Posted on 25 July, 2012 by Kyle Gleed, Sr. Technical Marketing Architect, VMware
I came across this question today: “How do I setup password free SSH access to my ESXi hosts”. A quick Google search turned up a lot of good info on this topic, but I didn’t find anything on the vSphere blog so I wanted to chime with a quick post, and hopefully add to what’s already out there.
When people ask “how” to enable password free SSH, the question I always ask in return is “should" you enable password free SSH? In most situations I would dare say the answer is probably not. I often find that the decision to enable password free access is not based on any real requirement, but rather is done for the sake of convenience – admins want easy access to their vSphere hosts. In my opinion, this is a case where security should trump convenience. However, having said that I do realize that there are valid situations where SSH access is unavoidable, and depending the situation it might make sense to enable password free access. My point here is that just because you can setup password free SSH doesn’t mean it’s a good idea. Keep in mind, once you enable password free SSH:
Anybody with access to the root account on the remote host will have full root access to your ESXi host.
Root users allowed password free access to ESXi are not affected by password changes.
Root users allowed password free access to ESXi are not affected by lockdown mode.
With that I’ll jump down off my soapbox and go over the steps to enable password free SSH. It’s really pretty easy. Two basic steps:
1. On the remote host use “ssh-keygen” to create a private/public key pair. You can use an RSA or DSA token. Make sure you leave the passphrase empty/blank.
2. Next, append the user’s public key (created by the ssh-keygen tool) to the /etc/ssh/keys-root/authorized_keys file on the ESXi host. Here’s an easy way to do this (I got this nifty syntax from here):
With the remote host’s public key stored in the "authorized_keys" file, anytime this user SSH's to the vSphere host instead of prompting for a password the host will check the remote users public key against what's in the authorized_keys file, and if a match is found access is allowed.
Note: I've seen a few articles that mentioned the need to edit the /etc/ssh/sshd_config file. On ESXi 5.0 you do not need to edit the sshd_config file. The file is already configured to allow password free SSH. All you need to do is load the user's public keys into the /etc/ssh/keys/authorized_keys file.
