
ESXi Lockdown Mode

Created on: Sep 20, 2008 1:25 PM by virtualRW - Last Modified: Sep 20, 2008 1:28 PM by virtualRW

So I finally got a chance to work with and figure out ESXi lockdown mode. Once I actually saw it in person it made complete sense.

Ways to access an ESXi host:

a) Using VirtualCenter and your AD credentials
b) Using the VI Client direct to the ESXi host with an ESXi ID
c) Using the RCLI commands with ESXi IDs
d) Standing in front of the server with direct console access (keyboard and mouse attached to the server) and using ESXi IDs
The chart below shows the four ways to access an ESXi host along with the user credentials used:

[Chart: ESXi Lockdown Mode] http://3.bp.blogspot.com/_z9GoVjgsBOY/SMihEO2AOoI/AAAAAAAAAA0/GXpH-agtiUM/s400/2.jpg

Looking at this, two things jump out at me.

Number 1 - if you are standing in front of your ESXi host and plan on making configuration changes you must have the 'root' password. No other ID will let you log in at the console.

Number 2 - Lockdown mode really only stops the actual 'root' ID from being used with either the VI Client or the RCLI interface. Other users with 'root like' privileges that you create can still make changes to the ESXi host using these methods, thus avoiding VirtualCenter altogether.

And since there is no PAM module for ESXi, if you do plan on creating users on each ESXi host you'll need to manage each host individually (IDs and passwords), or go with a generic account with 'root like' access, in which case you might as well just use the root ID.

Lockdown mode is a good idea if you don't have the need for any of the RCLI interfaces. This way you can keep the 'root' password in a safe, manage all the ESXi hosts via VirtualCenter, and only break out the root password in the event you need to make changes to the ESXi host to fix a communication issue with VirtualCenter.

Tags: esxi, lockdown, mode
Dec 22, 2008 3:22 PM Charu (VMware) says:

Number 1 is true by default. However, you can grant privilege to other users to log in to the Direct Console UI (DCUI). You do this by adding the user to the local group "localadmin" on the ESXi box (which can be done by logging in directly to the ESXi host via the VI Client). Obviously you should only do this for users who are very trusted.
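As an added example (not part of the original post or of Charu's comment, and not VMware code), the following Python script turns the observations above into an audit over a constructed host inventory: a non-root local account holding Administrator privileges can still change a host over the VI Client or RCLI whether or not lockdown mode is on, a host with lockdown mode off leaves root usable over those same paths, the same admin login repeated on several hosts is the 'generic account' pattern the post warns about, and members of the localadmin group can reach the DCUI without the root password. The data model (HostSnapshot, LocalAccount, the "Administrator" role name and the sample hosts esx01..esx03) is an assumption made for this example; nothing here is read from a real VMware API.

```python
"""Audit ESXi lockdown posture from a constructed inventory snapshot.

The HostSnapshot/LocalAccount model and the sample hosts below are assumptions
made for this example, not data returned by any VMware API.
"""
from collections import defaultdict
from dataclasses import dataclass, field

ADMIN_ROLE = "Administrator"            # the 'root like' privilege level from the post
DIRECT_PATHS = ("VI Client", "RCLI")    # direct paths lockdown mode is meant to close for root


@dataclass
class LocalAccount:
    name: str
    role: str


@dataclass
class HostSnapshot:
    name: str
    lockdown_enabled: bool
    local_accounts: list[LocalAccount]
    localadmin_members: list[str] = field(default_factory=list)  # DCUI login group


@dataclass
class Finding:
    host: str
    severity: str
    account: str
    message: str


def direct_admin_accounts(host):
    """Accounts that can change this host's configuration over VI Client/RCLI
    without going through VirtualCenter. Lockdown mode only blocks 'root'."""
    result = []
    for acct in host.local_accounts:
        if acct.role != ADMIN_ROLE:
            continue
        if acct.name == "root" and host.lockdown_enabled:
            continue
        result.append(acct.name)
    return result


def audit_host(host):
    """Per-host findings: lockdown off, lockdown bypass accounts, DCUI-capable users."""
    findings = []
    if not host.lockdown_enabled:
        findings.append(Finding(host.name, "HIGH", "root",
                                "lockdown mode off: root usable over " + "/".join(DIRECT_PATHS)))
    for name in direct_admin_accounts(host):
        if name == "root":
            continue  # already covered by the lockdown-off finding
        findings.append(Finding(host.name, "HIGH", name,
                                "local Administrator account bypasses lockdown over VI Client/RCLI"))
    for name in host.localadmin_members:
        findings.append(Finding(host.name, "INFO", name,
                                "member of localadmin: may log in at the DCUI without the root password"))
    return findings


def audit_inventory(hosts):
    """All per-host findings plus cross-host 'generic account' detection."""
    findings = []
    for host in hosts:
        findings.extend(audit_host(host))
    # The same non-root admin login on several hosts is the generic account the post
    # warns about: with no central directory, each copy is managed separately.
    seen = defaultdict(list)
    for host in hosts:
        for name in direct_admin_accounts(host):
            if name != "root":
                seen[name].append(host.name)
    for name, on_hosts in sorted(seen.items()):
        if len(on_hosts) > 1:
            findings.append(Finding("*", "MEDIUM", name,
                                    f"generic admin account present on {len(on_hosts)} hosts "
                                    f"({', '.join(on_hosts)}); each copy must be managed by hand"))
    return findings


def compliant_hosts(hosts):
    """Hosts where lockdown is on and only root (unusable directly) holds Administrator."""
    return [h.name for h in hosts if not any(f.severity == "HIGH" for f in audit_host(h))]


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    HostSnapshot("esx01", True,
                 [LocalAccount("root", ADMIN_ROLE), LocalAccount("opsadmin", ADMIN_ROLE),
                  LocalAccount("auditor", "ReadOnly")],
                 localadmin_members=["opsadmin"]),
    HostSnapshot("esx02", False,
                 [LocalAccount("root", ADMIN_ROLE), LocalAccount("opsadmin", ADMIN_ROLE)]),
    HostSnapshot("esx03", True, [LocalAccount("root", ADMIN_ROLE)]),
]

if __name__ == "__main__":
    for f in audit_inventory(SAMPLE_INVENTORY):
        print(f"{f.host:6} {f.severity:6} {f.account:10} {f.message}")
    print("compliant:", compliant_hosts(SAMPLE_INVENTORY))
```

Only esx03 comes out compliant: esx01 has lockdown on but a second Administrator login that still reaches it directly, and esx02 has lockdown off entirely. The cross-host check reports opsadmin once as a shared account, which is the case where the post notes you might as well be using root.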
