Here is my first blog post this year and my first blog post in English ever! The reason: I asked my friend Google how to disable keyboard-interactive SSH login for my remote VMware ESXi 5.x hosts, and – guess what? – my friend found a good amount of conflicting information! So I tried out the proper method myself and now I share the results with the rest of the world. Consequently I can help my IT fellows out there, and my short article might also make me world famous…
The basic situation: you manage one or more VMware ESXi 5.x (free version) standalone hosts and sometimes you need to use the remote console over SSH, e.g. to install security and other patches (you know:
esxcli software vib update -d /vmfs/volumes/datastore1/patches/{patchfile.zip}
)
A well-configured SSH connection is secure; however, there is a port open to the wild, so it is a target for e.g. brute-force (password-guessing) attacks. One of our tools to fight password guessing is to use PKI-based (public key) authentication AND to disable good ol’ username/password login.
The first part is well documented all over the internet; I summarize it here just to keep the relevant information together.
1. We need an RSA key pair for SSH
It can be generated on the ESXi host, after which the private key needs to be moved to the client machine used to manage that host. Or it can be generated on the management machine, in which case only the public key needs to be transferred to the ESXi host, which is a whole lotta safer.
I used PuTTYGen for this purpose, as I use PuTTY(1) for the connection:
Give the private key a passphrase: it improves security. Either you type it in at each login or you use Pageant (also part of the PuTTY package) to remember it while your client computer is on.
After pressing the „Generate” button and moving the mouse randomly to create some entropy (why, isn’t there enough entropy in the Universe?), the program generates the key pair. Save both keys in a safe place from where PuTTY can load the private key .PPK file.
2. Store the public key on the ESXi host
Log in to the ESXi host with vSphere Client, go to the „Configuration” tab, click on „Security Profile”, then on „Properties…” in the Services section, and start „ESXi Shell” and „SSH” manually.
Now log in to the ESXi host with PuTTY as root and type:
vi /etc/ssh/keys-root/authorized_keys
The file is originally empty. Press i to put vi into insert mode, then paste the public key with a well-aimed right mouse click.
Press ESC, then type :wq, and vi saves the authorized_keys file with your public key.
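Pasting the key by hand works, but a small script makes this step repeatable and catches the usual mistakes (a pasted .PPK file instead of the OpenSSH line, a line broken by the terminal, a duplicate entry, a world-readable file). The following is an added example, not code from the original post or from VMware: a POSIX sh function that installs one OpenSSH-format public key line (the text PuTTYGen shows in its „Public key for pasting into OpenSSH authorized_keys file” box) into an authorized_keys file. The default path /etc/ssh/keys-root/authorized_keys is the one used in this post, the sample key in the comments is made up, and only ssh-rsa lines are accepted because that is what the post generates.

```shell
#!/bin/sh
# Added example (not from the original post or VMware): install an OpenSSH
# public key line into an authorized_keys file, idempotently and with safe
# permissions. Written for POSIX sh so it also runs in the ESXi busybox shell.
#
# install_pubkey "<key line>" [authorized_keys path]
#   key line: "ssh-rsa <base64 blob> [comment]", e.g. (constructed, not a real key)
#             "ssh-rsa AAAAB3NzaC1yc2E...fakeBlob== root@mgmt"
#   path:     defaults to /etc/ssh/keys-root/authorized_keys, root's key file on
#             ESXi 5.x as used in the post (the default itself is an assumption)
# Returns 0 when the key is present afterwards (added now or already there),
# 1 when the key line is rejected.
install_pubkey() {
    key_line=$1
    auth_file=${2:-/etc/ssh/keys-root/authorized_keys}

    # Split the line into "type blob [comment]" without pathname expansion.
    set -f
    set -- $key_line
    set +f
    key_type=$1
    key_blob=$2

    # Only RSA keys, as generated in the post. Add other types here if your
    # sshd supports them.
    if [ "$key_type" != "ssh-rsa" ]; then
        echo "install_pubkey: unsupported key type '${key_type:-<empty>}'" >&2
        return 1
    fi
    # The blob must be non-empty base64 text: this catches a pasted .PPK file
    # or a line that the terminal wrapped and broke.
    case $key_blob in
        "" | *[!A-Za-z0-9+/=]*)
            echo "install_pubkey: key blob is missing or not base64" >&2
            return 1 ;;
    esac

    # Create the file if needed and keep it readable by the owner only.
    mkdir -p "$(dirname "$auth_file")"
    touch "$auth_file"
    chmod 600 "$auth_file"

    # Already installed? Compare type and blob, ignoring the comment field.
    if awk -v t="$key_type" -v b="$key_blob" \
           '$1 == t && $2 == b { found = 1 } END { exit !found }' "$auth_file"; then
        return 0
    fi
    printf '%s\n' "$key_line" >> "$auth_file"
}

# key_count [authorized_keys path]: number of key lines in the file
key_count() {
    grep -c '^ssh-' "${1:-/etc/ssh/keys-root/authorized_keys}"
}
```

Run it on the host as root, e.g. install_pubkey "$(cat /tmp/mgmt.pub)", or try it first against a scratch file by passing a second argument; running it twice with the same key leaves a single line in place.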
3. Configure PuTTY to use PKI authentication
Open PuTTY, load your saved session and go to Connection/SSH/Auth. Click the „Browse” button and select your freshly generated private key .PPK file:
You can also specify the „Auto-login username” on the Connection/Data screen so that the user name need not be typed in every time.
Then go back to Session and save the modifications:
Pressing „Open” opens the connection and – Voila! (as the educated Germans say) – you are logged in to the ESXi host using PKI (after typing in the key passphrase, of course)!
4. Disable good ol’ username/password login
Once the previous test has passed, you may think about disabling keyboard-interactive login (of course, if you are an adrenaline addict, don’t bother with the tests, just go ahead and edit some vital files on your live system!). To do that, the /etc/ssh/sshd_config file needs to be edited, despite the fact that there are official materials which forbid modifying this file:
However, there is at least one Knowledge Base article which regards modifying this file as normal (and which is also official, to a certain extent):
Edit the /etc/ssh/sshd_config file with vi and insert the following line in the most appropriate place:
ChallengeResponseAuthentication no
Normally „PasswordAuthentication no” is already there.
My friend Google has also found some advice to switch off the whole PAM (Pluggable Authentication Modules) system, but there is no reason for that, and what is more, it has some serious side effects. An earlier version of Fedora even gave a warning when UsePAM had been switched off:
https://bugzilla.redhat.com/show_bug.cgi?id=770756
openSUSE also contains some warnings and good advice not to set UsePAM to no, so leave it on, please. (I know, ESXi is not Linux, but anyway…)
Save the sshd_config file and restart the SSH service with
/etc/init.d/SSH restart
Log out and try to log in with keyboard-interactive authentication, e.g. after clearing the „Private key file for authentication:” box. The expected result:
This is one of the rare cases when a massive error message is undoubted evidence of great success!
This concludes your effort: there is now only one way to log in to the ESXi console over SSH: PKI authentication!
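Editing sshd_config with vi is fine for one host; for several hosts, or simply to double-check the result before restarting sshd, the following added example (not from the original post or from VMware) makes the same edits from a POSIX sh script and then checks that the effective values are what this section asks for: PasswordAuthentication and ChallengeResponseAuthentication both no, and UsePAM not switched off. It assumes a stock-style config without Match blocks, as on an ESXi host; the config path defaults to /etc/ssh/sshd_config and can be overridden to try the functions on a copy first.

```shell
#!/bin/sh
# Added example (not from the original post or VMware): apply and verify the
# sshd_config settings described in this post. POSIX sh, so it runs in the
# ESXi busybox shell too. Assumes a stock-style config without "Match" blocks.
# Every function takes an optional config path, default /etc/ssh/sshd_config.

# set_directive NAME VALUE [config]
# sshd honours the first occurrence of a directive, so the first matching line
# (even a commented-out "#Name value" line) is rewritten in place, later
# duplicates are dropped, and the directive is appended if it is absent.
set_directive() {
    name=$1; value=$2; cfg=${3:-/etc/ssh/sshd_config}
    tmp="$cfg.tmp.$$"
    awk -v n="$name" -v v="$value" '
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)   # strip indentation and a leading "#"
            split(line, f, /[ \t]+/)
            if (tolower(f[1]) == tolower(n)) {
                if (!done) { print n " " v; done = 1 }
                next
            }
            print
        }
        END { if (!done) print n " " v }
    ' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# effective NAME [config]: the value sshd would use (first active occurrence,
# lower-cased; empty if the directive is not set, i.e. the built-in default).
effective() {
    awk -v n="$1" 'tolower($1) == tolower(n) { print tolower($2); exit }' \
        "${2:-/etc/ssh/sshd_config}"
}

# check_hardening [config]
# Returns 0 only when password and keyboard-interactive logins are both off
# and UsePAM has not been switched off (the post warns against that).
# An unset PasswordAuthentication or ChallengeResponseAuthentication means
# the sshd default, which is yes, so it fails the check.
check_hardening() {
    cfg=${1:-/etc/ssh/sshd_config}
    pa=$(effective PasswordAuthentication "$cfg")
    cr=$(effective ChallengeResponseAuthentication "$cfg")
    pam=$(effective UsePAM "$cfg")
    rc=0
    [ "$pa" = "no" ]   || { echo "PasswordAuthentication is '${pa:-unset, default yes}'"; rc=1; }
    [ "$cr" = "no" ]   || { echo "ChallengeResponseAuthentication is '${cr:-unset, default yes}'"; rc=1; }
    [ "$pam" != "no" ] || { echo "UsePAM is 'no': leave it on"; rc=1; }
    [ $rc -eq 0 ] && echo "sshd_config: only public key authentication is enabled"
    return $rc
}
```

Typical use on the host: set_directive ChallengeResponseAuthentication no, then check_hardening, and only when it reports success restart with /etc/init.d/SSH restart as above. From an OpenSSH client the equivalent of the PuTTY test in the screenshot is ssh -o PubkeyAuthentication=no -o PreferredAuthentications=password,keyboard-interactive root@esxi-host, which must now be refused with a permission-denied error that names only publickey as an available method.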
The last words after the last words: do not forget to switch off ESXi Shell and SSH in vSphere Client…
The last words after the last words after the last words: the Next Big Thing would be to prevent keyboard-interactive login via vSphere Client, too. One solution is known: join your ESXi host to a Microsoft Windows domain…
Useful external links:
PuTTY package download: http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
A nice tutorial on how to create key-based SSH logins with PuTTY (it has only three drawbacks): https://www.howtoforge.com/ssh_key_based_logins_putty
(1) Did you know that The King (Elvis P.) had a song in which he sang „There is a putty in my hand”? Imagine: half a century ago! It is not incidental that he is The King…