Background: ESXi 4.1.u1 with Free Licenses
vCenter Client
I need to disable the ability for root to log in to the ESXi host from vCenter Client but don't want to disable root completely. I would still need to be able to log in with root at the console.
I have my ESXi hosts joined to Windows AD and have the ESX Admins group configured and working.
If disabling root access from vCenter isn't an option with my version and licenses of ESXi, how do I limit root login to a specific or range of IP addresses?
TIA
Hello.
The only way I can think of to accomplish this is to place the management interface on a dedicated management network and only allow very specific traffic to it. VMware KB 1012382 has the port information.
Good Luck!
This should give you a hand with this - http://www.vm-help.com/esx41/root_permissions_for_autostart.php.
Dave
VMware Communities User Moderator
Short of limiting the role of the root account, I read somewhere you can use the PAM modules to restrict which IP addresses root can log in from.
As I'm going by memory (home for the day), please forgive me. I recall seeing a file in /etc/security that had a list of the local user accounts with a format of something like this:
+:root:ALL
What is this for and can it be used to limit how root can log in?
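Added example, not part of the thread: the quoted line has the permission:users:origins layout used by pam_access's access.conf, and this sketch evaluates rules in that layout with first-match-wins semantics. Assumptions: the file recalled above is access.conf, the rules and addresses are constructed, EXCEPT, groups and hostnames are left out, and whether ESXi 4.1 applies this file to vSphere Client logins is not established here.

```python
import ipaddress

# Constructed rules in the permission:users:origins layout of the line quoted
# above. Assumption: the file is pam_access's access.conf. First match wins.
SAMPLE_RULES = """\
# root may log in locally (console) and from one management subnet only
+:root:LOCAL 192.0.2.0/28
-:root:ALL
+:ALL:ALL
"""

def parse_rules(text):
    """Return [(allow, users, origins)] from access.conf-style text."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if perm not in ("+", "-"):
            raise ValueError(f"bad permission field: {raw!r}")
        rules.append((perm == "+", users.split(), origins.split()))
    return rules

def origin_matches(pattern, origin):
    """origin is a tty name for console logins or a remote IP address string."""
    try:
        addr = ipaddress.ip_address(origin)
    except ValueError:
        addr = None  # not an IP: treated here as a local tty (simplification)
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":
        return addr is None
    if addr is None:
        return pattern == origin
    try:
        return addr in ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return False  # pattern is a tty or host name, not a network

def is_allowed(rules, user, origin):
    for allow, users, origins in rules:
        if ("ALL" in users or user in users) and any(
            origin_matches(p, origin) for p in origins
        ):
            return allow
    return True  # pam_access grants access when no rule matches
```

With only `+:root:ALL` in the file, root is accepted from every origin, so a restriction needs a narrower allow rule followed by a `-:root:ALL` deny.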