That is what I was thinking as well, especially because the AD user is given admin rights on the host. I have tried it on another host and the ad user is working but that is with the permit root set to yes.

Hey Troy, Yes those are the steps that I performed to turn off root login through ssh but I am now trying to use the AD user that i setup with admin rghts on the host to be able to ssh into the host but it is denying me.

my bad... Didn't read the post correctly.

As Weinstein said, disabling root access should have no affect on other users. You should be able to connect as any user and then su to root

You can lockdown your ssh in different ways such as disable root ssh login and physical console root login as well. You can use sudo to do all the admin tasks and monitor users/commands being used. You can view xtravirt.com guide how to do sudo and I've attached a good Tripwire CheckConfig lockdown procedures you can almost benefit from it. It included steps how to lockdown your root ssh login.

If you found this information useful, please consider awarding points for "Correct" or "Helpful". Thanks!!!

Regards,

Stefan Nguyen

iGeek Systems Inc.

VMware, Citrix, Microsoft Consultant

Hello,

Moved to the Security and Compliance forum.

Setting PermitRootLogin to no in /etc/sshd/sshd_config is the first step and pretty much the only real step necessary, however there are at least 5-6 OTHER changes that can be made to aid in securing your system as defined by the CISecurity Linux Benchmark.

AD authentication enabling is unrelated to SSHD and depending on how you enabled AD authentication you may also need to add pam_access.so into your mix. CHeck out http://www.astroarch.com/wiki/index.php/Full_Integration_of_Active_Directory for more information on setting up PAM Access.

If you really want to lock down the Service Console you will want to look at the CISecurity ESX Benchmark or the DISA STIG mentioned within this forum.

Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.

CIO Virtualization Blog: http://www.cio.com/blog/index/topic/168354

As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization

When you created these accounts in VI client did you grant them shell access?

Have they got the same UID 0 as root? (If they have then they will not be allowed to login when root is blocked)

Did you setup PAM currectly?

I did the following from the service console:

#useradd -c 'Domain Administrator' <admin user> ....where <admin user> is the name without the domain prefix

#esxcfg-auth --enablead --addomain=my.domain.com --addc=dc.my.domain.com --enablekrb5 --krb5realm=my.domain.com --krb5kdc=dc.my.domain.com --krb5adminserver=dc.my.domain.com

This allows ad user login so that they can be tracked, this will keep the powers from above happy. Then just #su - to get root privileges.

Hello,

Also, do not add every users to 'Domain Administrators' as one user 'root' for example should not be part of AD just in case AD is dead, etc. Granted this depends on your level of AD integration. Those with UID 0 in full integration would require a bit of changes to allow. So we generally recommend that you never set any user to any id < 500. This way the appropriate protections are in place.

We always recommend using 'sudo' over 'su' as sudo logs all commands issued to a logfile that you can store remotely. This way admins leave an audit trail that is very useful when you do get audited.


Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.

CIO Virtualization Blog: http://www.cio.com/blog/index/topic/168354

As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization

I've attached a good Tripwire CheckConfig lockdown procedures you can almost benefit from it. If you found this information useful, please consider awarding points for "Correct" or "Helpful". Thanks!!!

I wish I could give you some points. I've been looking for that Tripwire pdf for days. Should have known you had a copy.

Jason

That is exactelly the reason as you see from my steps below i am adding the user as 0 which would be blocked. So now if I follow your directions as to adding the user as a domain administrator then would I still login though the vi client and add that user as an administrator?

Enabling Active Directory Integration

• 1- Run the following commands from the SC

esxcfg-auth --enablead --addomain=my.domain.com --addc=server.my.domain.com

2- Now it is time to add the AD users that will have root access so for me it is username. it is done with this syntax

*useradd -o -u 0 username*now add other admins at this point 3 login to the server you are building through Virtual Center as root

4 Click on the permissions tab at the top right

5 right clink to add permissions and then add the users that you created and give them administrator privs

Hello,

That is exactelly the reason as you see from my steps below i am adding the user as 0 which would be blocked. So now if I follow your directions as to adding the user as a domain administrator then would I still login though the vi client and add that user as an administrator?

While doable, multiple root accounts even if they are under different names are not recommended. Mainly if they get console access, they can still login.

Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.

CIO Virtualization Blog: http://www.cio.com/blog/index/topic/168354

As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization

ok excellent so I have it working now. I connected to our AD and added a user using teh following syntax \

useradd -o -u 550 username

and i can now connect to the host and su - in as root (I will work on getting SUDO to work). Now there is one issue I am having. I now can't use winscp is there a work arround that you know of?

Hey Edward I actually figured it out and used Fastscp. Thanks to you and everyone that helped on this.