pub file we’ve just created:

vi-admin@uk202018:~/.ssh> cat id_dsa.pub

And copying the contents into the /etc/ssh/keys-root/authorized_keys file on the host. Most SSH clients should allow you to cut and paste the contents of id_dsa.pub.

Now when an SSH connection is attempted, you will be authenticated without entering a username or password:

vi-admin@uk202018:~> ssh root@esxi1.vmlab.loc
The time and date of this login have been sent to the system logs.

VMware offers supported, powerful system administration tools.  Please
see www.vmware.com/go/sysadmintools for details.

The ESXi Shell can be disabled by an administrative user. See the
vSphere Security documentation for more information.
~ #

Useful Links and Resources

http://blogs.vmware.com/vsphere/2012/07/enabling-password-free-ssh-access-on-esxi-50.html


Keep up to date with new posts on Buildvirtual.net - Follow us on Twitter:
Be Sociable, Share!

Comments on this entry are closed.

Previous post:

Next post: