Setting up SSH Public Key Authentication

Introduction:

ESXI 5: Setting up SSH Public Key Authentication

This tutorial describes how you can connect via SSH to your ESXi 5.0 host using public key authentication. I have tried to explain as much as possible, since there are no (or at least I couldn’t find any) decent tutorials on the internet covering this subject on ESXi 5.0.

Firstly we will create our private and public keys on the client (the host we are connecting to ESXi from):

    ssh-keygen -t rsa

The keys by default are stored as follows:

    ~/.ssh/id_rsa
    ~/.ssh/id_rsa.pub

We set the permissions:

    chmod 600 ~/.ssh/id_rsa
    chmod 600 ~/.ssh/id_rsa.pub

We will now copy the public key to the ESXi host:

    scp ~/.ssh/id_rsa.pub root@esxi-host:/root

And then on the ESXi host we do:

    # '>' overwrites any existing authorized_keys file; use '>>' to append instead
    cat /root/id_rsa.pub > /etc/ssh/keys-root/authorized_keys
    chmod 600 /etc/ssh/keys-root/authorized_keys

The above is very important; other tutorials do not explain this at all! There is a directive in /etc/ssh/sshd_config, “AuthorizedKeysFile /etc/ssh/keys-%u/authorized_keys”, which specifies where a user’s “authorized_keys” file will be looked up on the ESXi host. In this tutorial we will be connecting from a remote host to the ESXi host as the user root; hence we replace %u with root, so it becomes “keys-root”.

Important!: Make sure that the ~/.ssh folders on both hosts are set to mode 700, e.g.:

    chmod 700 ~/.ssh

In order to disable password logins to the SSH server, open the sshd configuration file:

    vi /etc/ssh/sshd_config

and change it according to the below:

    PermitRootLogin yes
    # The next entry might not be present! Don't add it if it isn't present.
    ChallengeResponseAuthentication no
    PasswordAuthentication no

and finally restart the SSH service:

    /etc/init.d/SSH restart

You can now connect to ESXi 5 using SSH public key authentication by running the following:

    ssh -i ~/.ssh/id_rsa root@esxi-host

If you run into any problems, just use the -v switch in SSH, e.g.:

    ssh -v -i ~/.ssh/id_rsa root@esxi-host
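
The script below is an added example, not part of the original post: it resolves the %u token in AuthorizedKeysFile as described above, then checks the key file's mode and the PermitRootLogin and PasswordAuthentication settings, so that a lockout can be caught before password logins are switched off. The function names are hypothetical, and it assumes plain "Keyword value" lines and a single AuthorizedKeysFile entry.

```shell
#!/bin/sh
# Added example (not from the original post): audit key-only SSH login settings.
# Assumptions: "Keyword value" syntax, only the first AuthorizedKeysFile entry
# is checked, and only the %u token is expanded.

# Print the first value set for keyword $2 in sshd_config $1.
# sshd keeps the first occurrence; keywords are case-insensitive.
sshd_setting() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Print the authorized_keys path sshd will read for user $2.
authorized_keys_path() {
    pattern=$(sshd_setting "$1" AuthorizedKeysFile)
    [ -n "$pattern" ] || pattern=".ssh/authorized_keys"   # OpenSSH default
    printf '%s\n' "$pattern" | sed "s/%u/$2/g"
}

# Succeed only if $1 is a regular file with no group/other permission bits,
# i.e. mode 600 or stricter, as set by the chmod in the tutorial.
key_file_is_private() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Audit user $2 against config $1; a non-zero return means the setup
# deviates from what the tutorial requires.
audit_key_login() {
    rc=0
    file=$(authorized_keys_path "$1" "$2")
    if ! key_file_is_private "$file"; then
        echo "FAIL: $file is missing or accessible to group/other"; rc=1
    elif [ ! -s "$file" ]; then
        echo "FAIL: $file is empty"; rc=1
    fi
    if [ "$2" = root ] && [ "$(sshd_setting "$1" PermitRootLogin)" = no ]; then
        echo "FAIL: PermitRootLogin no blocks root"; rc=1
    fi
    if [ "$(sshd_setting "$1" PasswordAuthentication)" != no ]; then
        echo "WARN: password logins are still enabled"
    fi
    return "$rc"
}

# Example: sh audit.sh /etc/ssh/sshd_config root
if [ "$#" -eq 2 ]; then audit_key_login "$1" "$2"; fi
```

Run it while an existing session is still open, so that a FAIL can be corrected before you log out.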

This entry was posted in Linux and tagged dropbear, esxi 5, public key, ssh on May 11, 2012.

 

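Addendum:

Disabling root login over SSH and logging in as an ordinary user instead is more secure. The steps are:

a. Add the user: use "Local Users & Groups" in the VMware vSphere Client (if a domain is used, add user u under "Permissions") to add user u, select "Grant shell access to this user", and set the group membership to "users".

b. SSH to the ESXi host, then:

    # sshd expands %u in AuthorizedKeysFile to the login name, so user u needs keys-u
    mkdir /etc/ssh/keys-u
    cat /root/id_rsa.pub > /etc/ssh/keys-u/authorized_keys
    chmod 600 /etc/ssh/keys-u/authorized_keys
    chown u /etc/ssh/keys-u/authorized_keys

Note: the owner must be changed to u, otherwise SSH login will not work.

c. Edit /etc/ssh/sshd_config to disallow logging in as root:

    PermitRootLogin no

d. Restart the SSH service:

    /etc/init.d/SSH restart

After rebooting the ESXi host, disaster struck: neither root nor user u could log in over SSH any more, so I had to get in through the ESXi Shell and fix things.

The authorized_keys file should be placed under /vmfs/volumes/datastore1/u/ instead, with the file setting in sshd_config pointing to the new location:

    AuthorizedKeysFile /vmfs/volumes/datastore1/u/authorized_keys

The rest of the configuration is the same as above. This ensures that after the ESXi host is rebooted, the authorized_keys file is still available and does not disappear.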










This article is reposted from h2appy's 51CTO blog; original link: http://blog.51cto.com/h2appy/1106184. To repost it, please contact the original author yourself.