First of all, I discovered that the minimum key size for both SSH and dropbear keys is 768 bits! Keep this
in mind at all times. Creating the root keys is simpler than creating the SSH keys for other, non-root
users. The latter task tends to be tedious but not impossible. I am going to try to explain the simpler way (root SSH keys); if
you need advice for creating non-root SSH keys inside an ESXi box, come back to me.
You must have enabled the SSH server to log in to the ESXi box. (Look here in this community forum for a detailed explanation.)
You must have set a root password anyway, for security reasons.
Do not enable lockdown mode, otherwise you can only log in via the DCUI.
If you need more security restrictions you can append -g to the end of the ssh row, which allows root to log in only with the identity file, no longer interactively!
Keep your keys, especially the private one, secure by placing them inside an encrypted filesystem or by limiting their use to user root with chmod 600.
Log in as root to a freshly booted ESXi box.
Create a hidden directory called /.ssh with mkdir /.ssh
Create the RSA dropbear key by executing /bin/dropbearkey -t rsa -f id_rsa -s 768 > id_rsa.pub
Create the DSA dropbear key by executing /bin/dropbearkey -t dss -f id_dsa -s 1024 > id_dsa.pub
Open the /.ssh/id_rsa.pub and /.ssh/id_dsa.pub files and delete the first and last line with your favorite editor.
NOTE: Do not change anything else; only one line beginning with ssh-rsa or ssh-dss must remain.
Make a copy of your RSA private dropbear key by executing cp id_rsa id_rsa.db
Make a copy of your DSA private dropbear key by executing cp id_dsa id_dsa.db
Now convert the RSA dropbear key to OpenSSH format by executing /bin/dropbearconvert dropbear openssh id_rsa id_rsa.ssh
Now convert the DSA dropbear key to OpenSSH format by executing /bin/dropbearconvert dropbear openssh id_dsa id_dsa.ssh
NOTE: These are your private SSH keys; the public keys remain the same. In another Linux/Windows environment copy
id_rsa.ssh to id_rsa and id_dsa.ssh to id_dsa, and you can use the same RSA/DSA keys everywhere :-)
Copy the RSA public key to authorized_keys with cat id_rsa.pub > authorized_keys
Append the DSA public key to authorized_keys with cat id_dsa.pub >> authorized_keys
NOTE: Please check that ALL private keys have chmod 600; otherwise every SSH server refuses to use them, because any other mode is INSECURE!
If you plan to use PuTTY, as I always do, copy id_rsa.pub and id_rsa.ssh to a PuTTY environment, rename id_rsa.ssh to id_rsa and use puttygen to create an id_rsa.ppk (PuTTY Private Key) file.
You can also copy id_dsa.pub and id_dsa.ssh to the same place and create an id_dsa.ppk file.
Copy the newly created id_rsa.ppk and id_dsa.ppk keys to your ESXi box under /.ssh,
in case you need them elsewhere and have forgotten how to build them again.
Now put all the /.ssh contents inside the oem.tgz.
Reboot and fetch the messages file from the ESXi box by trying, from another machine: scp -i id_rsa root@<esxi-ip>:/var/log/messages .
NOTE: If everything went fine you will never be asked for the root password and can now execute batch commands via cron.
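The key-building steps above, scripted as an added example that is not from the original post or from dropbear itself: it assumes dropbearkey and dropbearconvert live in /bin as on the ESXi box described, keeps the post's file names and key sizes, and adds the checks the notes call for (exactly one ssh-rsa/ssh-dss line left in each .pub file, mode 600 on every private key). The two lines it strips from dropbearkey's output are assumed from the post's "delete the first and last line" instruction.

```sh
#!/bin/sh
# Added example (not from the original post): scripts the root-key steps above.
# Assumes /bin/dropbearkey and /bin/dropbearconvert as on the ESXi box described.
set -eu

# Keep only the key line from dropbearkey's stdout: drop the first line and the
# last (fingerprint) line, as the post says to do by hand, then insist that
# exactly one line beginning with ssh-rsa or ssh-dss remains.
extract_pubkey() {            # $1 = raw dropbearkey output, $2 = cleaned .pub
    sed '1d;$d' "$1" > "$2"
    n=$(grep -E -c '^ssh-(rsa|dss) ' "$2" || true)
    total=$(wc -l < "$2" | tr -d ' ')
    [ "$n" -eq 1 ] && [ "$total" -eq 1 ] || {
        echo "refusing $2: expected exactly one ssh-rsa/ssh-dss line" >&2
        return 1
    }
}

# authorized_keys: RSA key first (cat >), DSA key appended (cat >>), mode 600.
build_authorized_keys() {     # $1 = destination, then .pub files in order
    dest=$1; shift
    : > "$dest"
    for pub in "$@"; do cat "$pub" >> "$dest"; done
    chmod 600 "$dest"
}

# Every private key must be mode 600 or the SSH server will refuse it.
private_keys_are_600() {      # args = private key files; returns 1 on any other mode
    for k in "$@"; do
        case $(ls -l "$k" | cut -c1-10) in -rw-------) ;; *) return 1 ;; esac
    done
}

# The whole root-key build, run in a subshell so the cd does not leak.
make_root_keys() {            # $1 = key directory (the post uses /.ssh)
    ( mkdir -p "$1" && cd "$1"
      /bin/dropbearkey -t rsa -f id_rsa -s 768 > id_rsa.raw
      /bin/dropbearkey -t dss -f id_dsa -s 1024 > id_dsa.raw
      extract_pubkey id_rsa.raw id_rsa.pub
      extract_pubkey id_dsa.raw id_dsa.pub
      cp id_rsa id_rsa.db; cp id_dsa id_dsa.db          # keep dropbear-format copies
      /bin/dropbearconvert dropbear openssh id_rsa id_rsa.ssh
      /bin/dropbearconvert dropbear openssh id_dsa id_dsa.ssh
      chmod 600 id_rsa id_dsa id_rsa.db id_dsa.db id_rsa.ssh id_dsa.ssh
      private_keys_are_600 id_rsa id_dsa id_rsa.db id_dsa.db id_rsa.ssh id_dsa.ssh
      build_authorized_keys authorized_keys id_rsa.pub id_dsa.pub
      rm -f id_rsa.raw id_dsa.raw )
}
```

Run make_root_keys /.ssh on the box; the three helper functions can be exercised on any host without dropbear installed.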
If you now ask what the difference between an RSA and a DSA key is and which is better to use, here is the answer:
It has been accepted knowledge for several years now that, in relation to performance only, DSA is faster for key generation and signing and RSA is faster for verification.
So use RSA for copying, because verification is faster, and DSA for SSL web server applications, because creating and signing is faster.