First of all I discovered that the minimum keysize between SSH and dropbear keys is 768 BITS! Keep this
info in your mind every time. Then, creating the root keys is simpler than creating the SSH keys for other non-root
users. The latter task tends to be tedious but not impossible. I'm gonna try to explain the simpler way (root SSH keys); if
you need advice for creating non-root SSH keys inside an ESXi box, come back to me.
Prerequisites:
You must have enabled the SSH server to login into the ESXi box. (Look here in this community forum for detailed explanation)
You must have set a root password anyway, for security reasons
Do not enable lockdown mode, otherwise you can only login via the DCUI.
If you need more security restrictions you can put a -g at the end of the ssh row, allowing root to login only using the identity file, not interactively anymore!
Security advice:
Keep your keys, especially the private one, secure by placing it inside encrypted filesystems or limit the usage by chmod 600 for user root.
Steps:
Login as root into a freshly booted ESXi box.
create a hidden directory called /.ssh with mkdir /.ssh
create the RSA dropbear key by executing /bin/dropbearkey -t rsa -f id_rsa -s 768 > id_rsa.pub
create the DSA dropbear key by executing /bin/dropbearkey -t dss -f id_dsa -s 1024 > id_dsa.pub
open the /.ssh/id_rsa.pub and /.ssh/id_dsa.pub files and delete the first and last line with your favorite editor.
NOTE: Do not change anything else; only one line beginning with ssh-rsa or ssh-dss must exist.
make a copy of your RSA private dropbear key by executing cp id_rsa id_rsa.db
make a copy of your DSA private dropbear key by executing cp id_dsa id_dsa.db
now convert the RSA dropbear key to SSH format by executing /bin/dropbearconvert dropbear openssh id_rsa id_rsa.ssh
now convert the DSA dropbear key to SSH format by executing /bin/dropbearconvert dropbear openssh id_dsa id_dsa.ssh
NOTE: These are your private SSH keys; the public key remains the same. In other Linux/Windows environments copy
id_rsa.ssh to id_rsa and id_dsa.ssh to id_dsa and you can use the same RSA/DSA keys everywhere :-)
Copy the RSA public key to authorized_keys with cat id_rsa.pub > authorized_keys
Append the DSA public key to authorized_keys with cat id_dsa.pub >> authorized_keys
NOTE: Please check that ALL private keys have chmod 600, otherwise every SSH server refuses to use them, because other modes are INSECURE!
If you plan to use PuTTY as I always do, copy id_rsa.pub and id_rsa.ssh to a PuTTY environment, rename id_rsa.ssh to id_rsa and use puttygen to create an id_rsa.ppk (PuTTY Private Key) file
You can also copy the id_dsa.pub and id_dsa.ssh to the same place and create an id_dsa.ppk file
Copy the newly created id_rsa.ppk and id_dsa.ppk keys to your ESXi box under /.ssh,
in case you need them elsewhere and forgot how to build them again
Now put all the /.ssh stuff inside the oem.tgz
Reboot and get the messages file out of the ESXi box, trying from another place: scp -i id_rsa root@<esxi-ip>:/var/log/messages .
NOTE: If everything went fine you will never be asked to provide the root password and can now execute batch commands via cron
If you now ask what the difference between an RSA and a DSA key is and which is better to use, here is the answer:
It's been accepted knowledge for several years now that, in relation to performance only, DSA is faster for key generation and signing and RSA is faster for verification.
So use RSA for copying, because verification is faster, and DSA for SSL web server applications, because creating and signing is faster.
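The key steps above (extract the public-key line from the dropbearkey transcript, build authorized_keys, enforce mode 600), as an added shell example that is not part of the original post. It selects the key line by pattern rather than by "first and last line", and the transcript below is a constructed stand-in shaped like dropbearkey's output, not a real key:

```sh
#!/bin/sh
# Added example, not from the post. File names (id_rsa.pub, id_dsa.pub,
# id_rsa, id_dsa, authorized_keys) follow the post; the key material is made up.

# Print the single ssh-rsa/ssh-dss line from a redirected dropbearkey transcript.
# Fails unless exactly one such line exists, so neither the "Public key portion
# is:" header nor the "Fingerprint:" trailer can slip into authorized_keys.
extract_pubkey() {
    [ "$(grep -Ec '^ssh-(rsa|dss) ' "$1")" -eq 1 ] || return 1
    grep -E '^ssh-(rsa|dss) ' "$1"
}

# Build $1/authorized_keys (RSA line first, then DSA) and set the 600 modes
# the post insists on for authorized_keys and both private keys.
build_authorized_keys() {
    dir=$1
    : > "$dir/authorized_keys"
    for pub in "$dir/id_rsa.pub" "$dir/id_dsa.pub"; do
        [ -f "$pub" ] || continue
        extract_pubkey "$pub" >> "$dir/authorized_keys" || return 1
    done
    for f in "$dir/authorized_keys" "$dir/id_rsa" "$dir/id_dsa"; do
        [ -f "$f" ] && chmod 600 "$f"
    done
    return 0
}

# Return 0 only if every key file present in $1 is exactly mode 600.
check_perms() {
    for f in "$1/authorized_keys" "$1/id_rsa" "$1/id_dsa"; do
        [ -f "$f" ] || continue
        [ -n "$(find "$f" -perm 600)" ] || return 1
    done
    return 0
}

# Constructed fixture: transcripts as dropbearkey prints them, plus empty
# stand-ins for the private keys, deliberately left too open. Prints the dir.
make_fixture() {
    d=$(mktemp -d)
    printf '%s\n' 'Public key portion is:' \
        'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAYQDconstructed= root@esxi' \
        'Fingerprint: md5 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff' > "$d/id_rsa.pub"
    printf '%s\n' 'Public key portion is:' \
        'ssh-dss AAAAB3NzaC1kc3MAAACBAPconstructed= root@esxi' \
        'Fingerprint: md5 ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00' > "$d/id_dsa.pub"
    : > "$d/id_rsa"; : > "$d/id_dsa"; chmod 644 "$d/id_rsa" "$d/id_dsa"
    echo "$d"
}
```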
Where should I start... let's see, how about security...
"Security advice:
Keep your keys, especially the private one, secure by placing it inside encrypted filesystems or limit the usage by chmod 600 for user root."
- and yet you COPY the root@ESXhost user's key to a Windows system? Every user@host should generate their own key pair and you ONLY copy the pub part to the ESX .ssh/authorized_keys file. The server should not ever have your client's private part of the key! Having multiple copies of the private part is just plain wrong and against your warning... "do as I say, not as I do" or what?
- PuTTY has its own keygen, use it.
- RE: DSA vs RSA - it's less about speed, since on any 1 GHz+ system either is done in a blink, and more about security, but even that seems to be right along the lines of vi vs emacs.
Steps 15 and 16 are good info though.
Does somebody have instructions for ESXi 4.0?
15. Now put all the /.ssh stuff inside the oem.tgz
Does someone have detailed steps for how to put the stuff inside?
I tried this:
mkdir /tmp/oem/
tar xzf /bootbank/oem.tgz -C /tmp/oem/
cp -r /.ssh/ /tmp/oem/
cd /tmp/oem
tar czf /bootbank/oem.tgz *
But my tar doesn't include the hidden .ssh directory.
With "." instead of "*" my paths in the oem.tgz are different: "./usr/..." instead of just "usr/..."
thanks
jurgen
Hi js-hacki,
just execute tar -cvzf /bootbank/oem.tgz * .ssh
and enjoy the freedom to login without password
bye
gio
Hi gio
thx for your fast response.
I was afraid of overwriting the existing oem.tgz.
There are many files inside the package and with your command
they're all deleted. Aren't these files important?
bye
Hi juergen,
please do not erase the content of oem.tgz, just append the .ssh directory to it.
Executing the tar command in my example you will append the content of .ssh.
Regards
Gio
Hi.
Within the ESXi 4 SSH shell the tar command seems not to know the append option.
Here is how it worked for me:
cd /
mkdir test
cp -r .ssh /test
cp /bootbank/oem.tgz /test
cd test
tar -xzvf oem.tgz
rm oem.tgz
tar -czvf oem.tgz '.ssh' 'etc' 'lib' 'sbin' 'usr' 'var' pkgdb.tgz
mv oem.tgz /bootbank
cd ..
rm -r test
It might be that your oem.tgz contains other files/folders. Then you have to adjust the tar creation command to your needs.
Regards
continue2
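The unpack, add .ssh, repack procedure from the last two answers as an added shell example, not code from anyone in the thread. It lists the work directory with ls -A so that hidden names are included (jurgen's "*" problem) and member names stay "usr/..." rather than "./usr/..." (his "." problem); the oem.tgz and .ssh directory it works on are constructed stand-ins:

```sh
#!/bin/sh
# Added example, not from the thread. Paths are constructed stand-ins for
# /bootbank/oem.tgz and /.ssh; the function itself takes any tgz and directory.

# Unpack $1, copy directory $2 in beside the existing entries, repack in place.
add_dir_to_tgz() {
    tgz=$1 dir=$2
    work=$(mktemp -d) || return 1
    tar -xzf "$tgz" -C "$work" || return 1
    cp -R "$dir" "$work/" || return 1
    # ls -A lists dot-names but not . or .., so .ssh is picked up and the
    # members keep plain names like "usr/bin/tool" (assumes no spaces in names).
    tar -C "$work" -czf "$tgz.new" $(ls -A "$work") || return 1
    mv "$tgz.new" "$tgz" && rm -rf "$work"
}

# Sorted member list of a tgz, for checking the result.
list_tgz() { tar -tzf "$1" | sort; }

# Constructed fixture: a small "oem.tgz" holding etc/ and usr/, plus a .ssh
# directory with one made-up authorized_keys line. Prints the fixture dir.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/src/etc" "$d/src/usr/bin" "$d/home/.ssh"
    echo 'constructed' > "$d/src/etc/motd"
    echo 'constructed' > "$d/src/usr/bin/tool"
    echo 'ssh-rsa AAAAconstructed= root@esxi' > "$d/home/.ssh/authorized_keys"
    tar -C "$d/src" -czf "$d/oem.tgz" etc usr
    echo "$d"
}
```

On a real box the call would be add_dir_to_tgz /bootbank/oem.tgz /.ssh, after taking a copy of the original oem.tgz somewhere safe.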
Why mess with oem.tgz? All you need to do is add a new tgz file to /bootbank such as:
vi /bootbank/boot.cfg
Add '--- root_ssh.tgz' to the end of the modules= line
Create the tgz file:
tar -C / -czf "/bootbank/root_ssh.tgz" /.ssh