VMware ESXi SSH Public Key Authentication

SSH supports public key authentication instead of username/password authentication. This can be very useful for VMware ESXi servers if you want to run scripts from remote machines. In my case, I had to configure a Linux server connected to a UPS to instruct the ESXi server to shut down in case of a power failure.

I will use my Linux desktop computer to generate a public and private key, and I will export my public key to the ESXi server. First, we’ll generate the keys:

renemolenaar@RMCSWS001 ~ $ ssh-keygen -t rsa -b 4096 -C "RMCSWS001"
Generating public/private rsa key pair.
Enter file in which to save the key (/home/renemolenaar/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/renemolenaar/.ssh/id_rsa.
Your public key has been saved in /home/renemolenaar/.ssh/id_rsa.pub.
The key fingerprint is:
ab:6e:fc:34:4a:ca:7b:3b:97:e1:cd:22:e1:5d:92:82 RMCSWS001
The key's randomart image is:
+--[ RSA 4096]----+
|                 |
|                 |
|                 |
|                 |
|        S        |
|      + ..       |
|   . + @=.       |
|  E o.@==.       |
|    oX=oo        |
+-----------------+

You can see that my computer has generated a public and private key and has stored them in the .ssh folder in my home directory. I used -t to specify that I want an RSA key, and -b sets the key length in bits. With -C, I can add a comment, which is useful to recognize which computer the key belongs to.

Normally, it would be better to specify a passphrase. I didn't do it for this example, but it means that everyone with access to my desktop computer (or a copy of the id_rsa file) will be able to SSH into the ESXi host. If you do set a passphrase, you can keep it loaded in an SSH key agent such as ssh-agent so you don't have to type it for every connection.

Below you can see my public and private keys in my home folder:

renemolenaar@RMCSWS001 ~ $ ls -lh /home/renemolenaar/.ssh/
total 24K
-rw------- 1 renemolenaar renemolenaar 3,2K jul 17 15:52 id_rsa
-rw-r--r-- 1 renemolenaar renemolenaar  735 jul 17 15:52 id_rsa.pub
-rw------- 1 renemolenaar renemolenaar 5,1K jul 16 16:52 known_hosts
-rw-r--r-- 1 renemolenaar renemolenaar 4,4K jul 16 11:30 known_hosts.old

Now we can add the public key I just generated to the /etc/ssh/keys-root/authorized_keys file on the ESXi server. You can do this by logging into the ESXi server and editing the file, but we can also pipe the output of the cat command through SSH:

renemolenaar@RMCSWS001 ~ $ cat /home/renemolenaar/.ssh/id_rsa.pub | ssh root@esxi-host-ip 'cat >> /etc/ssh/keys-root/authorized_keys'
Password:

Now try to access the ESXi server:

renemolenaar@RMCSWS001 ~ $ ssh root@10.56.200.1
The time and date of this login have been sent to the system logs.

VMware offers supported, powerful system administration tools. Please
see www.vmware.com/go/sysadmintools for details.

The ESXi Shell can be disabled by an administrative user. See the
vSphere Security documentation for more information.
~ #

That’s looking good. I can access the server without typing in my username and password! You can see that my public key was stored on the ESXi server:

~ # cat /etc/ssh/keys-root/authorized_keys 
ssh-rsa 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 RMCSWS001

Now I can run commands on the ESXi server through SSH without typing in my username or password. Here’s an example:

renemolenaar@RMCSWS001 ~ $ ssh root@10.56.200.1 vim-cmd vmsvc/getallvms
Vmid   Name   File                  Guest OS          Version
17     VM1    [300GB] VM1/VM1.vmx   otherLinuxGuest   vmx-09
18     VM2    [300GB] VM2/VM2.vmx   otherLinuxGuest   vmx-07
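The append-and-verify steps above, as a small POSIX shell helper that I have added here (it is not part of the original post or of ESXi): it checks that the line really is a single OpenSSH public key, appends it only if the same key is not already present, fixes the file mode, and uses BatchMode so the verification step fails instead of silently falling back to a password prompt. The host address and key path in install_key_on_esxi are assumptions.

```shell
#!/bin/sh
# Return 0 if the argument looks like one OpenSSH public key entry:
# "<type> <base64 blob> [comment]".
is_pubkey_line() {
  case "$1" in
    ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-nistp256\ *) ;;
    *) return 1 ;;
  esac
  set -- $1
  [ $# -ge 2 ] && printf '%s' "$2" | grep -Eq '^[A-Za-z0-9+/]+=*$'
}

# key_present FILE TYPE BLOB: 0 if the same key (ignoring the comment)
# is already in FILE. The comment is ignored so a re-run with a new
# comment does not create a duplicate entry.
key_present() {
  [ -f "$1" ] && awk -v t="$2" -v b="$3" \
    '$1==t && $2==b {found=1} END {exit !found}' "$1"
}

# add_authorized_key FILE KEYLINE: 0 appended, 1 already there, 2 invalid.
add_authorized_key() {
  file=$1; key=$2
  is_pubkey_line "$key" || return 2
  set -- $key
  if key_present "$file" "$1" "$2"; then
    return 1
  fi
  printf '%s\n' "$key" >> "$file"
  chmod 600 "$file"
}

# Assumed usage: push the local public key to an ESXi host with the same
# cat | ssh trick as in the post, then prove key-only login works.
# BatchMode=yes makes ssh exit non-zero rather than ask for a password.
install_key_on_esxi() {
  host=$1; pub=${2:-$HOME/.ssh/id_rsa.pub}
  ssh "root@$host" 'cat >> /etc/ssh/keys-root/authorized_keys' < "$pub" &&
  ssh -o BatchMode=yes -o PasswordAuthentication=no "root@$host" \
    'vim-cmd vmsvc/getallvms'
}
```

If install_key_on_esxi fails on the second ssh, the key was not accepted (wrong file, wrong permissions or a malformed line) and password login is still the only way in.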

I hope this example has been helpful to you. If you have any questions just leave a comment!