Hi All
I installed ESX Server successfully on a blade. After the installation I want to login directly into the esx server using my root username and password. It tells me that the password is incorrect.
I've heard that you must first create a different user, log in as this user, then switch to a different user, and only then can I log in as root.
Is this true, or is there a way to bypass this to directly login with root?
On the other esx servers we use, we can login as root without using a different user first. (I didn't set it up, I only took them over from someone else)
By default direct root access over SSH is disabled. You either create a non-root account and use sudo or su to root, OR you enable root login via SSH.
Edit /etc/ssh/sshd_config, set the ‘PermitRootLogin’ option to ‘yes’ and restart SSHD (service sshd restart)
You can also login directly from the console or through DRAC/iLO if you have that. It's recommended you use a non-root account and sudo in, this allows a way of tracking users and changes that might occur on a system.
Hi lamw
Thanks for your answer and help. :D I got the same answer from a doc FAQ I found on the net, and it worked.
"It's recommended you use a non-root account and sudo in, this allows a way of tracking users and changes that might occur on a system. " - So do you create a non-root account for each user that needs to login, then they use their own non-root account and sudo in? Makes sense.
On all of our hosts we keep it set to not let root login directly to the service console.
We created separate named accounts for any user who needs access, and those who require root will su - to switch to root after logging in with their account.
Using sudo is another step you could do as was suggested.
Hello,
You can also integrate with a directory service. Check out http://www.astroarch.com/wiki/index.php/Remote_Authentication for assistance on three methods, AD w/Winbind, AD w/Secure LDAP, and NIS.
Best regards,
Edward L. Haletky
VMware Communities User Moderator
====
Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.
CIO Virtualization Blog: http://www.cio.com/blog/index/topic/168354
As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization
Thanks All
To learn more about ESX security lockdown and configurations, your first step is to download the free tool from Tripwire, CheckConfig, and download the 50+ pages of solutions detailing how to implement them. It's very good for basic start-up security practices. For a more advanced solution, you should look at the DoD Security Readiness Reviews guide and script for hardening your environment.
1. Disable all remote root login over ssh and, if possible, disable root login from the physical console as well.
2. Integrate AD authentication as mentioned with the "esxcfg-auth --enablead --addomain=test.domain.com --addc=dc01.domain.com" command, then create your AD user account for access using "useradd adusername"; then using that account with your AD password should work fine.
3. Use "visudo" to edit the sudoers part with an "adusername ALL= (ALL) ALL" section, same as root.
Download the guide from xtravirt.com on how to use sudo; it's a nice doc as well.
If you found this information useful, please consider awarding points for "Correct" or "Helpful". Thanks!!!
Regards,
Stefan Nguyen
iGeek Systems Inc.
VMware, Citrix, Microsoft Consultant
thanks for the helpful
Hello,
In general you do not want to allow your admins 'ALL= (ALL)' in /etc/sudoers. There are several reasons.
SUDO creates an audit log and there are several commands that will bypass the audit log. Specifically you will want to deny access to any and all shells, editors, and login commands such as su.
Editing of a file can be done using SUDO, but it is recommended that instead you copy the file to be edited, make the changes, and use something like SCCS, CVS, SVN, GIT, etc. to put in place some form of change control. Then update the file in the proper location. This gives you the best audit trail.
Best regards,
Edward L. Haletky
VMware Communities User Moderator
====
Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.
CIO Virtualization Blog: http://www.cio.com/blog/index/topic/168354
As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization
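The two settings discussed in this thread (PermitRootLogin in /etc/ssh/sshd_config, and sudoers grants of ALL, shells, editors or su) can be checked mechanically. The following Python check is an added example, not code from any poster or from VMware; the group name, the sample file contents and the RISKY list are constructed for illustration.

```python
import re

# Commands that hand out an interactive root session and so escape sudo's
# per-command log: shells, editors, and login commands such as su.
# The exact list is an assumption for this example; extend it per host.
RISKY = {"sh", "bash", "csh", "tcsh", "ksh", "vi", "vim", "nano", "emacs", "su", "login"}

# Fields: user or %group, host list, optional (runas), command list
SPEC = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.+)$")

def permit_root_login(sshd_config):
    """Return the effective PermitRootLogin value, or None if it is not set.
    sshd uses the first value it obtains for a keyword."""
    for raw in sshd_config.splitlines():
        parts = re.split(r"[\s=]+", raw.split("#", 1)[0].strip(), maxsplit=1)
        if len(parts) == 2 and parts[0].lower() == "permitrootlogin":
            return parts[1].strip().lower()
    return None

def audit_sudoers(sudoers):
    """Return (who, command) pairs that grant ALL or a RISKY command.
    Aliases and line continuations are not expanded."""
    findings = []
    for raw in sudoers.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "Defaults")) or line.split()[0].endswith("_Alias"):
            continue
        m = SPEC.match(line)
        for cmd in (m.group(2).split(",") if m else []):
            cmd = re.sub(r"^(?:[A-Z]+:\s*)+", "", cmd.strip())  # drop tags (NOPASSWD:)
            if not cmd or cmd.startswith("!"):
                continue  # negated entries deny rather than grant
            name = cmd.split()[0].rsplit("/", 1)[-1]
            if name in RISKY or cmd == "ALL":
                findings.append((m.group(1), name))
    return findings

# Constructed sample input, not taken from a real host.
SSHD = "Protocol 2\n#PermitRootLogin no\nPermitRootLogin yes\n"
SUDOERS = """\
adusername ALL= (ALL) ALL
%esxadmins ALL=(root) /usr/sbin/esxcfg-nics, NOPASSWD: /bin/vi /etc/hosts, /bin/su -
"""

if __name__ == "__main__":
    print("PermitRootLogin:", permit_root_login(SSHD))
    for who, cmd in audit_sudoers(SUDOERS):
        print("review:", who, "->", cmd)
```

A None result from permit_root_login means the keyword is absent and the daemon's built-in default applies, so check that default for the installed sshd version.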