Adding non-root access to ESXi

ESXi is POSIX-enough that you can add a user by hand: append the usual entries to /etc/shadow, /etc/passwd, and /etc/group.

Console Access:

However, for the user to be able to log in directly, /etc/security/access.conf has to be edited as well. The file is evaluated first-match, so the new user's allow rule must come before the closing deny-all line:

/etc/security/access.conf :

+:dcui:ALL
+:root:ALL
+:vpxuser:ALL
+:vslauser:ALL
+:foo:ALL
-:ALL:ALL

SSH Access:

If passwords are used, the access.conf change above is needed here as well. Alternatively, SSH keys can be used.

SSH keys are stored in /etc/ssh/keys-<username>/authorized_keys.

However, sshd only accepts that file if it is owned by the user.

eg:

[root@somehost ~]# ssh -v foo@10.0.0.115
OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
debug1: Reading configuration data /root/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 10.0.0.115 [10.0.0.115] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type 1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: loaded 3 keys
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.6
debug1: match: OpenSSH_5.6 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug1: kex: client->server aes128-ctr hmac-sha1 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<2048<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '10.0.0.115' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:53
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug1: Offering public key: /root/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 277
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
The time and date of this login have been sent to the system logs.

VMware offers supported, powerful system administration tools.  Please
see www.vmware.com/go/sysadmintools for details.

The ESXi Shell can be disabled by an administrative user. See the
vSphere Security documentation for more information.

~ $ id
uid=502(foo) gid=502(foo)

~ $ ls -al /etc/ssh/keys-foo
drwxr-xr-x    1 root     root                512 Jun  2 10:19 .
drwxr-xr-x    1 root     root                512 Jun  2 10:12 ..
-rw------T    1 foo      foo                 399 Jun  2 08:43 authorized_keys

~ $ exit 

However, the big problem is that the ownership of files that come from VIBs is reset to root when the VIB payloads are mounted again at boot, so after a reboot the key file is no longer owned by the user and key login stops working:

~ # ls -al /etc/ssh/keys-foo
drwxr-xr-x    1 root     root                512 Jun  2 21:12 .
drwxr-xr-x    1 root     root                512 Jun  2 21:12 ..
-rw------T    1 root     root                399 Jun  2 18:43 authorized_keys
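The whole procedure above (passwd/shadow/group entries, the access.conf rule, the per-user authorized_keys file) as a shell script, plus a check that detects the ownership reset just shown. This is an added example written for this page, not the post's own commands. The function names, the ROOT prefix argument (so the functions can be dry-run against a scratch directory instead of the live /etc), uid 502 and the sample key are assumptions; the access.conf evaluator is a deliberately simplified model of pam_access that looks at the user field only, which is enough for the file shown on this page because every rule there uses ALL for origins.

```shell
#!/bin/sh
# Added example, not code from the original post: create a non-root ESXi user that
# can log in at the console (access.conf) and over SSH with a key, then check the
# key-file ownership the post identifies as the weak spot.
#
# ROOT is a hypothetical prefix: "/" on a live host (run as root from the ESXi
# shell), or a scratch directory to dry-run the functions without touching /etc.
#
# Live usage:  esxi_add_user / foo 502 "ssh-rsa AAAA... foo@laptop"
set -eu

# esxi_add_user ROOT NAME UID PUBKEY
esxi_add_user() {
    root=$1; name=$2; uid=$3; pubkey=$4
    etc="$root/etc"
    mkdir -p "$etc/security" "$etc/ssh"

    # Refuse to clobber an existing account.
    if grep -q "^$name:" "$etc/passwd" 2>/dev/null; then
        echo "user $name already exists in $etc/passwd" >&2
        return 1
    fi

    # The same three files the post names. The shadow password is locked ('!')
    # because key-based SSH is the goal; run 'passwd NAME' afterwards if a
    # console password is wanted.
    echo "$name:x:$uid:$uid:$name:/:/bin/sh"  >> "$etc/passwd"
    echo "$name:x:$uid:"                      >> "$etc/group"
    echo "$name:!:0:0:99999:7:::"             >> "$etc/shadow"

    # access.conf is evaluated first-match, so the allow rule must be inserted
    # above the closing -:ALL:ALL, not appended after it.
    conf="$etc/security/access.conf"
    [ -f "$conf" ] || echo "-:ALL:ALL" > "$conf"
    awk -v u="$name" '
        /^-:ALL:ALL/ && !done { print "+:" u ":ALL"; done = 1 }
        { print }
    ' "$conf" > "$conf.new" && mv "$conf.new" "$conf"

    # ESXi sshd reads /etc/ssh/keys-NAME/authorized_keys and, per the post, only
    # honours it when NAME owns it. The chown is the step that is lost on reboot.
    keydir="$etc/ssh/keys-$name"
    mkdir -p "$keydir"
    printf '%s\n' "$pubkey" > "$keydir/authorized_keys"
    chmod 600 "$keydir/authorized_keys"
    chown "$name:$name" "$keydir/authorized_keys" 2>/dev/null ||
        echo "warning: could not chown $keydir/authorized_keys to $name" >&2
}

# esxi_access_decision ROOT NAME -> prints "allow" or "deny".
# Simplified first-match model of pam_access for the ESXi file above: user field
# only, because every rule there has ALL as its origin. pam_access allows when
# no rule matches, so that is the fallback here too.
esxi_access_decision() {
    awk -F: -v u="$2" '
        /^[+-]:/ && ($2 == u || $2 == "ALL") {
            r = ($1 == "+") ? "allow" : "deny"
            print r; hit = 1; exit
        }
        END { if (!hit) print "allow" }
    ' "$1/etc/security/access.conf"
}

# esxi_keyfile_owner ROOT NAME -> prints the owner of the user's authorized_keys.
# Re-run this after a reboot: if it prints "root" instead of NAME, the reset the
# post describes has happened and key login will fail until ownership is restored.
esxi_keyfile_owner() {
    ls -ld "$1/etc/ssh/keys-$2/authorized_keys" | awk '{ print $3 }'
}
```

When the functions are dry-run in a scratch directory as an ordinary user, the chown cannot succeed (there is no system user `foo`), so the warning is printed and `esxi_keyfile_owner` reports the caller instead of `foo`; that is the same symptom a root-owned key file shows on a rebooted host, which is exactly what the check is for.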