VMware vSphere

  • 1.  Enable ssh login for non-root user.

    Posted Jul 21, 2012 01:31 PM

    Hi, all,

    We want to disable the root user for remote login and add a new user for SSH login to my ESXi 5. I did as follows.

    Firstly, enable SSH login via the technical mode option of the ESXi 5 service console. Because PermitRootLogin in /etc/ssh/sshd_config is set to no, we think the default setting for root user SSH login is disabled.

    Secondly, we connect to the ESXi 5 box from the VI Client, select Users and Groups -> Add a new user -> set the username and password, then check the box to grant shell access for the user.

    Finally, we tried to remotely SSH into the ESXi 5 host via TeraTerm, but I failed to do it without knowing the root cause. I fixed the problem with the following workaround:

    set PermitRootLogin yes, then restart the SSH service;

    set the new user's group to root from the VI Client.

    Then I can log into the ESXi 5 box via the new user, but it is not the desired way for me because I enabled root privilege for the new user.

    I wonder if there is a way to add a new user that can remotely log into ESXi 5 without enabling root privilege.



  • 2.  RE: Enable ssh login for non-root user.

    Broadcom Employee
    Posted Jul 21, 2012 01:49 PM

    Yes, there is a better way, and this is something I hit a while back. It has to do with what's defined in /etc/security/access.conf, which controls which logins are allowed. In previous releases, this allowed a certain set of users (you can take a look by "catting" the file) and then blocked the rest with the syntax "-:ALL:ALL". To enable a particular user, you just need to add them to this list, such as "+william:ALL". If you disable root from logging in via sshd_config and update this file, then you'll be able to grant others SSH access without allowing root, unless from the console.

    Now a word of warning: in the past, /etc/security/access.conf was auto-regenerated, which causes issues with changes to this file, and what I did back then was create a cron job to update it every minute (not very ideal). I'm not sure if this has been fixed in the latest release, but I'll do some testing; this method will give you what you want.

    Also want to note that a user without any root privilege will not be able to do a whole lot. So you still may need to give the user root credentials, at least if you're having them log in to the ESXi Shell; via the API it's different, but for most commands you'll need to have "root" privileges to do anything useful.

    UPDATE: It looks like if you add the "Administrator" permission via the vSphere Client or CLI, /etc/security/access.conf will automatically be updated and you won't have to manually tweak that file.
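    The two file edits the reply above describes, as an added example that is not code from either post. The script works on copies of /etc/security/access.conf and /etc/ssh/sshd_config so it can be checked offline, and it includes a small first-match evaluator that mimics how pam_access reads the file: lines are scanned top to bottom and the first line whose users field matches (or is ALL) decides, so a "+" entry for the new user only takes effect if it sits above the trailing "-:ALL:ALL". The example uses the standard three-field pam_access layout (permission:users:origins), so the reply's "+william:ALL" is written as "+:william:ALL"; the file paths, the user names and the sample file contents are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the thread). Edits COPIES of the two files the reply
# discusses and checks the result. Paths, user names and sample contents are
# assumptions for the demo; on a real host you would point ACCESS_CONF and
# SSHD_CONF at the live files and restart the SSH service afterwards.

ACCESS_CONF="${ACCESS_CONF:-./access.conf.demo}"
SSHD_CONF="${SSHD_CONF:-./sshd_config.demo}"

# Constructed samples: a short allow list followed by a catch-all deny
# (permission:users:origins), and an sshd_config that still permits root.
write_sample_files() {
    cat > "$ACCESS_CONF" <<'EOF'
# constructed sample access.conf
+:root:ALL
-:ALL:ALL
EOF
    cat > "$SSHD_CONF" <<'EOF'
# constructed sample sshd_config
Port 22
PermitRootLogin yes
EOF
}

# Emulate pam_access: skip comments/blank lines, first matching line wins,
# "ALL" in the users field matches everyone. Exit 0 = allowed, 1 = denied.
# No match at all is treated as denied here (assumption for the demo).
access_allows() {
    awk -F: -v u="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        $2 == u || $2 == "ALL"   { rc = ($1 == "+") ? 0 : 1; done = 1; exit }
        END { exit (done ? rc : 1) }
    ' "$1"
}

# Insert "+:user:ALL" directly above the first "-:ALL:ALL" line so it is
# evaluated before the deny-all. Idempotent: a second call changes nothing.
grant_login() {
    conf="$1"; user="$2"
    if grep -q "^+:$user:" "$conf"; then
        return 0
    fi
    tmp="$conf.tmp.$$"
    awk -v line="+:$user:ALL" '
        !inserted && /^-:ALL:ALL/ { print line; inserted = 1 }
        { print }
        END { if (!inserted) print line }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Set PermitRootLogin, replacing an existing directive or appending one.
set_permit_root_login() {
    conf="$1"; value="$2"
    tmp="$conf.tmp.$$"
    awk -v v="$value" '
        /^[ \t]*PermitRootLogin[ \t]/ { print "PermitRootLogin " v; seen = 1; next }
        { print }
        END { if (!seen) print "PermitRootLogin " v }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Report the effective value the way sshd does: first occurrence wins.
permit_root_login_value() {
    awk '/^[ \t]*PermitRootLogin[ \t]/ { if (v == "") v = $2 } END { print v }' "$1"
}

demo() {
    write_sample_files
    grant_login "$ACCESS_CONF" william
    set_permit_root_login "$SSHD_CONF" no
    for u in william root mallory; do
        if access_allows "$ACCESS_CONF" "$u"; then
            echo "access.conf: $u allowed"
        else
            echo "access.conf: $u denied"
        fi
    done
    echo "sshd_config: PermitRootLogin $(permit_root_login_value "$SSHD_CONF")"
}

demo
```

    Note that root still appears as allowed in the demo's access.conf: the reply's point is that the access.conf entry and PermitRootLogin are separate controls, so disabling remote root is done in sshd_config while access.conf only decides who may log in at all. The script models just the file edits; the restart of the SSH service and the regeneration problem the reply warns about are not covered, and the reply's update suggests assigning the Administrator permission from the vSphere Client as the route that keeps access.conf maintained for you.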