SSH supports public key authentication instead of username/password authentication. This can be very useful for VMware ESXi servers if you want to run scripts from remote machines. In my case I had to configure a Linux server that is connected to a UPS to instruct the ESXi server to shut down in case of a power failure.
I will be using my Linux desktop computer to generate a public and private key, and I will export my public key to the ESXi server. First we’ll generate the keys:
renemolenaar@RMCSWS001 ~ $ ssh-keygen -t rsa -b 4096 -C "RMCSWS001"
Generating public/private rsa key pair.
Enter file in which to save the key (/home/renemolenaar/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/renemolenaar/.ssh/id_rsa.
Your public key has been saved in /home/renemolenaar/.ssh/id_rsa.pub.
The key fingerprint is:
ab:6e:fc:34:4a:ca:7b:3b:97:e1:cd:22:e1:5d:92:82 RMCSWS001
The key's randomart image is:
+--[ RSA 4096]----+
| |
| |
| |
| |
| S |
| + .. |
| . + @=. |
| E o.@==. |
| oX=oo |
+-----------------+
You can see that my computer has generated a public and private key and has stored them in the .ssh directory of my home folder. I used -t to specify that I want an RSA key, and -b sets the key size in bits. With -C I can add a comment, which is useful for recognizing my desktop computer.
Below you can see my public and private key in my home folder:
renemolenaar@RMCSWS001 ~ $ ls -lh /home/renemolenaar/.ssh/
total 24K
-rw------- 1 renemolenaar renemolenaar 3,2K jul 17 15:52 id_rsa
-rw-r--r-- 1 renemolenaar renemolenaar  735 jul 17 15:52 id_rsa.pub
-rw------- 1 renemolenaar renemolenaar 5,1K jul 16 16:52 known_hosts
-rw-r--r-- 1 renemolenaar renemolenaar 4,4K jul 16 11:30 known_hosts.old
Now we can add the public key that I just generated to the /etc/ssh/keys-root/authorized_keys file. You can do this by logging into the ESXi server and opening the file, but we can also run the cat command in combination with SSH:
renemolenaar@RMCSWS001 ~ $ cat /home/renemolenaar/.ssh/id_rsa.pub | ssh root@esxi-host-ip 'cat >> /etc/ssh/keys-root/authorized_keys'
Password:
Now try to access the ESXi server:
ssh root@esxi-host-ip
The time and date of this login have been sent to the system logs.
VMware offers supported, powerful system administration tools. Please see www.vmware.com/go/sysadmintools for details.
The ESXi Shell can be disabled by an administrative user. See the vSphere Security documentation for more information.
~ #
That’s looking good. I can access the server without typing in my username and password! You can see that my public key was stored on the ESXi server:
~ # cat /etc/ssh/keys-root/authorized_keys
ssh-rsa [public key data omitted] RMCSWS001
Now I can run commands on the ESXi server through SSH without typing in my username or password. Here’s an example:
renemolenaar@RMCSWS001 ~ $ ssh root@esxi-host-ip vim-cmd vmsvc/getallvms
Vmid   Name   File                  Guest OS          Version
17     VM1    [300GB] VM1/VM1.vmx   otherLinuxGuest   vmx-09
18     VM2    [300GB] VM2/VM2.vmx   otherLinuxGuest   vmx-07
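A key installed as shown above lets its holder run any command as root, so for a single-purpose job such as the UPS-triggered shutdown it can be limited to one source address and one command. The script below is an added example, not part of the original article: it builds such a restricted authorized_keys line from a public key file and appends it only if the key is not already listed. The address 192.0.2.10, the script path and the sample key are placeholders; from=, command= and the no-* flags are standard OpenSSH authorized_keys options.

```shell
#!/bin/sh
# Added example (not from the original article).

# restricted_entry PUBKEY_FILE SOURCE_IP FORCED_COMMAND
# Prints an authorized_keys line that accepts the key only from SOURCE_IP and
# always runs FORCED_COMMAND, with forwarding and terminals disabled.
restricted_entry() {
    pubkey_file=$1; source_ip=$2; forced_cmd=$3
    # A public key file is one line: "<type> <base64 blob> [comment]".
    [ "$(grep -c '' "$pubkey_file" 2>/dev/null)" -eq 1 ] 2>/dev/null || return 1
    read -r key_type key_blob key_comment < "$pubkey_file" || [ -n "$key_type" ]
    case $key_type in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp*) ;;
        *) return 1 ;;                      # not a recognised public key type
    esac
    case $key_blob in
        ''|*[!A-Za-z0-9+/=]*) return 1 ;;   # blob must be plain base64
    esac
    # A double quote would end an option value early, so refuse it.
    case $source_ip$forced_cmd in *'"'*) return 1 ;; esac
    printf 'from="%s",command="%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty %s %s%s\n' \
        "$source_ip" "$forced_cmd" "$key_type" "$key_blob" "${key_comment:+ $key_comment}"
}

# append_once PUBKEY_FILE ENTRY KEYS_FILE
# Appends ENTRY unless the key's blob is already listed, so repeating the
# install does not stack duplicates the way a bare ">>" does.
append_once() {
    blob=$(awk '{print $2; exit}' "$1")
    if [ -f "$3" ] && grep -qF -- " $blob" "$3"; then
        return 0    # already present: file left untouched
    fi
    printf '%s\n' "$2" >> "$3"
}

# Demo on constructed data; run as "sh thisfile.sh demo".
demo() {
    dir=$(mktemp -d) || return 1
    # Constructed sample key, not a real one.
    echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABc29uc3RydWN0ZWQ= RMCSWS001' > "$dir/id_rsa.pub"
    # 192.0.2.10 and the script path are placeholders (assumptions).
    line=$(restricted_entry "$dir/id_rsa.pub" 192.0.2.10 /path/to/ups-shutdown.sh) || return 1
    append_once "$dir/id_rsa.pub" "$line" "$dir/authorized_keys"
    append_once "$dir/id_rsa.pub" "$line" "$dir/authorized_keys"   # second call is a no-op
    cat "$dir/authorized_keys"
    rm -rf "$dir"
}
if [ "${1:-}" = demo ]; then demo; fi
```

The output of restricted_entry can be piped through the same ssh ... 'cat >> /etc/ssh/keys-root/authorized_keys' command used earlier. An unrestricted line for the same key that is already in the file still grants full access and has to be removed first.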
I hope this example has been useful to you. If you have any questions just leave a comment!