Hopefully everyone is familiar with ESXi's Lockdown Mode and what it means from a security standpoint. Here is a table of the behavior between normal and Lockdown Mode:

In ESXi 5, the use of SSH keys is officially supported without having to manually create any hacks to preserve .ssh directory as you did with prior releases of ESXi. If you use Lockdown Mode, there is an additional caveat to be aware of in which the use of SSH keys is able to by-pass the Lockdown Mode configuration for an ESXi 5 host.

Here is a quick example demonstrating the process from VMware's VCVA (vCenter Virtual Appliance):

Step 1 - Create SSH keys

vcenter50-1:~ # ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
a1:8c:24:60:0e:fe:9a:cf:4a:35:17:d6:89:ba:08:9d [email protected]
The key's randomart image is:
+--[ DSA 1024]----+
|o. |
|=. o . |
| o. .+ o. |
| ..+oo.. . |
|. E=..o S |
|. = + |
| = . |
|. o |
| ..o |

Step 2 - Copy SSH public keys over to destination ESXi 5 host into the authorized file under /etc/ssh/keys-root/authorized_keys

vcenter50-1:~ # scp .ssh/id_dsa.pub [email protected]:/etc/ssh/keys-root/authorized_keys
id_dsa.pub 100% 606 0.6KB/s 00:00

Step 3 - Enable Lockdown Mode via vCenter

Step 4 - SSH into locked down ESXi 5 host utilizing SSH keys

By default the support of SSH is enabled, you will need to manually disable it to ensure that you are fully lockdown when you choose to enable Lockdown Mode. To disable SSH key support, you just need to comment the following line in /etc/ssh/sshd_config

# AuthorizedKeysFile /etc/ssh/keys-%u/authorized_keys

The change takes effect right away and you do not need to restart the SSH daemon.

If you are interested in automatically disabling the use of SSH keys or you would like to copy an existing SSH key into your ESXi 5 host via kickstart, take a look at Automating ESXi 5.x Kickstart Tips & Tricks for more details.

6 thoughts on “SSH Keys & Lockdown Mode Caveat in ESXi 5

  1. I found a mistake in your article. To ENABLE SSH key support you need to un-comment the AuthorizedKeysFile line in /etc/ssh/sshd_config. While commented this will not work. I was bashing my head as to why this wasn’t working until I removed the # from that line. Now all works as expected.

  2. @Kcmjr,

    By default, SSH key support is enabled by default. I meant to say “comment” as the statement showed users how to disable it. I’ve fixed it

  3. A bit dated thread, but hopefully someone is still monitoring :).

    I have an ESXi 5 environment where I am trying to set up ssh keys between two standalone ESXi5 Hypervisors. When setting up keys from one host to the other, the /etc/ssh/keys-root/authorized_keys file survives a reboot, but the corresponding public key which was generated in /.ssh is lost upon reboot. Any suggestions ?

  4. This is great for SSH’ing into an ESXi5 host from another Linux system, but how do you set up ESXi5 so that you can SSH into another Linux box FROM it using keys? ssh-keygen is buried a bit in ESXi5, but it is there. However, there is no /root/.ssh directory to place the id_rsa key into. Once you have placed the id_rsa.pub from an ESXi5 box onto the remote system, where does the local id_rsa private key belong? /.ssh?

Thanks for the comment!