Adding non root access to ESXi

ESXi is POSIX-enough that you can add a user by appending entries to /etc/passwd, /etc/shadow, and /etc/group.

Console Access:

However, to allow the user to log in directly at the console, the /etc/security/access.conf file has to be edited:

/etc/security/access.conf:


SSH Access:

If passwords are used, then the previous change needs to be made. Alternatively, SSH keys can be used.

SSH keys are stored in /etc/ssh/keys-<username>/authorized_keys.

However, that file needs to be owned by the user.


[root@somehost ~]# ssh -v foo@
OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
debug1: Reading configuration data /root/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to [] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type 1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: loaded 3 keys
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.6
debug1: match: OpenSSH_5.6 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug1: kex: client->server aes128-ctr hmac-sha1 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<2048<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:53
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug1: Offering public key: /root/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 277
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
The time and date of this login have been sent to the system logs.

VMware offers supported, powerful system administration tools.  Please
see for details.

The ESXi Shell can be disabled by an administrative user. See the
vSphere Security documentation for more information.

~ $ id
uid=502(foo) gid=502(foo)

~ $ ls -al /etc/ssh/keys-foo
drwxr-xr-x    1 root     root                512 Jun  2 10:19 .
drwxr-xr-x    1 root     root                512 Jun  2 10:12 ..
-rw------T    1 foo      foo                 399 Jun  2 08:43 authorized_keys

~ $ exit 

However, the big problem is that the ownership of files living in VIBs reverts to root at mount time:

~ # ls -al /etc/ssh/keys-foo
drwxr-xr-x 1 root root 512 Jun 2 21:12 .
drwxr-xr-x 1 root root 512 Jun 2 21:12 ..
-rw------T 1 root root 399 Jun 2 18:43 authorized_keys
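The following check is an added example written for this post (not part of the original), to be run from the ESXi Shell after a reboot: it reports, for every /etc/ssh/keys-<user>/authorized_keys, whether the file is still owned by that user and is not readable or writable by group or others, so the ownership reversion shown above is caught before a login fails. It assumes a POSIX or busybox sh whose `ls -l` prints the usual mode/links/owner/group columns; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post. Verifies the condition the post
# describes: /etc/ssh/keys-<user>/authorized_keys must be owned by <user>.

# check_authorized_keys USER DIR
# Returns 0 when DIR/authorized_keys exists, is owned by USER and grants no
# read/write access to group or others; otherwise prints why and returns 1.
check_authorized_keys() {
  user="$1"
  file="$2/authorized_keys"
  [ -f "$file" ] || { echo "FAIL $file: missing"; return 1; }

  # Parse `ls -ld`: mode links owner group size ... (same layout as above).
  # Assumption: ls prints the owner name in the third column.
  set -- $(ls -ld "$file")
  mode="$1"
  owner="$3"

  if [ "$owner" != "$user" ]; then
    echo "FAIL $file: owned by $owner, expected $user (reverted at mount?)"
    return 1
  fi
  # Positions 5,6 (group r/w) and 8,9 (other r/w) must be '-'; the sticky
  # 'T' ESXi puts in position 10 (e.g. -rw------T) is accepted.
  case "$mode" in
    ????--?--?*) ;;
    *) echo "FAIL $file: mode $mode grants group/other access"; return 1 ;;
  esac
  echo "OK $file"
  return 0
}

# check_all_key_dirs [SSH_DIR]
# Walks every keys-<user> directory under SSH_DIR (default /etc/ssh) and
# returns 1 if any of them fails the check above.
check_all_key_dirs() {
  base="${1:-/etc/ssh}"
  rc=0
  for d in "$base"/keys-*; do
    [ -d "$d" ] || continue
    check_authorized_keys "${d##*/keys-}" "$d" || rc=1
  done
  return $rc
}
```

With the listing above, `check_all_key_dirs` would print `FAIL /etc/ssh/keys-foo/authorized_keys: owned by root, expected foo`.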
