I recently upgraded all my ESX 4.0 hosts to 4.1 using Update Manager. Everything went smoothly, except I cannot connect to the ESX host using SSH: I am getting an access denied message when connecting as root. The root password is correct, as I can connect to the host using the vSphere Client.
Any ideas what it could be?
Hi,
You can check if the firewall rules were not changed and still allow SSH communication. You can also have a look at the /etc/ssh/sshd_config and verify that the PermitRootLogin is set to Yes.
Hope it helps.
Regards
Franck
Hi,
Default security settings will not allow you to SSH with the root account.
You can login with a standard user account and then use "su" command to
elevate to root. Or you can change setting as Franck mentioned.
I do not think either way will work right away with ESX 4.1. Between 4.0 and 4.1 a change was introduced that demands that any SSH user must have the Administrator Role on the ESX host to log on, otherwise the logon will be rejected.
skishore points out the 'best practice' way to set up and use SSH to the host, but I too have this issue now with hosts upgraded from 4.0 to 4.1. I will try to add my local user account to an administrative group, but has anyone else seen this and/or come up with a resolution? What specific group on the host will bypass this new security feature? Is this documented anywhere in the Release documentation? I didn't see it when I read the whole thing over again.
It was a best practice before 4.1, but is not anymore since it is not working. This is quite a strange change, but it is in the release notes. I do not have the link at the moment, unfortunately.
So the user that does the initial SSH login must have the role of local Administrator on the ESX host. If needing root access, he/she can then use su if wanted after the logon.
I found a workaround to this so that you can enable SSH for a user; however, when the ESX host is rebooted the setting reverts to normal. We will be implementing AD authentication to our hosts now using VAS, as we do on all other UNIX/Linux hosts today. Here is the link to the article I found with the workaround:
http://www.forgenet.tamilbot.com/?p=80190
Solution:
edit vi /etc/security/access.conf
you will see
+:root:ALL
+:vpxuser:ALL
+:vslauser:ALL
-:ALL:ALL --> which means deny all users
add +:username:ALL --> this will allow the user to log in through the SSH console
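The access.conf workaround above depends on rule order, because pam_access applies the first rule that matches a user. The Python sketch below is an added example, not code from this thread or the linked article: it evaluates rules in a simplified form (literal user names and ALL only; no groups, EXCEPT or network matching) and shows where the allow line has to go. The user name jsmith is hypothetical.

```python
# Constructed sample: the access.conf contents quoted in the post above.
SAMPLE = """\
+:root:ALL
+:vpxuser:ALL
+:vslauser:ALL
-:ALL:ALL
"""


def parse_rules(text):
    """Return (permit, users, origins) tuples, skipping blanks and comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":", 2)]
        if len(fields) != 3 or fields[0] not in ("+", "-"):
            raise ValueError(f"malformed rule: {raw!r}")
        rules.append((fields[0] == "+", fields[1].split(), fields[2].split()))
    return rules


def is_allowed(rules, user, origin="ALL"):
    """First matching rule decides; pam_access grants access if none match."""
    for permit, users, origins in rules:
        user_hit = "ALL" in users or user in users
        origin_hit = "ALL" in origins or origin in origins
        if user_hit and origin_hit:
            return permit
    return True


def add_allow(text, user):
    """Insert '+:user:ALL' ahead of the first '-:ALL:ALL' line, else append."""
    lines = text.splitlines()
    new_rule = f"+:{user}:ALL"
    for i, line in enumerate(lines):
        if line.replace(" ", "") == "-:ALL:ALL":
            lines.insert(i, new_rule)
            break
    else:
        lines.append(new_rule)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for name in ("root", "jsmith"):
        print(name, is_allowed(parse_rules(SAMPLE), name))
    print("after fix:", is_allowed(parse_rules(add_allow(SAMPLE, "jsmith")), "jsmith"))
```

An allow line appended after `-:ALL:ALL` is never reached, so a check like this is also a quick way to review which accounts the file actually admits.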
This method really works.. I was having the same problem. Thanks JonT
Thanks JonT, the best answer ))