SSH supports public key authentication instead of username/password authentication. This can be very useful for VMware ESXi servers if you want to run scripts from remote machines. In my case, I had to configure a Linux server connected to a UPS to instruct the ESXi server to shut down in case of a power failure.
I will use my Linux desktop computer to generate a public and private key, and I will export my public key to the ESXi server. First, we’ll generate the keys:
renemolenaar@RMCSWS001 ~ $ ssh-keygen -t rsa -b 4096 -C "RMCSWS001"
Generating public/private rsa key pair.
Enter file in which to save the key (/home/renemolenaar/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/renemolenaar/.ssh/id_rsa.
Your public key has been saved in /home/renemolenaar/.ssh/id_rsa.pub.
The key fingerprint is:
ab:6e:fc:34:4a:ca:7b:3b:97:e1:cd:22:e1:5d:92:82 RMCSWS001
The key's randomart image is:
+--[ RSA 4096]----+
| |
| |
| |
| |
| S |
| + .. |
| . + @=. |
| E o.@==. |
| oX=oo |
+-----------------+
You can see that my computer has generated a public and private key and has stored them in the .ssh directory in my home folder. I used -t to specify that I want an RSA key, and -b sets the key size in bits (4096 here). By using -C, I can add a comment, which is useful for recognizing my desktop computer.
Below you can see my public and private keys in my home folder:
renemolenaar@RMCSWS001 ~ $ ls -lh /home/renemolenaar/.ssh/
total 24K
-rw------- 1 renemolenaar renemolenaar 3,2K jul 17 15:52 id_rsa
-rw-r--r-- 1 renemolenaar renemolenaar 735 jul 17 15:52 id_rsa.pub
-rw------- 1 renemolenaar renemolenaar 5,1K jul 16 16:52 known_hosts
-rw-r--r-- 1 renemolenaar renemolenaar 4,4K jul 16 11:30 known_hosts.old
Now we can add the public key I just generated to the /etc/ssh/keys-root/authorized_keys file. You can do this by logging into the ESXi server and opening the file, but we can also run the cat command in combination with SSH:
renemolenaar@RMCSWS001 ~ $ cat /home/renemolenaar/.ssh/id_rsa.pub | ssh root@esxi-host-ip 'cat >> /etc/ssh/keys-root/authorized_keys'
Password:
Now try to access the ESXi server:
renemolenaar@RMCSWS001 ~ $ ssh root@10.56.200.1
The time and date of this login have been sent to the system logs.
VMware offers supported, powerful system administration tools. Please see www.vmware.com/go/sysadmintools for details.
The ESXi Shell can be disabled by an administrative user. See the vSphere Security documentation for more information.
~ #
That’s looking good. I can access the server without typing in my username and password! You can see that my public key was stored on the ESXi server:
~ # cat /etc/ssh/keys-root/authorized_keys
ssh-rsa [...] RMCSWS001
Now I can run commands on the ESXi server through SSH without typing in my username or password. Here’s an example:
renemolenaar@RMCSWS001 ~ $ ssh root@10.56.200.1 vim-cmd vmsvc/getallvms
Vmid Name File Guest OS Version
17 VM1 [300GB] VM1/VM1.vmx otherLinuxGuest vmx-09
18 VM2 [300GB] VM2/VM2.vmx otherLinuxGuest vmx-07
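A key appended as shown above gives its holder a full root shell on the ESXi host. For a key that only a script uses, the entry can instead be limited to one command and one source address with standard OpenSSH authorized_keys options. The function below is an added example, not part of the original post; it assumes the ESXi sshd honors these options, and the UPS server address 10.56.200.50 in the usage comment is hypothetical.

```shell
#!/bin/sh
# Added example: build a restricted authorized_keys entry for a script-only key.
#
# restricted_key_line PUBKEY_FILE SOURCE_ADDR FORCED_COMMAND
# Prints the entry on stdout; returns non-zero on invalid input.
restricted_key_line() {
    pub_file=$1 source_addr=$2 forced_cmd=$3

    [ -r "$pub_file" ] || { echo "cannot read $pub_file" >&2; return 1; }

    # A .pub file is exactly one line. Anything else (for example the
    # private key picked by mistake) must never be sent to the server.
    [ "$(grep -c '' "$pub_file")" -eq 1 ] ||
        { echo "expected a one-line public key file" >&2; return 1; }

    # Fields: key type, base64 key data, optional comment.
    read -r key_type key_blob key_comment < "$pub_file" || [ -n "$key_type" ]

    case $key_type in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-*) ;;
        *) echo "unexpected key type: $key_type" >&2; return 1 ;;
    esac
    case $key_blob in
        ''|*[!A-Za-z0-9+/=]*) echo "key data is not base64" >&2; return 1 ;;
    esac
    # A double quote or backslash would break the quoting of the options.
    case $source_addr$forced_cmd in
        *\"*|*\\*) echo "quote or backslash in option value" >&2; return 1 ;;
    esac

    # from=     only accept this key from the given address
    # command=  always run this command, whatever the client asks for
    # no-*      no terminal and no forwarding channels
    printf 'from="%s",command="%s",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s %s%s\n' \
        "$source_addr" "$forced_cmd" "$key_type" "$key_blob" \
        "${key_comment:+ $key_comment}"
}

# Usage, mirroring the append step above (10.56.200.50 is an assumed
# address for the machine that runs the script):
#   restricted_key_line ~/.ssh/id_rsa.pub 10.56.200.50 'vim-cmd vmsvc/getallvms' |
#       ssh root@esxi-host-ip 'cat >> /etc/ssh/keys-root/authorized_keys'
```

With such an entry, any login using that key runs only the forced command, so a copy of the private key taken from the script host cannot be used to open an interactive root shell.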
I hope this example has been helpful to you. If you have any questions just leave a comment!