VMware Cloud Community
vmHipp
Contributor

Login as root in ESX Server

Hi All

I installed ESX Server successfully on a blade. After the installation I want to login directly into the esx server using my root username and password. It tells me that the password is incorrect.

I've heard something about that you must first create a different user, log in as this user, then switch to a different user; only then can I log in as root.

Is this true, or is there a way to bypass this to directly login with root?

On the other ESX servers we use, we can log in as root without using a different user first. (I didn't set them up, I only took them over from someone else.)


Accepted Solutions
lamw
Community Manager

By default, direct root access over SSH is disabled. You either create a non-root account and use sudo or su to root, OR you enable root login via SSH.

Edit /etc/ssh/sshd_config, set the ‘PermitRootLogin’ option to ‘yes’, and restart SSHD (service sshd restart).

You can also log in directly from the console or through DRAC/iLO if you have that. It's recommended you use a non-root account and sudo in; this allows a way of tracking users and changes that might occur on a system.

8 Replies
vmHipp
Contributor

Hi lamw

Thanks for your answer and help. :D I got the same answer from a doc FAQ I found on the net, and it worked.

"It's recommended you use a non-root account and sudo in, this allows a way of tracking users and changes that might occur on a system." - So do you create a non-root account for each user that needs to log in, then they use their own non-root account and sudo in? Makes sense.

petedr
Virtuoso

On all of our hosts we keep it set to not let root login directly to the service console.

We created separate named accounts for any user who needs access, and those who require root will su - to switch to root after logging in with their account.

Using sudo is another step you could do as was suggested.

www.thevirtualheadline.com www.liquidwarelabs.com
Texiwill
Leadership

Hello,

You can also integrate with a directory service. Check out http://www.astroarch.com/wiki/index.php/Remote_Authentication for assistance on three methods, AD w/Winbind, AD w/Secure LDAP, and NIS.


Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.

CIO Virtualization Blog: http://www.cio.com/blog/index/topic/168354

As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
vmHipp
Contributor

Thanks All

azn2kew
Champion

To learn more about ESX security lockdown and configurations, your first step is to download the free tool from Tripwire CheckConfig and download the 50+ pages of solutions detailing how to implement them. It's very good for basic start-up security practices. For a more advanced solution, you should look at the DoD Security Readiness Reviews guide and script for hardening your environment.

1. Disable all root login from SSH remotely and, if possible, disable root login from the physical console as well.

2. Integrate AD authentication as mentioned with the "esxcfg-auth --enablead --addomain=test.domain.com --addc=dc01.domain.com" command, and then create your AD user account for access using "useradd adusername"; then using that account with your AD password should work fine.

3. Use "visudo" to edit the sudoers part with an "adusername ALL= (ALL) ALL" section, same as root.

Download the guide from xtravirt.com on how to use Sudo; nice doc as well.

If you found this information useful, please consider awarding points for "Correct" or "Helpful". Thanks!!!

Regards,

Stefan Nguyen

iGeek Systems Inc.

VMware, Citrix, Microsoft Consultant

If you found this information useful, please consider awarding points for "Correct" or "Helpful". Thanks!!! Regards, Stefan Nguyen VMware vExpert 2009 iGeek Systems Inc. VMware vExpert, VCP 3 & 4, VSP, VTSP, CCA, CCEA, CCNA, MCSA, EMCSE, EMCISA
petedr
Virtuoso

thanks for the helpful

www.thevirtualheadline.com www.liquidwarelabs.com
Texiwill
Leadership

Hello,

In general you do not want to allow your admins 'ALL= (ALL)' in /etc/sudoers. There are several reasons.

SUDO creates an audit log and there are several commands that will bypass the audit log. Specifically you will want to deny access to any and all shells, editors, and login commands such as su.

Editing of a file can be done using SUDO, but it is recommended that instead you copy the file to be edited, make the changes, and use something like SCCS, CVS, SVN, GIT, etc. to put in place some form of change control. Then update the file in the proper location. This gives you the best audit trail.


Best regards,

Edward L. Haletky

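
The point made in the post above about 'ALL= (ALL)' rules and about shells, editors and login commands can be checked mechanically. The script below is an added example, not code from the thread or from any poster; the function names `audit_sudoers` and `make_sample`, the command lists and the sample sudoers fragment are constructed for illustration, and alias definitions and Defaults lines are skipped rather than expanded.

```shell
#!/bin/sh
# Added example: list sudoers rules that let a user work outside the sudo log.
# Assumption: plain "user host = (runas) cmd, cmd" rules only; Defaults and
# *_Alias lines are skipped, not expanded. Reads a file argument or stdin.
audit_sudoers() {
    awk '
    /^[ \t]*(#|$)/ { next }                        # comments and blank lines
    /^[ \t]*(Defaults|[A-Za-z]+_Alias)/ { next }   # settings and alias definitions
    {
        who = $1
        spec = $0
        sub(/^[^=]*=[ \t]*/, "", spec)             # drop "user host ="
        sub(/^\([^)]*\)[ \t]*/, "", spec)          # drop "(runas)"
        gsub(/(NOPASSWD|PASSWD|NOEXEC|EXEC):[ \t]*/, "", spec)  # drop tags
        n = split(spec, cmds, /[ \t]*,[ \t]*/)
        for (i = 1; i <= n; i++) {
            if (cmds[i] ~ /^!/) continue           # a denial grants nothing
            split(cmds[i], w, /[ \t]+/)
            path = w[1]; base = path
            sub(/.*\//, "", base)                  # command name without directory
            if (path == "ALL")
                print NR ":" who ":unrestricted ALL"
            else if (base ~ /^(sh|bash|csh|tcsh|ksh|zsh)$/)
                print NR ":" who ":shell " path
            else if (base ~ /^(vi|vim|nano|emacs|ed)$/)
                print NR ":" who ":editor " path
            else if (base ~ /^(su|login)$/)
                print NR ":" who ":login command " path
        }
    }' "$@"
}

# Constructed sample input, not taken from any real host.
make_sample() {
    cat <<'EOF'
# constructed /etc/sudoers fragment
Defaults    logfile=/var/log/sudo.log
adusername  ALL= (ALL) ALL
opsuser     ALL=(root) /usr/sbin/esxcfg-nics -l, /bin/su -
webadmin    ALL=(root) NOPASSWD: /usr/bin/vi /etc/hosts
auditor     ALL=(root) /bin/cat /var/log/messages, !/bin/bash
EOF
}

make_sample | audit_sudoers
```

Each output line has the form `line:user:finding`; run the function against a copy of the sudoers file rather than the live one.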