VMware Cloud Community
iceman93
Contributor

ESX 4 host security

Hi -

I have used my kickstart script to build multiple ESX 4 hosts. It worked wonderfully. However, last night I used the same ks.cfg to build another ESX 4 host and ran into a security issue when trying to log in using PuTTY. Just to clarify, I'm logging in with my own account and not as "root", using AD authentication.

I've validated that my account exists on the host, as well as on the other peers created from the kickstart script. No one is able to log in; we get "Access Denied".

Did I overlook something simple and just not thinking properly today?

Thanks!

3 Replies
f10
Expert

Hi,

Ensure that all the requirements mentioned in KB http://kb.vmware.com/kb/1021970 are met. If this KB does not resolve the issue, it would be interesting to see the output of /usr/bin/esxcfg-authconfig -a

I hope this information helps.

If you found this or other information useful, please consider awarding points for "Correct" or "Helpful".

Regards, Arun Pandey VCP 3,4,5 | VCAP-DCA | NCDA | HPUX-CSA | http://highoncloud.blogspot.in/
iceman93
Contributor

It was helpful, and I have validated the KB article. See a sample of the kickstart script below. Hope this helps.

Can't get the output from /usr/bin/esxcfg-authconfig -a until I am able to log into the host.

# Install or Upgrade
install cdrom

# The script can be tested with the following
#dryrun

# Network install type
network --bootproto=static --ip=XXXXXXXX --gateway=XXXXXXX --netmask=XXXXXXXXX --hostname=hostname.xxx.xxx --nameserver=XXXXXXXX,XXXXXXXX --device=vmnic0 --addvmportgroup=0

# root Password
rootpw --iscrypted XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

# Authconfig
authconfig --enableshadow --enablemd5

# Regional Settings
keyboard us
timezone America/Chicago

# Firewall settings
firewall --allowOutgoing

# Enable reboot after script
reboot

# Boot Config
bootloader --location=mbr

# Disk Partitioning
clearpart --firstdisk --overwritevmfs
part /boot --fstype=ext3 --size=2000 --onfirstdisk --asprimary
part hostname-local --fstype=vmfs3 --size=50000 --grow --onfirstdisk
part None --fstype=vmkcore --size=100 --onfirstdisk

# Create the vmdk on the COS vmfs partition.
virtualdisk esxconsole --size=40000 --onvmfs=hostname-local

# Partition the virtual disk.
part / --fstype=ext3 --size=20000 --grow --onvirtualdisk=esxconsole
part swap --fstype=swap --size=1600 --onvirtualdisk=esxconsole
part /var --fstype=ext3 --size=4000 --grow --onvirtualdisk=esxconsole
part /home --fstype=ext3 --size=10000 --grow --onvirtualdisk=esxconsole
part /opt --fstype=ext3 --size=2000 --grow --onvirtualdisk=esxconsole
part /tmp --fstype=ext3 --size=2000 --grow --onvirtualdisk=esxconsole

# Accept the EULA
vmaccepteula

%post --interpreter=bash
/usr/bin/sleep 90

# Enable Kerberos Auth (domain and DC are placeholders)
/usr/sbin/esxcfg-auth --enablead --addomain=<domain> --addc=<dc>

# Create user IDs to enable ssh to the host with DOMAIN IDs, one line per account.
# useradd takes the login name as its argument; -c only sets the comment (GECOS) field.
/usr/sbin/useradd userid
/usr/sbin/useradd userid
/usr/sbin/useradd userid
/usr/sbin/useradd userid

%post --interpreter=bash
# Create post-config script. The file name must start with a capital "S",
# since /etc/rc.d/rc only runs /etc/rc3.d/S* at boot.
cat << \EOF > /etc/rc3.d/S99postconf
#!/bin/bash
# Open firewall ports for the appropriate services
/usr/sbin/esxcfg-firewall --openport 88,tcp,out,KerberosClientTCP
/usr/sbin/esxcfg-firewall --blockOutgoing
/usr/sbin/esxcfg-firewall -e ntpClient
/usr/sbin/esxcfg-firewall -e activeDirectorKerberos
/usr/sbin/esxcfg-firewall -e smbClient
/usr/sbin/esxcfg-firewall -e sshServer

# Configure a queue depth of 64 on QLogic adapters
/usr/sbin/esxcfg-module -s ql2xmaxqdepth=64 qla2300_707_vmw
/usr/sbin/esxcfg-boot -b

echo "Removing automated post script."
rm /etc/rc3.d/S99postconf
EOF
chmod +x /etc/rc3.d/S99postconf

iceman93
Contributor

I've figured out my issue. NTP problem.

Thanks

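The thread resolves to clock drift: Kerberos refuses to authenticate when the client clock is more than the configured skew (300 seconds by default) away from the domain controller, so a kickstarted host whose NTP client is broken gets "Access Denied" even though the account exists. The following POSIX shell script is an added example, not part of the original thread or of VMware's tooling. It packages the prerequisite checks a practitioner would run on the service console before blaming the kickstart: clock offset against the DC, the AD/Kerberos firewall service, and the realm spelling. It runs against constructed sample output so it works offline; the format of the `ntpdate -q` line matches real ntpdate output, while the wording of the `esxcfg-firewall -q` line is an assumption, so adjust the grep pattern if your build prints something else.

```shell
#!/bin/sh
# Added example: pre-flight checks for AD/Kerberos logins on an ESX 4 service
# console, run against constructed sample output. Not from the original post.

# Kerberos rejects authentication when the client clock differs from the KDC
# by more than this many seconds (MIT krb5 default clockskew is 300).
KRB_MAX_SKEW=300

# ntp_offset_from_line LINE -> prints the signed offset in seconds from an
# `ntpdate -q <dc>` result line, e.g. "... offset -412.731, delay ..." -> -412.731
ntp_offset_from_line() {
    printf '%s\n' "$1" | sed -n 's/.*offset \([-0-9.]*\),.*/\1/p'
}

# ntp_offset_ok OFFSET -> exit 0 if |OFFSET| <= KRB_MAX_SKEW, 1 otherwise.
# awk does the comparison because sh arithmetic is integer-only.
ntp_offset_ok() {
    awk -v o="$1" -v max="$KRB_MAX_SKEW" 'BEGIN { if (o < 0) o = -o; exit (o > max) }'
}

# firewall_service_enabled LINE -> 0 if the (assumed) query output reports
# "is enabled", e.g. "Service activeDirectorKerberos is enabled."
firewall_service_enabled() {
    printf '%s\n' "$1" | grep -q 'is enabled'
}

# realm_ok REALM -> 0 if the Kerberos realm is entirely upper case.
# A lower-case realm in esxcfg-auth --addomain is a common cause of failed logins.
realm_ok() {
    [ "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" = "$1" ]
}

# preflight NTP_LINE FW_LINE REALM -> prints one line per check and returns
# the number of failed checks (0 means every prerequisite looked satisfied).
preflight() {
    fails=0
    off=$(ntp_offset_from_line "$1")
    if ntp_offset_ok "$off"; then
        echo "ok   clock offset to DC is ${off}s (limit ${KRB_MAX_SKEW}s)"
    else
        echo "FAIL clock offset to DC is ${off}s; Kerberos will reject logins, fix NTP first"
        fails=$((fails + 1))
    fi
    if firewall_service_enabled "$2"; then
        echo "ok   AD/Kerberos firewall service is enabled"
    else
        echo "FAIL AD/Kerberos firewall service is not enabled (esxcfg-firewall -e activeDirectorKerberos)"
        fails=$((fails + 1))
    fi
    if realm_ok "$3"; then
        echo "ok   realm $3 is upper case"
    else
        echo "FAIL realm $3 must be upper case"
        fails=$((fails + 1))
    fi
    return $fails
}

# Constructed samples (not captured from a real host): a clock that drifted
# almost seven minutes, as a broken NTP client on a freshly built host would show.
SAMPLE_NTP='server 10.0.0.5, stratum 2, offset -412.731, delay 0.02564'
SAMPLE_FW='Service activeDirectorKerberos is enabled.'
SAMPLE_REALM='EXAMPLE.COM'

preflight "$SAMPLE_NTP" "$SAMPLE_FW" "$SAMPLE_REALM" || echo "$? prerequisite check(s) failed"
```

On a live host the sample variables would be replaced by `ntpdate -q <dc>`, `esxcfg-firewall -q activeDirectorKerberos` and the `default_realm` line from /etc/krb5.conf; keeping the parsing in separate functions is what lets the checks be exercised offline, which is the only way to test them when the very problem under investigation is that nobody can log in.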