  • 1.  Disable weak ciphers on ESXi using PowerCLI

    Posted Apr 24, 2019 03:34 PM

    Hi All,

    Is there a way to disable the weak ciphers on ESXi using PowerCLI?

    I see that manually, we can edit the sshd_config file to remove the ciphers from the cipher list. However, if we have to automate the process, is there a way in PowerCLI to do this?

    I tried this: https://www.shogan.co.uk/vmware/using-plink-to-modify-esxi-host-configuration-files-via-ssh-from-a-powercli-script/

    ==========================

    $Server = Read-Host -Prompt 'Input your server IP/FQDN'
    $User = Read-Host -Prompt 'Input the user name'
    $Password = Read-Host -Prompt 'Input password'
    $vmhostName = Read-Host -Prompt 'Input ESXi name'

    # Connect to server
    Connect-VIServer -Server $Server -User $User -Password $Password

    # Get the host object
    $esxhost = Get-VMHost -Name $vmhostName

    # Check status of SSH service, start it if it is not running
    $sshService = Get-VMHostService -VMHost $esxhost | Where-Object { $_.Key -eq "TSM-SSH" }
    # Running is a Boolean, so test it directly instead of comparing it with the string "True"
    if (-not $sshService.Running)
    {
        Write-Host "Starting the SSH service"
        Start-VMHostService -HostService $sshService -Confirm:$false
    }

    # Run the commands listed in commands.txt on the host over SSH
    cmd /c "C:\Stuff\plink.exe -ssh -pw VMware123! -noagent -m C:\Stuff\commands.txt root@esxi-1.gsslabs.org > C:\Stuff\output.txt 2> C:\Stuff\error.txt"

    ====================

    However this doesn't seem to work. Any suggestions are appreciated.



  • 2.  RE: Disable weak ciphers on ESXi using PowerCLI

    Posted Apr 24, 2019 04:58 PM

    When you use the Posh-SSH module, it becomes a lot easier.

    See also Use Posh-SSH instead of PuTTY

    The script then becomes

    Note that the script runs auto-backup.sh after the file is changed, otherwise the changes will not survive a reboot.

    $esxName = 'MyEsx'

    # Command 1: read the current content of the file
    $cmdSub1 = @'
    cat /etc/vmware/config
    '@

    # Command 2: overwrite the file with the new content, then persist it.
    # The single-quoted here-string keeps $($newContent ...) unexpanded until ExpandString is called below.
    $cmdSub2 = @'
    cat > /etc/vmware/config << EOF
    $($newContent -join "`n")
    EOF
    /sbin/auto-backup.sh
    '@

    # Lines that replace any existing entries for the same settings
    $newLines = 'vmx.fullpath = "/bin/vmx"', 'isolation.tools.copy.disable="FALSE"', 'isolation.tools.paste.disable="FALSE"'

    $cred = Get-Credential -Message "Credentials for $esxName"

    # Start the SSH service if it is not running; $state keeps the original status
    $esx = Get-VMHost -Name $esxName
    $state = Get-VMHostService -VMHost $esx | where { $_.Key -eq 'TSM-SSH' }
    if (-not $state.Running)
    {
       Start-VMHostService -HostService $state -Confirm:$false | Out-Null
    }

    # Read the file, drop the old entries and append the new lines
    $session = New-SSHSession -ComputerName $esx.Name -Credential $cred -AcceptKey -Force
    $result1 = Invoke-SSHCommand -SSHSession $session -Command $cmdSub1
    $newContent = $result1.Output | where { $_ -notmatch "isolation.tools.copy.disable|isolation.tools.paste.disable|vmx.fullpath" }
    $newContent = $newContent + $newLines
    $cmdSub2 = $ExecutionContext.InvokeCommand.ExpandString($cmdSub2)

    # Write the file back and close the session
    $result2 = Invoke-SSHCommand -SSHSession $session -Command $cmdSub2
    Remove-SSHSession -SSHSession $session | Out-Null

    # Stop the SSH service again if it was not running at the start
    if (-not $state.Running)
    {
       Stop-VMHostService -HostService $state -Confirm:$false | Out-Null
    }
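
Added example, not part of either post: the reply's script filters lines of /etc/vmware/config, so this sketch shows the equivalent filtering step for the `Ciphers` directive of sshd_config, which is what the question asks about. The function name `Remove-WeakSshCipher`, the deny patterns and the fallback cipher list are assumptions chosen for illustration, and the sample input is constructed.

```powershell
# Added example: rewrite the Ciphers directive in sshd_config text.
# $Deny is an assumed deny list (CBC-mode, 3DES and arcfour names), not taken from the thread.
function Remove-WeakSshCipher {
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string[]]$ConfigLine,
        [string[]]$Deny = @('*-cbc', '3des-*', 'arcfour*'),
        # Used only when the file has no active Ciphers line (assumed allow list)
        [string[]]$Fallback = @('aes256-ctr', 'aes192-ctr', 'aes128-ctr')
    )
    $found = $false
    $out = foreach ($line in $ConfigLine) {
        # -match is case-insensitive, like sshd_config keywords; commented lines do not match
        if ($line -match '^\s*Ciphers\s+(?<list>\S+)\s*$') {
            $found = $true
            $keep = $Matches['list'] -split ',' | Where-Object {
                $name = $_
                -not ($Deny | Where-Object { $name -like $_ })
            }
            # Never write a Ciphers line with no algorithms left on it
            if (-not $keep) { throw 'Every configured cipher is on the deny list' }
            'Ciphers ' + ($keep -join ',')
        }
        else { $line }
    }
    # No active directive means sshd uses its built-in defaults, so pin an explicit list
    if (-not $found) { $out = @($out) + ('Ciphers ' + ($Fallback -join ',')) }
    return $out
}

# Constructed sample, not captured from a real host
$sample = '# constructed sample sshd_config', 'Protocol 2', '',
          'Ciphers aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc,aes128-cbc',
          'PermitRootLogin yes'

Remove-WeakSshCipher -ConfigLine $sample
```

To use it with the reply's script, `$cmdSub1` and `$cmdSub2` would target the host's sshd_config (assumed here to be /etc/ssh/sshd_config) and `$newContent` would be set to `Remove-WeakSshCipher -ConfigLine $result1.Output`.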