Logging into ESXi’s Console and SSH as an Active Directory user

Once ESXi has joined the domain, you can log in as an AD user, and the password stored in AD is used for authentication.

[root@somehost ~]# ssh 10.0.0.115 -l christow@lab.somedomain.com
Password:
The time and date of this login have been sent to the system logs.

VMware offers supported, powerful system administration tools.  Please
see http://www.vmware.com/go/sysadmintools for details.

The ESXi Shell can be disabled by an administrative user. See the
vSphere Security documentation for more information.
~ $ id
uid=1409287390(LAB\christow) gid=1409286657(LAB\domain^users)

~ $ cat /etc/security/access.conf
+:dcui:ALL
+:root:ALL
+:vpxuser:ALL
+:vslauser:ALL
+:LAB\christow:ALL
-:ALL:ALL

UPN notation doesn't work in access.conf; you have to use NetBIOS-style names (DOMAIN\user).

Having "+:christow@lab.somedomain.com:ALL" in the file does not work.

You can also use the NetBIOS name to log in via SSH. Protect the backslash with double quotes:
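A small audit of the access.conf format shown above, added here as example code (it is not from the original post): it checks for the trailing catch-all deny line and flags "+" entries written in UPN form, which ESXi never matches. The sample file is constructed.

```shell
#!/bin/sh
# Audit an ESXi /etc/security/access.conf (pam_access syntax: perm:users:origins).
# Added example, not from the original post; run it against a copy of the file.

# Users explicitly granted access by "+" lines, one per line.
allowed_users() {
    grep '^+:' "$1" | cut -d: -f2
}

# 0 if the last non-blank line is the catch-all deny, 1 otherwise.
has_final_deny() {
    [ "$(grep -v '^[[:space:]]*$' "$1" | tail -n 1)" = "-:ALL:ALL" ]
}

# "+" entries written in UPN form (user@domain). ESXi only matches AD users
# in NetBIOS form (DOMAIN\user), so these entries never grant anything.
upn_entries() {
    grep '^+:[^:]*@[^:]*:' "$1" | cut -d: -f2
}

# Returns 0 when the file has a final deny line and no UPN-style entries.
audit_access_conf() {
    rc=0
    if ! has_final_deny "$1"; then
        printf 'WARN: %s lacks a trailing -:ALL:ALL deny line\n' "$1"
        rc=1
    fi
    for u in $(upn_entries "$1"); do
        printf 'WARN: "%s" is UPN style; use NetBIOS form such as LAB\\user\n' "$u"
        rc=1
    done
    # printf, not echo: some shells' echo treats the "\c" in LAB\christow as an escape
    printf 'Granted: %s\n' "$(allowed_users "$1" | tr '\n' ' ')"
    return $rc
}

# Constructed sample: the NetBIOS entry works, the UPN entry silently does not.
SAMPLE=${TMPDIR:-/tmp}/access.conf.sample
cat > "$SAMPLE" <<'EOF'
+:dcui:ALL
+:root:ALL
+:vpxuser:ALL
+:vslauser:ALL
+:LAB\christow:ALL
+:christow@lab.somedomain.com:ALL
-:ALL:ALL
EOF
if audit_access_conf "$SAMPLE"; then echo "access.conf OK"; else echo "fix access.conf"; fi
```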

[root@somehost ~]# ssh 10.0.0.115 -l "LAB\christow"
Password:
The time and date of this login have been sent to the system logs.

VMware offers supported, powerful system administration tools.  Please
see http://www.vmware.com/go/sysadmintools for details.

The ESXi Shell can be disabled by an administrative user. See the
vSphere Security documentation for more information.
~ $ Connection to 10.0.0.115 closed.

Both UPN-style and NetBIOS names work on the Alt-F1 recovery console (no quotes and a single backslash for the NetBIOS name work fine).

To stop the system from overwriting /etc/security/access.conf, the vicfg-user command needs to be run from a VIMA system to give the user "admin" access:

[vi-admin@labvma01 ~][10.0.0.115]$ vicfg-user -e user -o modify -l LAB\\christow -r admin


Backing up the ESXi hypervisor before playing with custom VIBs.

If you copy the /bootbank files to /altbootbank beforehand, you can roll back to them by pressing Shift-R when ESXi boots.

This reverses the symlinks for /altbootbank and /bootbank:

~ # ls -ald /*bootbank*
lrwxrwxrwx    1 root     root                 49 Jun  2 21:13 /altbootbank -> /vmfs/volumes/702aea7e-a9164be0-0df5-0cf76d6e11b9
lrwxrwxrwx    1 root     root                 49 Jun  2 21:13 /bootbank -> /vmfs/volumes/2be37f76-1609a97d-31db-e8ed56893060
~ # cp /bootbank/* /altbootbank

Reboot, and press Shift-R. Press Y to confirm. After boot:

~ # ls -ald /*bootbank*
lrwxrwxrwx    1 root     root                 49 Jun  2 21:27 /altbootbank -> /vmfs/volumes/2be37f76-1609a97d-31db-e8ed56893060
lrwxrwxrwx    1 root     root                 49 Jun  2 21:27 /bootbank -> /vmfs/volumes/702aea7e-a9164be0-0df5-0cf76d6e11b9

Adding non-root access to ESXi

ESXi is POSIX-enough that you can add a user by editing /etc/shadow, /etc/passwd, and /etc/group.

Console Access:

However, to allow the user to log in directly, /etc/security/access.conf has to be edited as well:

/etc/security/access.conf :

+:dcui:ALL
+:root:ALL
+:vpxuser:ALL
+:vslauser:ALL
+:foo:ALL
-:ALL:ALL

SSH Access:

If passwords are used, the access.conf change above is required. Alternatively, SSH keys can be used.

SSH keys are stored in /etc/ssh/keys-<username>/authorized_keys.

However, that file needs to be owned by the user.

e.g.:

[root@somehost ~]# ssh -v foo@10.0.0.115
OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
debug1: Reading configuration data /root/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 10.0.0.115 [10.0.0.115] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type 1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: loaded 3 keys
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.6
debug1: match: OpenSSH_5.6 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug1: kex: client->server aes128-ctr hmac-sha1 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<2048<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '10.0.0.115' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:53
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug1: Offering public key: /root/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 277
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
The time and date of this login have been sent to the system logs.

VMware offers supported, powerful system administration tools.  Please
see www.vmware.com/go/sysadmintools for details.

The ESXi Shell can be disabled by an administrative user. See the
vSphere Security documentation for more information.

~ $ id
uid=502(foo) gid=502(foo)

~ $ ls -al /etc/ssh/keys-foo
drwxr-xr-x    1 root     root                512 Jun  2 10:19 .
drwxr-xr-x    1 root     root                512 Jun  2 10:12 ..
-rw------T    1 foo      foo                 399 Jun  2 08:43 authorized_keys

~ $ exit 

However, the big problem is that ownership of files delivered by VIBs reverts to root at mount time:

~ # ls -al /etc/ssh/keys-foo
drwxr-xr-x 1 root root 512 Jun 2 21:12 .
drwxr-xr-x 1 root root 512 Jun 2 21:12 ..
-rw------T 1 root root 399 Jun 2 18:43 authorized_keys

Script to create a custom VIB in ESXi 5.0

This script can be used to maintain a list of files to mount automatically at boot time. The list of files must also include the parent directories, if those are not present in the default directory hierarchy.

/createcustom.sh:

#!/bin/sh
# /createcustom.sh
# Chris Wells 20120602
# Put the list of files to include (paths relative to /) in file /customfiles
# Then add "--- custom.v00" to the modules line in /bootbank/boot.cfg
# Test it by:
# vmkramdisk /bootbank/custom.v00

set -e
cd /
# Archive the listed files plus this script and its list, wrap the tar in
# vmtar format, and gzip it into a .v00 module that the boot loader will load.
tar cvf /tmp/custom.tar `cat /customfiles` createcustom.sh customfiles
vmtar -o /tmp/custom.vmtar -c /tmp/custom.tar
rm -f /tmp/custom.tar
gzip -9 < /tmp/custom.vmtar > /tmp/custom.v00
rm -f /tmp/custom.vmtar
cp /tmp/custom.v00 /bootbank
rm -f /tmp/custom.v00

e.g., I've used this to provide SSH keys for a non-root user:

~ # /createcustom.sh 
etc/security/access.conf
etc/ssh/keys-foo/
etc/ssh/keys-foo/authorized_keys
createcustom.sh
customfiles

The sticky bit in VIB files

If a file delivered by a VIB has the sticky (01000) bit set, then changes to the file are tracked. Without the bit set, the file is not editable at all. This mechanism is used by the /sbin/auto-backup.sh script.

e.g.:

~ # ls -al /custom
drwxr-xr-x    1 root     root                512 Jun  1 15:53 .
drwxr-xr-x    1 root     root                512 Jun  1 15:56 ..
-r--r--r--    1 root     root                 14 Jun  1 14:30 myfile
~ # echo "#Extra Line" >> /custom/myfile
-sh: cannot create /custom/myfile: Operation not permitted
~ # chmod 1444 /custom/myfile
~ # ls -al /custom
drwxr-xr-x    1 root     root                512 Jun  1 15:53 .
drwxr-xr-x    1 root     root                512 Jun  1 15:56 ..
-r--r--r-T    1 root     root                 14 Jun  1 14:30 myfile
~ # echo "#Extra Line" >> /custom/myfile
~ # ls -al /custom 
drwxr-xr-x    1 root     root                512 Jun  1 15:57 .
-r--r--r-T    1 root     root                 14 Jun  1 14:30 .#myfile
drwxr-xr-x    1 root     root                512 Jun  1 15:56 ..
-r--r--r-T    1 root     root                 26 Jun  1 15:57 myfile

Notice the .# file. This contains the original contents of the file.

NB, chmod +t could also have been used.
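The ".#" mechanism above can be used to see what has changed in a mounted tardisk since boot. This is added example code, not from the original post or from auto-backup.sh; the demo tree is constructed to mirror the /custom edit shown above.

```shell
#!/bin/sh
# Find files in a mounted tardisk directory that were edited after mount.
# ESXi keeps the original of a sticky-bit file as ".#<name>" next to it, which
# is what /sbin/auto-backup.sh relies on. Added example, not from the post.

# Print "<name> <orig_bytes> <cur_bytes>" for each edited file in $1.
edited_files() {
    dir=$1
    for orig in "$dir"/.#*; do
        [ -f "$orig" ] || continue          # no .# files: the glob stays literal
        name=${orig##*/.#}
        cur=$dir/$name
        [ -f "$cur" ] || continue
        if [ "$(cksum < "$orig")" != "$(cksum < "$cur")" ]; then
            printf '%s %s %s\n' "$name" \
                "$(wc -c < "$orig" | tr -d ' ')" "$(wc -c < "$cur" | tr -d ' ')"
        fi
    done
}

# Regular files in $1 that lack the sticky bit and so cannot be edited in place.
not_editable() {
    find "$1" -type f ! -name '.#*' ! -perm -1000
}

# Constructed demo tree mimicking /custom after the edit shown above.
DEMO=${TMPDIR:-/tmp}/custom.demo
rm -rf "$DEMO" && mkdir -p "$DEMO"
printf '# Custom File\n' > "$DEMO/.#myfile"              # 14 bytes, the original
printf '# Custom File\n#Extra Line\n' > "$DEMO/myfile"   # 26 bytes, after the edit
printf 'untouched\n' > "$DEMO/other"
chmod 1444 "$DEMO/.#myfile" "$DEMO/myfile"
chmod 0444 "$DEMO/other"
echo "Edited since mount:"; edited_files "$DEMO"
echo "Not editable (no sticky bit):"; not_editable "$DEMO"
```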

Creating and Mounting VIB files in ESXi

VIB files are stored in /bootbank and mounted at boot time. A VIB file is a compressed vmtar file (which itself is a variation of a tar file).

Once they're mounted, they also appear in /tardisks.

Here are the files in /bootbank which aren't mounted (not all of them are VIB files):

# cd /bootbank
# for f in *
> do
> if [ ! -r /tardisks/$f ]
> then
> echo $f
> fi
> done
a.b00
b.b00
boot.cfg
k.b00
onetime.tgz
tboot.b00
useropts.gz

e.g., to create a VIB file and mount it:

~ # mkdir /custom
~ # printf "# Custom File\n" > /custom/myfile
~ # tar cvf /tmp/custom.tar custom
custom/
custom/myfile
~ # vmtar -c /tmp/custom.tar -v -o /tmp/custom.vmtar
~ # gzip < /tmp/custom.vmtar > /tmp/custom.v00
~ # vmtar -t < /tmp/custom.v00
drwxr-xr-x 0/0          0 2012-05-01 13:41 ./custom/
-rw-r--r-- 0/0         14 2012-05-01 13:41 ./custom/myfile
~ # cp /tmp/custom.v00 /bootbank

Before mounting it, it is not linked into /tardisks:

~ # ls /tardisks/custom*
ls: /tardisks/custom*: No such file or directory

After mounting, it is:

~ # vmkramdisk /bootbank/custom.v00
~ # ls /tardisks/custom*
/tardisks/custom.v00

And to unmount it:

~ # vmkramdisk -u /tardisks/custom.v00
~ # ls /tardisks/custom*
ls: /tardisks/custom*: No such file or directory