In doing some research about ESXi Lockdown Mode -- since the Security folks like the sound of it -- I've located a lot of bad information. I'm curious if anyone from VMware would care to chime in and clarify since the manuals I've seen don't really tell me anything except how to enable it.
First of all, what is VMware's goal for Lockdown Mode?
From the ESXi Installable and vCenter Server Setup Guide, page 36:
"Lockdown mode prevents remote personnel from logging in to the ESXi host by using the root login name."
Great, so that means that nobody can get into the box remotely as root. This is a good security practice since that god-level account is generic and we like auditability. If we're managing everything with vCenter, and don't create any other local accounts on the ESXi host, we should be golden -- no little roots running around and messing with the configs outside of the purview of vCenter.
What happens when I've got some weird problems with vCenter and need to login directly to the host? One obvious solution is that I can hit the host's 'real' console (Physical Monitor, KVM, DRAC, iLO, etc.), login as root there, disable Lockdown Mode, and then login to the host using the vSphere Client. Of course, that violates my "no root logins" policy and upsets the security folks.
So, what permissions do I need to give to a (non-root) local user to enable that user to login with the vSphere client while Lockdown mode is enabled?
If I cannot login remotely using the root login name, it can be implied from the above quote that I can login remotely using a different name, right? Time for another quote from the same section:
"If you enable lockdown mode and do not configure other local host user accounts to have standalone host access through the vSphere Client,
the root user does not have access through the vSphere API and CLI."
Hmmm... so, what if I enable lockdown mode and DO configure other local host user accounts? Aside from the logic nightmare implied by that sentence, I am not so crazy.
Unfortunately, each of my attempts there have been unsuccessful -- making the local user a member of the 'localadmins' group allows my new user to login to the actual yellow-and-black console screen, but I still cannot use the vSphere Client while Lockdown Mode is enabled -- without following the same procedure as the root user would (login wia the console, disable Lockdown, login w/ client). That, at least, enables me to do what I need without sharing the actual root password, so it is a little better.
The last quote can be interpreted as vague at best:
"When lockdown mode is enabled, you can create a user with administrator privileges to connect to a standalone host."
Technically, with Lockdown Mode enabled, I can't do anything, since I can't get into the box with the vSphere Client. However, assuming that the intent of this sentence was that I can create another local account to handle "root-type stuff", What permissions does that user need to be granted?
If the goal of lockdown mode is to prevent direct remote connections to the ESXi host using the vCLI/PowerCLI/vSphere Client, it seems to work great. Unfortunately, the documentation does not lead me to believe that, and I would prefer to disable remote root access yet maintain the ability to remotely administer my hosts via the various remote interfaces.