VMware Cloud Community
StephenMoll
Expert

ESXi local user/role : Granularity of Control

In vCenter it is possible to define a user role down to the privilege of being able to manage the SSH service.

vSphere Security - VMware vSphere 7.0, Page 370, Section 16 "Defined Privileges"

Role > Host > Configuration > Security Profile and Firewall

From Table 16-19, Page 386:

Privilege Name: Host.Configuration.Security profile and firewall
Description: Allows configuration of Internet services, such as SSH, Telnet, SNMP, and of the host firewall.
Required On: Host

Is it possible to define a similar role directly in the ESXi web client?

Sadly the documentation for the role options in the ESXi web client is not as well described in the VMware documentation that I have been able to find. I would have liked to have seen more in vSphere Single Host Management - VMware Host Client - VMware vSphere 7.0.

 

8 Replies
maksym007
Expert

I assume you will need to create a separate user for this or modify the permissions for the current one.

StephenMoll
Expert

I would like to create a new local user, that can enable and disable the ESXi SSH service.

We have software developed that was done using the root account. This now needs to be changed to a new account specifically for this software. It has been found that a new account can be used, but it so far seems to require full administrator role privileges, which seems a bit overkill. So this is more about fine-tuning the privileges of this new account to just what is needed, and no more if possible.

lamw
Community Manager

Yes, this is possible. Both vCenter and ESXi have the capability of defining a custom Role that contains specific privileges that are available from each system (e.g. vCenter will have more than ESXi, and some may be the same while some may differ).

 

In general, privileges may not always map to a single function and may cover multiple areas of configuration; it really just depends. In the case of enabling/disabling SSH and other services, you will need a new role defined within ESXi with the privilege "Host.Config.NetService", which controls enabling/disabling services. By default, you will also need a few more default privileges, "System.Anonymous", "System.Read" and "System.View", for any non-readOnly type of role (this is just how the system works).

 

I was able to verify this by creating a custom role called "ssh" via the ESXi UI (it's a little non-intuitive due to the fact that there's a hierarchy that isn't visible immediately), but basically it's Host->Config->NetService (each dot in the privilege key is a node in the privilege hierarchy); see attached screenshot for details.

 

One limitation of both the ESXi Host Client UI and ESXCLI is that you can NOT assign custom roles and this is where you'll need to use the vSphere API which can also be done via PowerCLI as this is a capability of the platform but the UI just doesn't have this functionality.

 

You would use PowerCLI to connect directly to your ESXi host and then run the following command:

 

New-VIPermission -Role ssh -Principal ssh_service_user -Entity (Get-Datacenter)

 

This would now associate the local user (which I had to create) called ssh_service_user to the custom role called ssh; this would give you a basic custom role that can perform the operation you're asking for.

 

There is one more catch ... unless you add the "Host.Config.SystemManagement" privilege to the role, the ESXi Host Client UI will NOT display the "Manage" tab which is needed to get to services. So while the minimum privilege is what I described above, you wouldn't see the UI get rendered, and one trick I found was that if you provide the direct URL (e.g. https://192.168.30.156/ui/#/host/manage/services), then you can enable/disable SSH or other services, BUT if you don't know it off hand, then you may want to add that other privilege, which does add additional permissions.

 

While not ideal, it is possible to accomplish what you're looking for, with a slight caveat.

 

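The reply above describes the pieces (a custom role with Host.Config.NetService plus the three System.* baseline privileges, a local account, New-VIPermission against the host's datacenter object, and then toggling the service). The PowerCLI script below is an added example that strings those steps together end to end; it is not code from the thread or from VMware. The host name, role name and account name are placeholder assumptions, credentials are prompted rather than embedded, and the final step connects as the restricted account to confirm it can start/stop SSH but cannot create roles (a privilege outside the set the reply lists).

```powershell
# Added example, not from the thread: build the minimal "ssh" role described
# above, a local ESXi account, bind them, then verify the result from the
# restricted account's point of view. Host/role/user names are assumptions.
param(
    [string]$EsxiHost = 'esxi01.example.invalid',   # placeholder host
    [string]$RoleName = 'ssh',
    [string]$UserName = 'ssh_service_user'
)

# 1. Administrative connection directly to the host (not vCenter): local
#    accounts and roles live in the host's own authorization database.
$adminCred = Get-Credential -Message "ESXi administrator for $EsxiHost"
Connect-VIServer -Server $EsxiHost -Credential $adminCred | Out-Null

# 2. Privilege set from the reply: the service toggle plus the baseline
#    privileges every non-read-only role needs.
$privIds = 'Host.Config.NetService', 'System.Anonymous', 'System.Read', 'System.View'
$privs   = Get-VIPrivilege -Id $privIds
if (-not (Get-VIRole -Name $RoleName -ErrorAction SilentlyContinue)) {
    New-VIRole -Name $RoleName -Privilege $privs | Out-Null
}

# 3. Local account. New-VMHostAccount takes a plain-string password, so the
#    SecureString from the prompt is unwrapped only for that call.
if (-not (Get-VMHostAccount -Id $UserName -ErrorAction SilentlyContinue)) {
    $secure = Read-Host -Prompt "Password for new account $UserName" -AsSecureString
    $bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try {
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        New-VMHostAccount -Id $UserName -Password $plain -UserAccount `
            -Description 'Least-privilege SSH service toggle account' | Out-Null
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }
}

# 4. Bind role to principal on the host's root entity (the single datacenter
#    object a direct ESXi connection exposes), exactly as in the reply.
New-VIPermission -Role $RoleName -Principal $UserName -Entity (Get-Datacenter) | Out-Null

# 5. Read the binding back rather than trusting the command succeeded.
Get-VIPermission -Principal $UserName | Format-Table Principal, Role, Entity, Propagate
Disconnect-VIServer -Server $EsxiHost -Confirm:$false

# 6. Exercise the restricted account: it should toggle SSH (TSM-SSH) ...
$svcCred = Get-Credential -Message "Credentials for $UserName"
Connect-VIServer -Server $EsxiHost -Credential $svcCred | Out-Null

$ssh = Get-VMHostService | Where-Object { $_.Key -eq 'TSM-SSH' }
"SSH running before: $($ssh.Running)"
Start-VMHostService -HostService $ssh -Confirm:$false | Out-Null
$ssh = Get-VMHostService | Where-Object { $_.Key -eq 'TSM-SSH' }
"SSH running after start: $($ssh.Running)"
Stop-VMHostService -HostService $ssh -Confirm:$false | Out-Null

# ... but must NOT be able to do anything outside the role, e.g. create a
# role (that needs Authorization.ModifyRoles, which this role does not hold).
try {
    New-VIRole -Name 'should_fail' -ErrorAction Stop | Out-Null
    Write-Warning "$UserName could create a role: privileges are broader than intended."
} catch {
    "Least-privilege check passed: $UserName cannot create roles ($($_.Exception.Message))"
}
Disconnect-VIServer -Server $EsxiHost -Confirm:$false
```

Steps 5 and 6 are the part worth keeping in a runbook: the role-to-principal binding is read back with Get-VIPermission, and the restricted account is proven to have the toggle it needs and to lack an unrelated privilege, so a later edit that quietly widens the role will show up as a failed negative check rather than go unnoticed.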
StephenMoll
Expert

This sounds good William, many thanks for that.

I will take a look at this the next time I can get on the system.

 

StephenMoll
Expert

I've tried this and found the following:

I don't think I needed the PowerCLI command, although I would prefer to be able to set up the SSH user account entirely using PowerShell if possible.

Once I had set up my ssh role and user, I found that this account could be used to log into the web client and manage the SSH service.

The issue you highlighted about the "Manage" tab missing for the ssh user, is not actually an issue, because the context menu for "Host" in the Navigator has "Services" > "Disable Secure Shell (SSH)" added to it, along with "Disable Console Shell". These switch between Disable and Enable depending on the state of the services I guess.

The SSH one only seems to prevent (or allow) the creation of new SSH connections. Sessions that are already open are not forced to close by setting SSH to disabled. This suggests that the service itself is not controlled by this option, and is actually left running. I would ideally like to be able to switch on and off the SSHD as and when required.

The other option didn't seem to have any effect on anything I tried. With Console Shell enabled or disabled I was able to open SSH sessions and log into DCUI. So not sure what that is for.

 

The last niggle I found was that the ssh user I created was not able to actually open an SSH session. It would not authenticate and access was denied. I could only use the ssh user if it was given the built-in Administrator role. Turning on ALL the permissions for the ssh role so it seemed to match the Administrator role did not allow SSH sessions to be opened. I had to edit the /etc/permissions/access.conf file to change the "-" to a "+" for the ssh user. And then it worked, with the ssh role set up as you described. This I think presents a problem, because I don't think this file change will be persistent across reboots of the host. How do I do this?

 

lamw
Community Manager

PowerCLI command as mentioned _IS_ needed as there's no other way to assign custom role to a local user within the current interfaces ... 

While the context menu is _ONE_ alternative to the missing Manage option, the UI still assumes a certain level of privileges to show the rest of the services, which is expected as the privilege I shared is _NOT_ specific to SSH, so this is still an issue, even if it solves your requirement.

I can't speak to existing SSH sessions, but you could certainly set up things like idle timeouts to allow them to close sooner; I would have expected that if SSH was disabled, existing connections would be removed.

Console Shell is when you're in front of the computer and logging in; it has NO effect on SSH.

I'm also confused on why you're manually touching files ... it would be helpful to explain what you're trying to accomplish since I had responded to your initial request which was a specific role for a user to manage SSH enablement/disablement

StephenMoll
Expert

 


@lamw wrote:

PowerCLI command as mentioned _IS_ needed as there's no other way to assign custom role to a local user within the current interfaces ... 

Under "Manage", "Security and users" tab create custom role and user.

Right click "Host" in the navigator and select "Permissions".

Select "Add user". In the left drop-down select the custom user, in the right drop-down select the custom role and click "Add user"; badaboom-badabing, the custom role is assigned to the locally created user.

Or am I missing something?

 


@lamw wrote:

While the context menu is _ONE_ alternative to the missing Manage option, the UI still assumes a certain level of privileges to show the rest of the services, which is expected as the privilege I shared is _NOT_ specific to SSH, so this is still an issue, even if it solves your requirement.

Understood.

 


@lamw wrote:

I can't speak to existing SSH sessions, but you could certainly setup things like idle timeouts to allow them to close sooner but I would have expected that if SSH was disabled, that existing connections would be removed. 

Yes, we have that, so indeed not a big issue.

 


@lamw wrote:

Console Shell is when you're in front of the computer and logging in; it has NO effect on SSH.

Understood. This was more a comment on the other option available in the custom users "Services" context menu for the host. Not important, as the DCUI is not accessible on our systems.

 


@lamw wrote:

I'm also confused on why you're manually touching files ... it would be helpful to explain what you're trying to accomplish since I had responded to your initial request which was a specific role for a user to manage SSH enablement/disablement


Sorry this is a separate and follow on issue. 

Trying to set up a local account in ESXi that can via the API turn on the SSH service and then connect to it using things like plink and WinSCP.

This has been developed using the root account. It's now time to create a separate account for this functionality. The permissions are not just limited to SSH; there are others that will be needed to allow the level of interaction required.

 

 

lamw
Community Manager


@StephenMoll wrote:

 


@lamw wrote:

PowerCLI command as mentioned _IS_ needed as there's no other way to assign custom role to a local user within the current interfaces ... 

Under "Manage", "Security and users" tab create custom role and user.

Right click "Host" in the navigator and select "Permissions".

Select "Add user". In the left drop-down select the custom user, in the right drop-down select the custom role and click "Add user"; badaboom-badabing, the custom role is assigned to the locally created user.

Or am I missing something?


Dope! I didn't realize there were other options when you right click! That's really good to know.




Sorry this is a separate and follow on issue. 

Trying to set up a local account in ESXi that can via the API turn on the SSH service and then connect to it using things like plink and WinSCP.

This has been developed using the root account. It's now time to create a separate account for this functionality. The permissions are not just limited to SSH; there are others that will be needed to allow the level of interaction required.


OK, but it's still not clear to me what you're trying to do or what isn't supposedly working. I'd strongly recommend you create a new thread to not cause confusion with the original question (mark it answered/complete) and then clearly describe what you're trying to do. The user that you've assigned the custom role CAN use the API to enable/disable SSH, and if you need SSH login for the user, then it needs to be granted when you create the account; see https://williamlam.com/2023/01/applying-additional-security-hardening-enhancements-in-esxi-8-0.html
