Nestled among the many new features and capabilities introduced with vSphere 5.1 are some nice security improvements to the ESXi Shell.  One of the more notable improvements is the ability to assign full admin privileges to named user accounts.  This means there is no longer a dependency on a shared “root” account when working from the ESXi Shell.

Versions of ESXi prior to 5.1 only allow for a single administrative account on the host, and this was of course the “root” user. While it is possible to create named user accounts and to use these accounts to log on to the ESXi Shell and perform many operations, these users are not granted full administrative rights on the host. As such, these named users often need to “su” to root in order to perform privileged operations such as viewing logs, creating a log bundle for support, or running commands like esxtop or vmkfstools. This presents some challenges in terms of both security and auditing. Not only is there an inherent dependency on a shared root account, but key administrative actions performed on the host are logged as “root”, making it difficult to audit individual user activity on the host.

With vSphere 5.1 there is no longer a dependency on a shared root account. ESXi 5.1 now allows assigning full administration rights to named users. With this, users can log on to the ESXi Shell using individual accounts without the need to “su” to root, and because there is no longer a dependency on a shared root account, all actions performed on the host are logged under the named user rather than the shared “root” account. This helps to better secure the host while at the same time improving logging and auditing.
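To make the auditing point concrete, here is an added example (not part of the original post) that runs over a handful of constructed ESXi shell.log lines. It assumes the `/var/log/shell.log` line shape `<timestamp> shell[<pid>]: [<user>]: <command>`; that format is an assumption for this example. It tallies commands per account, counts the lines attributed only to the shared “root” account (the ones that cannot be tied to a person), and lists named users who escalated with “su”, which is exactly the pre-5.1 pattern the post describes.

```shell
#!/bin/sh
# Added example: audit ESXi shell.log lines for shared-root usage.
# Constructed sample lines; the field layout is assumed to be
# "<timestamp> shell[<pid>]: [<user>]: <command>".
SAMPLE_SHELL_LOG='2012-09-10T14:02:11Z shell[12345]: [alice]: esxtop
2012-09-10T14:03:02Z shell[12345]: [alice]: vmkfstools -i src.vmdk dst.vmdk
2012-09-10T14:05:40Z shell[12388]: [bob]: su -
2012-09-10T14:05:48Z shell[12401]: [root]: vim-cmd vmsvc/getallvms
2012-09-10T14:07:13Z shell[12401]: [root]: vm-support
2012-09-10T14:09:00Z shell[12450]: [carol]: tail /var/log/hostd.log'

# Strip the "[user]:" decoration from field 3 and print "user count",
# one line per account, sorted by user name.
shell_log_user_counts() {
  awk '{ u = $3; sub(/^\[/, "", u); sub(/\]:$/, "", u); n[u]++ }
       END { for (u in n) print u, n[u] }' | sort
}

# Number of commands recorded against the shared root account. Each of
# these is an action an auditor cannot attribute to an individual.
shell_log_root_count() {
  awk '$3 == "[root]:" { c++ } END { print c + 0 }'
}

# Named users who escalated with "su": after 5.1, named admins should
# not need this, so any hit is worth a follow-up.
shell_log_su_users() {
  awk '$3 != "[root]:" && $4 == "su" {
         u = $3; sub(/^\[/, "", u); sub(/\]:$/, "", u); print u
       }' | sort -u
}

# Human-readable summary of all three checks for a log fed on stdin.
shell_log_report() {
  log=$(cat)
  echo "Commands per account:"
  printf '%s\n' "$log" | shell_log_user_counts | sed 's/^/  /'
  echo "Commands logged only as root: $(printf '%s\n' "$log" | shell_log_root_count)"
  echo "Named users escalating via su: $(printf '%s\n' "$log" | shell_log_su_users | tr '\n' ' ')"
}

# Stand-alone run uses the constructed sample; on a host you would pipe
# /var/log/shell.log into shell_log_report instead.
printf '%s\n' "$SAMPLE_SHELL_LOG" | shell_log_report
```

On the sample, two of six commands are attributable only to “root”, and bob is flagged for escalating. Once named users hold full admin rights, the expected outcome of the same report is a root count near zero and an empty su list, which is a simple baseline to watch after the upgrade.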

The ability to assign full admin rights to named users helps improve host security and allows you to limit access to the root account. A couple of things to remember when it comes to creating named users on an ESXi host:

  1. You cannot create local ESXi users from the Web Client. To create local users using the UI you need to use the vSphere Client to connect directly to the ESXi host.
  2. You can also use Host Profiles to create local users and assign privileges.  This can be very beneficial if you have a lot of hosts and want to ensure a common set of local user accounts gets created on each.

As an alternative to creating local user accounts on each ESXi host, I would encourage you to consider adding your hosts to Active Directory (AD) instead. This not only enables users to use their existing AD credentials to manage ESXi hosts, but it also simplifies the configuration by eliminating the need to create and maintain local user accounts on each host. I’ll be posting some more info on this, so be sure to check back.