Re: ESXi 5.0.0 ssh configuration

nodice · ‎10-12-2011

Hey guys,

I'm currently trying to set up ssh using shared keys. Here's what I've done:

On Server:

- Enabled ssh through the F2 -> Troubleshooting Options menu

- created a ~/.ssh directory

On desktop:

- ran 'ssh-keygen -f id_dsa

- copied to ESXi server using: scp id_dsa.pub user@esxhost:~/.ssh/mykey.pub

On Server:

- cat ~/.ssh/mykey.pub >> ~/.ssh/authorized_keys

When I ssh to the ESXi server, it still prompts for passwords. All of the tutorials I have read have been for older versions of ESXi where you have to enable ssh through inetd.conf (my inetd.conf is empty). I'm wondering if there's anything different I should be doing? As far as I can tell, I've done the keys part correctly.

Any advice would be greatly appreciated.

RParker · ‎10-12-2011

you still need to validate who you are.. I wouldn't trust logging in without a prompt, that wouldn't be wise.

Besides there are tools like bitvise that can save the password, so when you create sessions it will login automatically (at least you can password protect your sessions).. I don't think putty can do this.

http://www.bitvise.com/tunnelier-download

nodice · ‎10-12-2011

The validation is done through the certificates, you generate a public and private certificate pair, copy the public one to the server you wish to login to without prompt and when you attempt to authenticate, the server checks your public key against the private key generated at the same time.

If you don't already have a certificate on the server, then you need to have the ability to get your certificate copied to it -- either through an administrator, or by password.

RParker · ‎10-12-2011

so that tool I posted, it doesn't require authentication once you save the session information, wouldn't that amount to the same thing?

your goal is to simply connect without getting prompted for password ....

nodice · ‎10-12-2011

It's the same thing except that I have tools I use that employ key auth (i.e. I don't need another app to do auth for me). Since key auth worked on previous versions of ESXi, I was hoping to get it going for 5.

RParker · ‎10-12-2011

nodice wrote:
It's the same thing except that I have tools I use that employ key auth (i.e. I don't need another app to do auth for me). Since key auth worked on previous versions of ESXi, I was hoping to get it going for 5.

OK, good point. It should work, but since I never had a need for this, I didn't realize 5 wasn't working. Hopefully someone else will have an answer for you.

vistajoe · ‎10-31-2011

For ssh logins to use the keys as you wish...

On Server:

- cat ~/.ssh/mykey.pub >> /etc/ssh/keys-root-/authorized_keys

chmod 600 /etc/ssh/keys-root-/authorized_keys

Once you have done the steps you listed and this step, you should be able

to ssh login (and scp or rsync) without being challenged for a password.

Hope this helps.

Joe

titaniumlegs · ‎03-14-2012

I know, old thread, but couple points:

In Joe's solution above, the extra dash (-) after root shouldn't be there. The location of key files is determined by the following entry in sshd_config:

AuthorizedKeysFile /etc/ssh/keys-%u/authorized_keys

%u is a variable for username.

Also, the vSphere security guide offers https put and the vMA vifs command as ways to put user keys on ESXi.

Hoep this helps!

Share and enjoy! Peter If this helped you, please award points! Or beer. Or jump tickets.

eco1 · ‎03-26-2012

If the key trust is established is anything else required to be prompted for the key phrase?

Just ssh <ESXi host> ?

nodice · ‎03-26-2012

If the key trust is established then you should just be able to ssh <ESXi box> and you will be logged in without prompt.