How to create root keypair files for dropbear, SSH and PuTTY inside an ESXi server

Version 15

    First of all, I discovered that the minimum key size for both SSH and dropbear keys is 768 bits! Keep this info in mind every time. Then, creating the root keys is simpler than creating the SSH keys for other non-root users. The latter task tends to be tedious but not impossible. I am going to try to explain the simpler way (root SSH keys); if you need advice for creating non-root SSH keys inside an ESXi box, come back to me.


    Prerequisites:

    • You must have enabled the SSH server in order to log in to the ESXi box. (Look here in this community forum for a detailed explanation.)

    • For security reasons you must have set a root password anyway.

    • Do not enable lockdown mode, otherwise you can only log in via the DCUI.

    • If you need tighter security restrictions, you can append -g to the end of the ssh line, which allows root to log in only with the identity file and no longer interactively!


    Security advice:

    Keep your keys, especially the private one, secure by placing them inside an encrypted filesystem or by limiting access with chmod 600 for user root.


    Steps:

    1. Log in as root to a freshly booted ESXi box.

    2. Create a hidden directory called /.ssh with mkdir /.ssh

    3. Create the RSA dropbear key by executing /bin/dropbearkey -t rsa -f id_rsa -s 768 > id_rsa.pub

    4. Create the DSA dropbear key by executing /bin/dropbearkey -t dss -f id_dsa -s 1024 > id_dsa.pub

    5. Open the /.ssh/id_rsa.pub and /.ssh/id_dsa.pub files and delete the first and last line with your favorite editor.
      NOTE: Do not change anything else; only one line, beginning with ssh-rsa or ssh-dss, must remain.

    6. Make a copy of your RSA private dropbear key by executing cp id_rsa id_rsa.db

    7. Make a copy of your DSA private dropbear key by executing cp id_dsa id_dsa.db

    8. Now convert the RSA dropbear key to OpenSSH format by executing /bin/dropbearconvert dropbear openssh id_rsa id_rsa.ssh

    9. Now convert the DSA dropbear key to OpenSSH format by executing /bin/dropbearconvert dropbear openssh id_dsa id_dsa.ssh
      NOTE: These are your private SSH keys; the public keys remain the same. In another Linux/Windows environment, copy id_rsa.ssh to id_rsa and id_dsa.ssh to id_dsa, and you can use the same RSA/DSA keys everywhere :-)

    10. Copy the RSA public key to authorized_keys with cat id_rsa.pub > authorized_keys

    11. Append the DSA public key to authorized_keys with cat id_dsa.pub >> authorized_keys
      NOTE: Check that ALL private keys have chmod 600; otherwise every SSH server will refuse to use them, because any other mode is INSECURE!

    12. If you plan to use PuTTY, as I always do, copy id_rsa.pub and id_rsa.ssh to a PuTTY environment, rename id_rsa.ssh to id_rsa and use puttygen to create an id_rsa.ppk (PuTTY Private Key) file.

    13. You can also copy id_dsa.pub and id_dsa.ssh to the same place and create an id_dsa.ppk file.

    14. Copy the newly created id_rsa.ppk and id_dsa.ppk keys to your ESXi box under /.ssh, in case you need them elsewhere and have forgotten how to build them again :-)

    15. Now put everything under /.ssh inside the oem.tgz.

    16. Reboot, then from another machine fetch the messages file out of the ESXi box with scp -i id_rsa root@<esxi-ip>:/var/log/messages .
      NOTE: If everything went fine you will never be asked for the root password, and you can now execute batch commands via cron.
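    A small shell helper for steps 5 and 10-11 above, added here as an example and not part of the original post: it strips the banner lines from dropbearkey output, assembles authorized_keys and enforces mode 600 on the private keys before accepting the result. The dropbearkey output it builds is constructed placeholder text, not real key material, and it assumes a POSIX find that supports -perm.

```shell
#!/bin/sh
# Added example, not from the original post: helpers for steps 5, 10 and 11.
# Runs under busybox sh (as on ESXi) or bash.

# Step 5: dropbearkey prints a banner line and a fingerprint line around the
# key; keep only the single line that starts with ssh-rsa or ssh-dss.
extract_pubkey() {
  grep -E '^ssh-(rsa|dss) ' "$1"
}

# Steps 10-11 plus the chmod 600 NOTE: write authorized_keys from the given raw
# dropbearkey outputs, then refuse if id_rsa or id_dsa is not exactly mode 600.
# Prints the number of keys written; returns 1 on a public key file without a
# key line and 2 on an insecure private key mode.
build_authorized_keys() {
  dir=$1; shift
  : > "$dir/authorized_keys"
  for pub in "$@"; do
    extract_pubkey "$pub" >> "$dir/authorized_keys" || return 1
  done
  chmod 600 "$dir/authorized_keys"
  for priv in "$dir/id_rsa" "$dir/id_dsa"; do
    [ -f "$priv" ] || continue
    # find -perm 600 (no leading - or /) matches only an exact mode of 600
    [ -n "$(find "$priv" -perm 600)" ] || { echo "$priv: mode is not 600" >&2; return 2; }
  done
  wc -l < "$dir/authorized_keys" | tr -d ' '
}

# Constructed sample directory mimicking the shape of dropbearkey's stdout
# (placeholder key material, not a real key) plus a dummy private key.
make_sample_dir() {
  d=$(mktemp -d); mkdir "$d/.ssh"
  printf 'Public key portion is:\nssh-rsa AAAAB3NzaC1yc2E-CONSTRUCTED-RSA root@esxi\nFingerprint: md5 00:11:22\n' > "$d/.ssh/id_rsa.pub"
  printf 'Public key portion is:\nssh-dss AAAAB3NzaC1kc3M-CONSTRUCTED-DSA root@esxi\nFingerprint: md5 33:44:55\n' > "$d/.ssh/id_dsa.pub"
  printf 'constructed private key bytes\n' > "$d/.ssh/id_rsa"
  chmod 600 "$d/.ssh/id_rsa"
  echo "$d/.ssh"
}

ssh_dir=$(make_sample_dir)
build_authorized_keys "$ssh_dir" "$ssh_dir/id_rsa.pub" "$ssh_dir/id_dsa.pub"   # prints 2
```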


    If you are now asking what the difference between an RSA and a DSA key is, and which is better to use, here is the answer:

    It has been accepted knowledge for several years now that, in relation to performance only, DSA is faster for key generation and signing, and RSA is faster for verification.

    So use RSA for copying, because verification is faster, and DSA for SSL web server applications, because key creation and signing are faster.