VMware Cloud Community
esxi1979
Expert

Hardening ESXi login

1. ESXi 5.5 does not support sudoers

===
2. local user groups and associated group specific methods are not supported from vSphere 5.1 or later.


I did look at:

Need powercli script to create a new local admin account on all ESX and ESXi hosts in the vcenter


Also looked at a note from LucD:


I did some further reading in the documentation and I found this under the AssignUserToGroup method:

"Deprecated. As of vSphere API 5.1, local user groups are not supported and group specific methods will throw NotSupported."

So it looks like PowerCLI is correct and what you are seeing is a new feature of vSphere 5.1

===

With the above two things, I think the only way is to create a custom role in vCenter and assign an AD account to that role.

But then local SSH to an individual host still remains a question.

I tried: only with the Admin role (which you cannot edit on the local host) does the user get SSH.

Anything I am missing here?

Craig_Baltzer
Expert

There are no local groups on an ESXi 5.x/6.x host, the only "local" thing you can create is a user. If you're doing local user creation via PowerCLI then groups don't buy you anything (i.e. just have PowerCLI assign each user the desired role)

We create custom roles on ESXi servers via PowerCLI and use AD groups to grant users access via those roles.

What do you want the customer login to be able to do on ESXi?

esxi1979
Expert

[screenshot: pastedImage_0.png]

esxi1979
Expert

It does not allow me to add a custom role locally. Am I missing something?

Craig_Baltzer
Expert

You're missing something :) You can't just "make up" a permission set when assigning permissions, you need to define a role first.

  1. Use the VI Client and connect directly to the ESXi host (NOT vCenter)
  2. Click on Home. You should get to something that looks like this: [screenshot: pastedImage_2.png]
  3. Click on Roles
  4. Click Add Role
  5. Create the new role with the desired permissions [screenshot: pastedImage_4.png]
  6. Save the role, then go back to Permissions and use the role [screenshot: pastedImage_6.png]


Craig_Baltzer
Expert

Forgot to mention that you can do all of this with PowerCLI as well:

  • New-VIRole along with Get-VIPrivilege to create the role
  • New-VIPermission to assign the permission to a user/AD user/AD group and ESXi entity

The names to pass to Get-VIPrivilege aren't always the most obvious, so I often set the privs in the GUI, then use PowerCLI to dump out the privs that I've set.

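The PowerCLI route Craig describes, as an added example (not code from this thread or from VMware): it creates a custom role on a host from a list of privilege IDs, grants it to an AD group, and dumps the privilege IDs of an existing role so a GUI-built role can be reproduced by script. The host name, role name, AD group and the non-System.* privilege are placeholders, and the host is assumed to be joined to AD.

```powershell
# Added example, not from the thread. Script a custom ESXi-local role and its
# permission with New-VIRole / Get-VIPrivilege / New-VIPermission, then dump
# an existing role's privilege IDs. All names below are placeholders.
param(
    [string]$VMHost    = 'esxi01.example.internal',   # placeholder ESXi host
    [string]$RoleName  = 'OpsReadOnly',               # placeholder role name
    [string]$Principal = 'EXAMPLE\esxi-ops'           # placeholder AD group (host must be AD-joined)
)

# Connect directly to the ESXi host, not vCenter: host-local roles live on the host.
$srv = Connect-VIServer -Server $VMHost -Credential (Get-Credential)

# Privilege IDs (dotted form) are stable across locales; display names are not.
# System.* is the baseline every role needs; Global.Diagnostics is a placeholder to adjust.
$privilegeIds = @('System.Anonymous', 'System.View', 'System.Read', 'Global.Diagnostics')

# Resolve every ID first so a typo fails here instead of producing a half-built role.
$privs = foreach ($id in $privilegeIds) {
    $p = Get-VIPrivilege -Id $id -Server $srv -ErrorAction SilentlyContinue
    if (-not $p) { throw "Unknown privilege id '$id' on $VMHost" }
    $p
}

# Create the role only if it is not already there, so re-runs are idempotent.
$role = Get-VIRole -Name $RoleName -Server $srv -ErrorAction SilentlyContinue
if (-not $role) {
    $role = New-VIRole -Name $RoleName -Privilege $privs -Server $srv
}

# Grant the role to the AD group at the host's root folder, propagating downward.
$root = Get-Folder -NoRecursion -Server $srv
New-VIPermission -Entity $root -Principal $Principal -Role $role -Propagate:$true -Server $srv

# Dump the privilege IDs of an existing role (here the built-in Read-Only role),
# which is the "set it in the GUI, then dump it" workflow from the post above.
Get-VIPrivilege -Role (Get-VIRole -Name 'Read-Only' -Server $srv) -Server $srv |
    Select-Object -ExpandProperty Id | Sort-Object

Disconnect-VIServer -Server $srv -Confirm:$false
```

Run it against a non-production host first and compare the dumped IDs with what the VI Client shows for the role, since the ID list is what you will commit to version control.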