How to create a root keypair files for dropbear, SSH and PuTTY inside an ESXi Server

First of all, I discovered that the minimum key size for SSH and dropbear keys is 768 BITS! Keep this in mind at all times. Creating the root keys is simpler than creating SSH keys for other, non-root users; the latter task tends to be tedious but not impossible. I am going to explain the simpler way (root SSH keys); if you need advice on creating non-root SSH keys inside an ESXi box, come back to me.

Prerequisites:

  • You must have enabled the SSH server in order to log in to the ESXi box. (Look in this community forum for a detailed explanation.)

  • You must have set a root password anyway, for security reasons.

  • Do not enable lockdown mode; otherwise you can only log in via the DCUI.

  • If you need tighter restrictions, append -g to the end of the ssh line, which allows root to log in only with the identity file and no longer interactively!

Security advice:

Keep your keys, especially the private one, secure by placing them inside an encrypted filesystem or by limiting access with chmod 600 for user root.

Steps:

  1. Log in as root to a freshly booted ESXi box.

  2. Create a hidden directory called /.ssh with mkdir /.ssh

  3. Create the RSA dropbear key by executing /bin/dropbearkey -t rsa -f id_rsa -s 768 > id_rsa.pub

  4. Create the DSA dropbear key by executing /bin/dropbearkey -t dss -f id_dsa -s 1024 > id_dsa.pub

  5. Open the /.ssh/id_rsa.pub and /.ssh/id_dsa.pub files and delete the first and last line with your favorite editor.
    NOTE: Do not change anything else; only the one line beginning with ssh-rsa or ssh-dss must remain.

  6. Make a copy of your RSA private dropbear key by executing cp id_rsa id_rsa.db

  7. Make a copy of your DSA private dropbear key by executing cp id_dsa id_dsa.db

  8. Now convert the RSA dropbear key to SSH format by executing /bin/dropbearconvert dropbear openssh id_rsa id_rsa.ssh

  9. Now convert the DSA dropbear key to SSH format by executing /bin/dropbearconvert dropbear openssh id_dsa id_dsa.ssh
    NOTE: These are your private SSH keys; the public keys remain the same. In other Linux/Windows environments copy
    id_rsa.ssh to id_rsa and id_dsa.ssh to id_dsa, and you can use the same RSA/DSA keys everywhere :-)

  10. Copy the RSA public key to authorized_keys with cat id_rsa.pub > authorized_keys

  11. Append the DSA public key to authorized_keys with cat id_dsa.pub >> authorized_keys
    NOTE: Check that ALL private keys have chmod 600; otherwise every SSH server refuses to use them, because any other mode is INSECURE!

  12. If you plan to use PuTTY, as I always do, copy id_rsa.pub and id_rsa.ssh to a PuTTY environment, rename id_rsa.ssh to id_rsa and use puttygen to create an id_rsa.ppk (PuTTY Private Key) file.

  13. You can also copy id_dsa.pub and id_dsa.ssh to the same place and create an id_dsa.ppk file.

  14. Copy the newly created id_rsa.ppk and id_dsa.ppk keys to your ESXi box under /.ssh,
    in case you need them elsewhere and forget how to build them again.

  15. Now put all the /.ssh stuff inside the oem.tgz

  16. Reboot, then from another machine fetch the messages file out of the ESXi box with scp -i id_rsa root@<esxi-ip>:/var/log/messages .
    NOTE: If everything went fine you will never be asked for the root password and can now execute batch commands via cron.
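Steps 2 to 11 above as one POSIX shell script, added here as an example; it is not code from the original post. It assumes the same paths and key sizes the post uses (/bin/dropbearkey, /bin/dropbearconvert, a key directory of /.ssh, 768-bit RSA and 1024-bit DSA). Two helpers can be exercised on any machine without dropbear: extract_pubkey_line generalises step 5 by keeping only the line that starts with the key type instead of deleting the first and last line by position, and private_key_mode_ok implements the step 11 NOTE by checking that a private key is exactly mode 600. The sample dropbearkey output in the comments is constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Automates steps 2-11 of the
# procedure above. Assumptions: dropbear tools live in /bin as on the ESXi box
# described; KEYDIR defaults to /.ssh; key sizes are the ones the post uses.

KEYDIR="${KEYDIR:-/.ssh}"

# Step 5, generalised: dropbearkey surrounds the public key with other lines,
# e.g. (constructed sample)
#   Public key portion is:
#   ssh-rsa AAAA... root@esxi
#   Fingerprint: md5 ...
# Keep only the line that begins with the key type, whatever else is printed.
extract_pubkey_line() {
    grep -E '^ssh-(rsa|dss) '
}

# Step 11 NOTE: a private key must be mode 600 (rw-------) or it is refused.
# Returns 0 when the file is a regular file with exactly those permission bits.
# ls -ld is used instead of stat -c so it also works on busybox and BSD ls.
private_key_mode_ok() {
    perms=$(ls -ld "$1" | cut -c1-10)
    [ "$perms" = "-rw-------" ]
}

# Steps 2-11 end to end; run this only on the ESXi box, as root.
generate_root_keys() {
    umask 077                                  # new files start out as 600, dirs as 700
    mkdir -p "$KEYDIR" && cd "$KEYDIR" || return 1

    /bin/dropbearkey -t rsa -f id_rsa -s 768  | extract_pubkey_line > id_rsa.pub  # steps 3+5
    /bin/dropbearkey -t dss -f id_dsa -s 1024 | extract_pubkey_line > id_dsa.pub  # steps 4+5

    cp id_rsa id_rsa.db && cp id_dsa id_dsa.db                                    # steps 6-7
    /bin/dropbearconvert dropbear openssh id_rsa id_rsa.ssh                        # step 8
    /bin/dropbearconvert dropbear openssh id_dsa id_dsa.ssh                        # step 9

    cat id_rsa.pub id_dsa.pub > authorized_keys                                    # steps 10-11
    chmod 600 id_rsa id_rsa.db id_rsa.ssh id_dsa id_dsa.db id_dsa.ssh

    # Verify the step 11 NOTE for every private key copy before reporting success.
    for k in id_rsa id_rsa.db id_rsa.ssh id_dsa id_dsa.db id_dsa.ssh; do
        if ! private_key_mode_ok "$k"; then
            echo "bad permissions on $KEYDIR/$k" >&2
            return 1
        fi
    done
}
```

Sourcing the file and calling generate_root_keys on the box leaves /.ssh populated exactly as steps 2 to 11 describe; the umask means no key is ever world-readable, even briefly, rather than being tightened afterwards.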

If you now ask what the difference between an RSA and a DSA key is and which is better to use, here is the answer:

It has been accepted knowledge for several years now that, in relation to performance only, DSA is faster for key generation and signing and RSA is faster for verification.

So use RSA for copying, because verification is faster, and DSA for SSL web server applications, because key creation and signing are faster.

Comments

where should I start... lets see, how about security...

"Security advice:

Keep your keys especially the private one secure by placing it inside encrypted filesystems or limit the usage by chmod 600 for user root."

- and yet you COPY the root@ESXhost user's key to a Windows system? Every user@host should generate their own key pair and you ONLY copy the pub part to the ESX .ssh/authorized_keys file. The server should not ever have your client's private part of the key! Having multiple copies of the private part is just plain wrong and against your warning... "do as I say not as I do" or what?

- PuTTY has its own keygen, use it.

- RE: DSA vs RSA - it's less about speed, since on any 1 GHz+ system either is done in a blink, and more about security, but even that seems to be right along the lines of vi vs emacs.

steps 15 and 16 are good info though.

Does somebody have instructions for ESXi 4.0?

15. Now put all the /.ssh stuff inside the oem.tgz

does someone have detailed steps how to put the stuff inside?

I tried this:

mkdir /tmp/oem/

tar xzf /bootbank/oem.tgz -C /tmp/oem/

cp -r /.ssh/ /tmp/oem/

cd /tmp/oem

tar czf /bootbank/oem.tgz *

But my tar doesn't include the hidden .ssh directory.

with "." instead of "*" my paths in the oem.tgz are different: "./usr/..." instead of just "usr/..."

thanks

jurgen

Hi js-hacki,

just execute tar -cvzf /bootbank/oem.tgz * .ssh

and enjoy the freedom to log in without a password :-)

bye

gio

Hi gio

thx for your fast response.

I was afraid of overwriting the existing oem.tgz.

there are many files inside the package and with your command

they're all deleted. Aren't these files important?

bye

Hi juergen,

please do not erase the content of oem.tgz, just append the .ssh directory to it.

Executing the tar command in my example, you will append the content of .ssh.

Regards

Gio

Hi.

Within the ESXi 4 SSH shell the tar command does not seem to know the append option.

Here is how it worked for me:

cd /

mkdir test

cp -r .ssh /test

cp /bootbank/oem.tgz /test

cd test

tar -xzvf oem.tgz

rm oem.tgz

tar -czvf oem.tgz '.ssh' 'etc' 'lib' 'sbin' 'usr' 'var' pkgdb.tgz

mv oem.tgz /bootbank

cd ..

rm -r test

It might be that your oem.tgz contains other files/folders. Then you have to adjust the tar creation command to your needs.

Regards

continue2

Why mess with oem.tgz?  All you need to do is add a new tgz file to /bootbank such as:

vi /bootbank/boot.cfg
Add '--- root_ssh.tgz' to end of the modules= line

Create the tgz file:

tar -C / -czf "/bootbank/root_ssh.tgz" /.ssh
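The thread above runs into two things at once: a shell glob of * never matches a dot-name such as .ssh, so the rebuilt archive silently loses it, and archiving "." instead gives every entry a "./" prefix that the original oem.tgz does not have. The following POSIX shell function, added here as an example and not posted by any of the commenters, rebuilds an existing tgz with a hidden directory added while keeping the existing files and the original entry layout. It assumes a tar that understands -czf/-xzf/-tzf (busybox tar does) and takes the archive and directory paths as arguments; the file names in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the original post or any reply. Appends a hidden
# directory (e.g. /.ssh) to an existing tgz such as /bootbank/oem.tgz without
# losing the files already in it and without a "./" prefix on entry names.
# Assumptions: POSIX sh, a tar with -c/-x/-t/-z/-f/-C; paths are arguments.

# Return 0 if ARCHIVE lists exactly the entry name given as the second argument.
tgz_has_entry() {
    tar -tzf "$1" | grep -qx "$2"
}

# add_dir_to_tgz ARCHIVE DIR
# Unpacks ARCHIVE into a scratch directory, copies DIR next to the unpacked
# files under its own basename (so /.ssh becomes .ssh), and re-creates ARCHIVE
# from an explicit list of top-level names. The glob "*" skips dot-names, which
# is why "tar czf oem.tgz *" drops .ssh; the patterns .[!.]* and ..?* add the
# hidden names back without matching "." or "..", and no "./" prefix appears.
add_dir_to_tgz() {
    archive=$1
    dir=$2
    case $archive in
        /*) ;;
        *) archive=$PWD/$archive ;;      # make it absolute before we cd away
    esac
    work=$(mktemp -d) || return 1

    tar -xzf "$archive" -C "$work" || { rm -rf "$work"; return 1; }
    cp -R "$dir" "$work/"             || { rm -rf "$work"; return 1; }

    (
        cd "$work" || exit 1
        set --                            # build the entry list in $@
        for e in .[!.]* ..?* *; do
            if [ -e "$e" ]; then set -- "$@" "$e"; fi   # skip unmatched patterns
        done
        tar -czf "$archive.tmp" "$@"
    ) || { rm -rf "$work"; return 1; }

    mv "$archive.tmp" "$archive"          # replace the archive only after success
    rm -rf "$work"
}
```

On the box this would be called as add_dir_to_tgz /bootbank/oem.tgz /.ssh; a quick tar -tzf /bootbank/oem.tgz afterwards should show the original usr/, etc/ entries plus .ssh/authorized_keys, none of them starting with "./".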

Version history: Revision 1 of 1, last update 11-24-2008 09:47 PM