Hi all,
I have a question on using SSH keys to authenticate with ESXi. I've done the necessary to allow my SSH client to connect to a host without having to enter a username and password.
I've read that when using keys, you can SSH to a host even when lockdown mode is enabled on the host; however, this doesn't work in my lab. I get a "host refused connection" error. When lockdown mode is disabled, it works fine.
Has anyone else seen this behaviour? Should SSH work when using key authentication when the host has lockdown mode enabled?
Thanks in advance!
Yes, you should be able to log in using key authentication even when lockdown is enabled, reference
So why doesn't it work for you ... that is the question...
Doing a debug of the SSH session: before I enable lockdown mode it looks like this, as it successfully establishes a session:
debug1: Server accepts key: pkalg ssh-dss blen 435
debug1: read PEM private key done: type DSA
debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
The time and date of this login have been sent to the system logs.
But, with lockdown mode enabled, it gets to this stage before the host closes the connection:
debug1: Server accepts key: pkalg ssh-dss blen 435
debug1: read PEM private key done: type DSA
Connection closed by 192.168.0.2
Hmmm, what procedure did you follow? Are you using the root user or an alternate user?
I'm attempting to make the connection using 'ssh -l root 192.168.0.2'
I've also tried it from a Windows VM using PuTTY, which results in the same behavior: it works fine until lockdown mode is enabled.
Did you change anything in the sshd_config file by any chance?
No, I haven't touched the config file. I should say this is ESXi 5.1, by the way.
Sorry, I was away ... The only thing I can think of now is maybe permission errors on the keys, but then it should also fail when not in lockdown mode. Did you run ssh -vvv root@192...? Anything in your logs (local station)?
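As an added example (not part of the original thread or of any VMware tooling), here is a small POSIX shell helper for the kind of triage the thread is doing with ssh -vvv: it reads the client's debug output and reports which stage the session reached, so "key accepted but connection closed before authentication completed" (the lockdown-mode pattern quoted above) is distinguished from "key rejected" or "authenticated". The sample transcripts are constructed from the lines quoted in the thread; the function name probe_ssh_host and its arguments are assumptions.

```shell
#!/bin/sh
# Added example: classify where an `ssh -vvv` session stops.
# Reads OpenSSH client debug output on stdin (ssh writes it to stderr,
# so redirect with 2>&1) and prints one of:
#   authenticated            - "Authentication succeeded" seen
#   key_accepted_then_closed - server accepted the key, then dropped the
#                              connection before auth completed (the
#                              symptom reported with lockdown mode on)
#   auth_failed              - "Permission denied" (key not accepted)
#   closed_before_key        - connection closed before any key was accepted
#   unknown                  - none of the markers seen (e.g. empty input)
classify_ssh_debug() {
    awk '
        /Server accepts key/        { accepted = 1 }
        /Authentication succeeded/  { success = 1 }
        /Connection closed by/      { closed = 1 }
        /Permission denied/         { denied = 1 }
        END {
            if (success)                 print "authenticated"
            else if (accepted && closed) print "key_accepted_then_closed"
            else if (denied)             print "auth_failed"
            else if (closed)             print "closed_before_key"
            else                         print "unknown"
        }'
}

# Map a classification to a short diagnostic hint.
explain_ssh_stage() {
    case "$1" in
        authenticated)            echo "Key auth completed; session established." ;;
        key_accepted_then_closed) echo "Server accepted the key but closed the session before auth completed: look at server-side policy (e.g. lockdown mode / account restrictions), not client key files or permissions." ;;
        auth_failed)              echo "Server rejected the offered keys: check authorized_keys on the host and key file permissions on the client." ;;
        closed_before_key)        echo "Connection dropped before any key was offered or accepted: check sshd availability, firewall, or banner/ kex problems." ;;
        *)                        echo "No recognisable OpenSSH debug markers in input." ;;
    esac
}

# Hypothetical wrapper (assumed name): run a non-interactive probe against a
# real host and classify the result. BatchMode=yes prevents password prompts
# so a failure shows up as a debug trace instead of a hang.
probe_ssh_host() {
    host="$1"; user="${2:-root}"
    ssh -vvv -o BatchMode=yes -o ConnectTimeout=5 -l "$user" "$host" exit 2>&1 \
        | classify_ssh_debug
}

# Constructed sample transcripts, taken from the debug lines quoted in the thread.
SAMPLE_NO_LOCKDOWN='debug1: Server accepts key: pkalg ssh-dss blen 435
debug1: read PEM private key done: type DSA
debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.'

SAMPLE_LOCKDOWN='debug1: Server accepts key: pkalg ssh-dss blen 435
debug1: read PEM private key done: type DSA
Connection closed by 192.168.0.2'

# Constructed: what a rejected key looks like, for contrast.
SAMPLE_BAD_KEY='debug1: Offering public key: /home/user/.ssh/id_rsa
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: No more authentication methods to try.
Permission denied (publickey,keyboard-interactive).'

# Stand-alone demonstration on the constructed samples.
for name in SAMPLE_NO_LOCKDOWN SAMPLE_LOCKDOWN SAMPLE_BAD_KEY; do
    eval "sample=\$$name"
    stage=$(printf '%s\n' "$sample" | classify_ssh_debug)
    printf '%s: %s\n  %s\n' "$name" "$stage" "$(explain_ssh_stage "$stage")"
done
```

Against a live host you would run probe_ssh_host 192.168.0.2 root with lockdown mode on and off and compare the two classifications; the point is that "Server accepts key" followed by "Connection closed by" means the public key itself was fine and the rejection happened on the server after key acceptance.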