nodice
Contributor

ESXi 5.0.0 ssh configuration

Hey guys,

I'm currently trying to set up ssh using shared keys.  Here's what I've done:

On Server:

- Enabled ssh through the F2 -> Troubleshooting Options menu

- created a ~/.ssh directory

On desktop:

- ran 'ssh-keygen -f id_dsa'

- copied to ESXi server using: scp id_dsa.pub user@esxhost:~/.ssh/mykey.pub

On Server:

- cat ~/.ssh/mykey.pub >> ~/.ssh/authorized_keys

When I ssh to the ESXi server, it still prompts for passwords.  All of the tutorials I have read have been for older versions of ESXi where you have to enable ssh through inetd.conf (my inetd.conf is empty).  I'm wondering if there's anything different I should be doing?  As far as I can tell, I've done the keys part correctly.

Any advice would be greatly appreciated.

0 Kudos
9 Replies
RParker
Immortal

You still need to validate who you are. I wouldn't trust logging in without a prompt; that wouldn't be wise.

Besides, there are tools like Bitvise that can save the password, so when you create sessions it will log in automatically (at least you can password-protect your sessions). I don't think PuTTY can do this.

http://www.bitvise.com/tunnelier-download

0 Kudos
nodice
Contributor

The validation is done through the certificates: you generate a public and private certificate pair, copy the public one to the server you wish to log in to without a prompt, and when you attempt to authenticate, the server checks your public key against the private key generated at the same time.

If you don't already have a certificate on the server, then you need to have the ability to get your certificate copied to it -- either through an administrator, or by password.

0 Kudos
RParker
Immortal

So that tool I posted, it doesn't require authentication once you save the session information. Wouldn't that amount to the same thing?

Your goal is simply to connect without getting prompted for a password...

0 Kudos
nodice
Contributor

It's the same thing except that I have tools I use that employ key auth (i.e. I don't need another app to do auth for me).  Since key auth worked on previous versions of ESXi, I was hoping to get it going for 5.

0 Kudos
RParker
Immortal

nodice wrote:

It's the same thing except that I have tools I use that employ key auth (i.e. I don't need another app to do auth for me).  Since key auth worked on previous versions of ESXi, I was hoping to get it going for 5.

OK, good point.  It should work, but since I never had a need for this, I didn't realize 5 wasn't working.  Hopefully someone else will have an answer for you.

0 Kudos
vistajoe
Contributor

For ssh logins to use the keys as you wish...

On Server:

- cat ~/.ssh/mykey.pub >> /etc/ssh/keys-root-/authorized_keys

  chmod 600 /etc/ssh/keys-root-/authorized_keys

Once you have done the steps you listed and this step, you should be able to ssh login (and scp or rsync) without being challenged for a password.

Hope this helps.

Joe

0 Kudos
titaniumlegs
Enthusiast

I know, old thread, but a couple of points:

In Joe's solution above, the extra dash (-) after root shouldn't be there.  The location of key files is determined by the following entry in sshd_config:

AuthorizedKeysFile /etc/ssh/keys-%u/authorized_keys

%u is a variable for username.

Also, the vSphere security guide offers https put and the vMA vifs command as ways to put user keys on ESXi.

Hope this helps!

Share and enjoy! Peter If this helped you, please award points! Or beer. Or jump tickets.
0 Kudos
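As an added example (not from any poster in this thread, and not VMware's own tooling): a POSIX shell check that reads the AuthorizedKeysFile directive quoted above, expands %u and %h, and reports whether a public key is present in the file sshd will actually read. The function names are hypothetical, the sshd_config path in the usage comment is an assumption, and the fallback when the directive is absent is OpenSSH's default .ssh/authorized_keys.

```shell
#!/bin/sh
# Added example: locate the authorized_keys file sshd reads for a user and
# check that a public key is installed there with safe permissions.
# Usage (config path is an assumption):
#   check_key /etc/ssh/sshd_config root "$HOME" ~/.ssh/mykey.pub

# First AuthorizedKeysFile value in an sshd_config (keyword is case-insensitive).
# Commented-out lines do not match; falls back to the OpenSSH default.
akf_patterns() {
    awk 'tolower($1) == "authorizedkeysfile" { $1 = ""; sub(/^[ \t]+/, ""); print; f = 1; exit }
         END { if (!f) print ".ssh/authorized_keys" }' "$1"
}

# Expand %u and %h; a relative result is taken relative to the home directory.
# Assumes user and home contain no "|" or "&" (sed replacement metacharacters).
akf_expand() {  # pattern user home
    p=$(printf '%s\n' "$1" | sed -e "s|%u|$2|g" -e "s|%h|$3|g")
    case $p in
        /*) printf '%s\n' "$p" ;;
        *)  printf '%s/%s\n' "$3" "$p" ;;
    esac
}

# Print one status line per candidate file; return 0 only if the key is usable.
check_key() {  # sshd_config user home pubkey_file
    blob=$(awk '{ print $2; exit }' "$4")   # base64 key body, without the comment
    [ -n "$blob" ] || return 2              # not a "type blob comment" key file
    rc=1
    for pat in $(akf_patterns "$1"); do
        f=$(akf_expand "$pat" "$2" "$3")
        if [ ! -f "$f" ] || ! grep -qF -- "$blob" "$f"; then
            echo "MISSING $f"
        elif [ -n "$(find "$f" \( -perm -020 -o -perm -002 \))" ]; then
            echo "LOOSE-PERMS $f"           # group/other-writable: chmod 600 it
        else
            echo "OK $f"; rc=0
        fi
    done
    return $rc
}
```

A MISSING result for /etc/ssh/keys-root/authorized_keys while the key sits in ~/.ssh/authorized_keys is exactly the situation in the original question.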
eco1
Contributor

If the key trust is established, is anything else required to be prompted for the key phrase?

Just ssh <ESXi host> ?

0 Kudos
nodice
Contributor

If the key trust is established, then you should just be able to ssh <ESXi box> and you will be logged in without a prompt.

0 Kudos