VMware Cloud Community
peetz
Leadership

Please vote for feature request: Add sudo to ESXi

Hi all,

talking about AD integrated ESXi hosts. With ESXi 5.0 VMware has introduced an important improvement in AD integration by making the name of the infamous "ESX Admins" AD group configurable (see my blog post here for instructions and an explanation of why this is important).

However, there is still a problem: You can log on to a local or remote console using an AD account that has administrative rights, but you won't have root privileges in this session, e.g. you cannot edit any configuration files, restart services etc. To gain root rights you need to use su, but that means that you still need to know and enter the password of the root user! From a compliance standpoint this is not acceptable, because the whole point of AD integration is that each VMware administrator uses his AD account for administration and does not even know the root password - to make sure that each change to the system can easily be related to a personal account (Well, for emergency cases e.g. when AD authentication is not available you still need someone who knows the root password or e.g. has it written down on a piece of paper in a sealed envelope).

The easiest way to achieve this would be to use the sudo command in the ESXi shell to run commands in root context without the need to know root's password. This is common practice when managing Unix/Linux servers.

Now the point is: sudo used to be available in ESX, but it is not available in ESXi.

So, my feature request for VMware is that easy: Add sudo to ESXi! It is the missing piece that would make AD integration a success story, finally.

Now give me your +1's! (Or tell me that I'm wrong and why 😉)

Thanks

Andreas

Twitter: @VFrontDe, @ESXiPatches | https://esxi-patches.v-front.de | https://vibsdepot.v-front.de
26 Replies
JonWeatherhead
Contributor

You got my thumbs up +1

I have to ask though...

You did so well with creating a VIB for ProFTP... maybe you could do the same for SUDO?

Thanks,

Jon

Just_Danny
Contributor

+1 from here. It makes so much sense with all the pressure on compliance and security within a company; allowing this would allow better accountability for actions done.

Sudarshan_Bhart
Enthusiast

There is no need for root or su to run commands as a privileged user in ESXi 5.0 or later. You can use AD authentication and the "ESX Admins" group to provide privileged access to users who want to run any command via SSH.

mcowger
Immortal

...sudo adds more than just privileged commands. It can LIMIT commands to certain sets, log all commands executed, etc.

--Matt VCDX #52 blog.cowger.us
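To make the two points above concrete (Matt's: sudo can restrict the command set and log every invocation; Andreas's: each change should be traceable to a personal account), here is an added example that is not code from this thread or from VMware. It shows what such a policy and its audit trail look like on a Linux host that does have sudo, which is exactly what the request asks VMware to provide on ESXi. The group name esx-admins, the command paths, the host name esx01 and the log lines are all constructed for illustration; the log lines follow sudo's default syslog record format.

```shell
#!/bin/sh
# Added example, not code from the thread or from VMware.
# Shows (1) a restrictive sudo policy and (2) how sudo's log yields a
# per-user audit trail. Group, paths, host name and log lines are constructed.

# 1. Policy (hypothetical /etc/sudoers.d/esx-admins).
#    Members of the AD-resolved group esx-admins may run only the listed
#    commands as root, authenticating with their own password, never root's.
#    On a real host, check the file with:  visudo -c -f /etc/sudoers.d/esx-admins
SUDOERS_POLICY='
Defaults    logfile=/var/log/sudo.log, log_year, log_input, log_output
Cmnd_Alias  ESX_OPS = /sbin/services.sh restart, /sbin/chkconfig -l
%esx-admins ALL=(root) ESX_OPS, sudoedit /etc/ssh/sshd_config
'

# 2. Constructed sudo syslog records: two allowed commands by andreas and
#    one attempt by bob that the policy rejected ("command not allowed").
SAMPLE_SUDO_LOG='Mar  3 10:15:01 esx01 sudo:  andreas : TTY=pts/0 ; PWD=/ ; USER=root ; COMMAND=/sbin/services.sh restart
Mar  3 10:16:12 esx01 sudo:      bob : command not allowed ; TTY=pts/1 ; PWD=/ ; USER=root ; COMMAND=/bin/sh
Mar  3 10:17:40 esx01 sudo:  andreas : TTY=pts/0 ; PWD=/ ; USER=root ; COMMAND=sudoedit /etc/ssh/sshd_config'

# Reads sudo records on stdin, prints one "user<TAB>ALLOWED|DENIED<TAB>command"
# line per record. The personal account, not "root", is what gets attributed.
sudo_audit() {
    awk '
        / sudo: / {
            rec = $0
            sub(/^.* sudo: +/, "", rec)          # drop timestamp/host prefix
            split(rec, parts, " : ")             # first field is the invoking user
            user = parts[1]
            status = (rec ~ /command not allowed/) ? "DENIED" : "ALLOWED"
            cmd = rec
            sub(/^.*COMMAND=/, "", cmd)          # keep only the command text
            printf "%s\t%s\t%s\n", user, status, cmd
        }'
}

# Lists (unique) users who tried something the policy does not permit.
sudo_denied_users() {
    sudo_audit | awk -F'\t' '$2 == "DENIED" { print $1 }' | sort -u
}

# Stand-alone demo: print the audit trail for the constructed log.
printf '%s\n' "$SAMPLE_SUDO_LOG" | sudo_audit
```

On a real host the same function would be fed `/var/log/secure` or `/var/log/auth.log` (wherever syslog writes the `sudo:` facility), and the `log_input`/`log_output` defaults additionally record full session I/O under `/var/log/sudo-io` for replay with `sudoreplay`. The point for the thread: the shared root password is never typed, and the log still names the person.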
esxi1979
Expert

Sudo was in ESX but not in ESXi :(

It's not even in ESXi 6?

vfk
Expert

Hi, I don't really see any benefit in having sudo for an ESXi host; vSphere/ESXi supports using named accounts to log in with full privileges. See: Restricting Access to the ESXi Host Console - Revisiting Lockdown Mode | VMware vSphere Blog - VMwar... & vSphere 5.1 - Full Admin Support for Named User Accounts | VMware vSphere Blog - VMware Blogs

There is no longer a dependency on a shared root account. ESXi 5.1 now allows assigning full administration rights to named users. With this, users can now log on to the ESXi shell using individual accounts without the need to "su" to root, and because there is no longer a dependency on a shared root account, all actions performed on the host are logged under the named user rather than the shared "root" account.

--- If you found this or any other answer helpful, please consider the use of the Helpful or Correct buttons to award points. vfk Systems Manager / Technical Architect VCP5-DCV, VCAP5-DCA, vExpert, ITILv3, CCNA, MCP
WeberEInc
Contributor

Hello,

I have a situation where the vSphere client is showing a running guest, but when you attempt to use the power menu item from the user interface (via the API) there are nothing but greyed-out entries. Power-On, Power-Off, Suspend, Reset, Shutdown Guest, Restart Guest... All of them, greyed-out. I have no idea how this guest got into this hard-locked state, but the APIs don't seem to give me any way of killing this box short of cycling the whole host, which is not an option. Online searching found this post http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=100434... which suggests SSHing into the host and killing the running guest... However, without sudo and without the root password, this is impossible for me, even though I have been added to the root group via the APIs...

If there is another way to accomplish this task, I'd love to know.  If not, then here's another strong vote for "Add sudo to ESXi"..

Thanks

BTW - This is a 2015 reply to a much older thread... anything recent on this topic?

Thanks again
