VMware Cloud Community
Cannoli
Contributor

How to disable or limit root login to ESXi host via vCenter Client?

Background: ESXi 4.1.u1 with Free Licenses

vCenter Client

I need to disable the ability for root to log in to the ESXi host from vCenter Client but don't want to disable root completely. I would still need to be able to log in with root at the console.

I have my ESXi hosts joined to Windows AD and have the ESX Admins group configured and working.

If disabling root access from vCenter isn't an option with my version and licenses of ESXi, how do I limit root login to a specific IP address or range of IP addresses?

TIA

0 Kudos
3 Replies
vmroyale
Immortal

Hello.

The only way I can think of to accomplish this is to place the management interface on a dedicated management network and only allow very specific traffic to it. VMware KB 1012382 has the port information.

Good Luck!

Brian Atkinson | vExpert | VMTN Moderator | Author of "VCP5-DCV VMware Certified Professional-Data Center Virtualization on vSphere 5.5 Study Guide: VCP-550" | @vmroyale | http://vmroyale.com
0 Kudos
Dave_Mishchenko
Immortal

This should give you a hand with this - http://www.vm-help.com/esx41/root_permissions_for_autostart.php.

Dave
VMware Communities User Moderator

0 Kudos
Cannoli
Contributor

Short of limiting the role of the root account, I read somewhere you can use the PAM modules to restrict which IP addresses root can log in from.

As I'm going by memory (home for the day), please forgive me. I recall seeing a file in /etc/security that had a list of the local user accounts with a format of something like this:

+:root:ALL

What is this for and can it be used to limit how root can log in?

0 Kudos
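
The `+:root:ALL` line quoted in the post above has the `permission:users:origins` layout of a pam_access `access.conf` rule. As an added example (not written by anyone in this thread and not VMware's code), this simplified Python model evaluates such rules first-match-wins to show what that line permits and what a narrower rule would do. The restricted rule set, the 192.0.2.0/24 subnet and all function names are constructed, and whether ESXi 4.1 applies this file to vSphere Client logins is an assumption the thread does not confirm.

```python
import ipaddress

# Constructed rule sets in access.conf layout: permission:users:origins
OPEN_RULES = """\
+:root:ALL
"""
# Hypothetical restricted set: root only from the console or a management subnet.
RESTRICTED_RULES = """\
# constructed example; 192.0.2.0/24 is a documentation range
+:root:LOCAL 192.0.2.0/24
-:root:ALL
"""

def parse_rules(text):
    """Return a list of (allow, users, origins) from access.conf-style text."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if perm not in ("+", "-"):
            raise ValueError(f"bad permission field in {raw!r}")
        rules.append((perm == "+", users.split(), origins.split()))
    return rules

def origin_matches(token, origin):
    """origin is a tty name (console login) or an IPv4 address string."""
    if token == "ALL":
        return True
    if token == "LOCAL":
        return "." not in origin  # pam_access treats dot-free origins as local
    try:
        net = ipaddress.ip_network(token, strict=False)
        return ipaddress.ip_address(origin) in net
    except ValueError:
        return token == origin  # tty name or other literal

def access_allowed(rules, user, origin):
    """First matching rule decides; with no match this model grants access,
    as pam_access does."""
    for allow, users, origins in rules:
        user_hit = "ALL" in users or user in users
        if user_hit and any(origin_matches(t, origin) for t in origins):
            return allow
    return True
```

The model covers only `ALL`, `LOCAL`, literal names and IPv4 addresses or networks; `EXCEPT`, group syntax and hostname lookups are left out.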