With the release of ESXi 5.0 VMware permanently did away with one of the core components of its flagship product: the service console. Owing to its roots in Linux the original versions of ESX were in fact modified versions of Red Hat Enterprise Linux and had all the trimmings of a full Linux host. Of course modifying anything in there was done at your own peril but for the most part you could treat it just like a Linux box when there was a challenge you needed to overcome. However the Service Console was also the most patched aspect of ESX and thus moving away from it meant a more secure hypervisor, at the cost of removing some flexibility.
Of course some of the functionality remains but its far from what it used to be. Instead of being a fully fledged Linux box under the hood it’s now a custom BusyBox implementation giving you a somewhat familiar environment but with all the cruft reduced to a minimum. When ESXi was first introduced I was quite sceptical as I spent a good deal of my time in the Service Console when troubleshooting virtual environments but since I’ve spent the last 6 months developing an ESXi 5.0 standard operating environment I’ve grown to appreciate the simplicity, mostly because the tools to manage ESXi outside the service console have matured considerably.
One thing it doesn’t do well however is remote access. Back in the ESX days it was a pretty simple matter of creating a new user and giving them shell access and there was nothing more that needed to be done. Whilst it’s trivial to re-enable SSH you’ll soon find out that whilst you’re able to access it with the built in root account you can’t access it with any other account, even if you’ve granted them shell access (the complete opposite to how it has been in the past). For my SOE this isn’t acceptable and so I’ve been developing a solution to the problem.
Engaging my Goolge-Fu I quickly stumbled across two posts that detailed a process of how to do this on ESXi 4.1. Now many of the problems in 4.1 are shared with 5.0 so I figured that these would probably work for me. Upon testing them however neither of them work meaning that there’s been some changes to the way that ESXi does its SSH authentication in 5.0. Thankfully those posts, coupled with some insight from work mates, pointed me to the right solution.
One of the solutions we found that worked for us was modifying /etc/security/access.conf to have the user in it that you wanted. That ends up looking something like this:
+:dcui:ALL +:root:ALL +:vpxuser:ALL +:vslauser:ALL +:UserToGiveSSHTo:ALL -:ALL:ALL
That works, right up until you reboot. That particular file isn’t blessed with the sticky bit that ESXi puts on certain files so any changes to it are lost upon reboot. Additionally that appears to only work for a single user which would make adding additional users something of a bother. As it turns out both these problems are rather easily solved.
The access.conf file also works with groups, although this isn’t documented anywhere. So for the example file above if you just use a group name instead of a single user name all users contained in that group will get shell access, so long as the user was granted that when it was created. To get around the rebooting problem you can edit the rc.local file (which does have the sticky bit on it) which is a script file that runs after ESXi is done loading, allowing you to run scripts at start up. All that you need to do then is sed in the permission line for the group/user you want to enable access for. An example rc.local file is below:
#!/bin/sh export PATH=/sbin:/bin log() { echo "${1}" /bin/busybox logger init "${1}" } # execute all service retgistered in ${rcdir} ($1 or /etc/rc.local.d) if [ -d "${1:-/etc/rc.local.d}" ] ; then for filename in $(find "${1:-/etc/rc.local.d}" | /bin/busybox sort) ; do if [ -f "${filename}" ] && [ -x "${filename}" ]; then log "running ${filename}" "${filename}" fi done fi sleep 4 sed -i '$ i\+:GroupOrUserThatNeedsAccess:ALL' /etc/security/access.conf
I’ve tested this and it works on one of my freshly minted ESXi 5.0 boxes.
One of our concerns with this was the potential security implications of enabling SSH in this way. ESXi uses PAM for authentication and what the above modifications to access.conf does is tell PAM to authorize that account for any check that invokes it, including SSH authentication. Now that sounds bad since it seems like that would be akin to granting those users administrator rights (indeed that is the supported way of giving users SSH access to ESXi hosts) but ESXi only uses PAM for authentication, not authorization. This means that whilst they’ve got wide open access when it comes to PAM ESXi uses its own in built permissions to control user access. So this means you can have restricted accounts that are allowed to login via SSH and then su to root if they need more permissions, which is still supported in BusyBox.
So this is probably as close as you’ll ever get to having the same level of control that you have in your current ESX environments when you make the switch to ESXi. Personally I think it’s pretty elegant and its very maintainable unlike many of the other solutions I tried before reaching this one. If you have any questions or comments feel free to hit me up in the comments, on twitter or send me an email.
Thanks for this article.
I had trouble getting it to work at first. I found that the /etc/security/access.conf was getting modified a few seconds after the sed line in rc.local, so I guess it was getting replaced.
I put a ‘sleep 4’ before the sed line in rc.local and it worked as expected after that.
Ah that explains why a few of our servers came up without the modifications. It wasn’t consistent but I suspected that it was overwritten. Manually adding the line in seemed to fix the issue though so I didn’t bother pursuing it any further.
Thanks for the tip though, I’ll add that in to the post 🙂
Excellent post, works first time.
Thanks
RW
Great to hear that it worked for you RW, thanks! 😀
You now need to use /etc/rc.local.d/local.sh to store the changes.
For ESXi 5.1+.
Hello! When I made such configuration, user logins with root privelegies! Even, user is not in admin group. I do the following steps:
/usr/lib/vmware/auth/bin/adduser testuser
echo “+:testuser:ALL” >> /etc/security/access.conf
Then, when I login with ssh, I am superuser 🙁
Thks!
Hey Ruslan. I think that might be due to the way the access.conf file processes the security permissions as when you echo’ed in the testuser it will be after the -:ALL:ALL line. From memory when I did this I had the exact same issue which is why I use sed in the rc.local file rather than echo. It’s been a while since I actually used this on an ESX server though so if you give that a go and still get the same issue let me know!
Thank you! Actualy it did not helped me 🙂 I will write here, when I get the solution.
No worries Ruslan, let me know how it goes!