Product Announcements

SSH keys when using Lockdown Mode – A 5.x Hardening Guide update


I was informed today that there is a behavior in the 5.1 through 5.5 Update 1 Hardening Guides that is incorrectly documented.

The two affected guidelines are:

  • ESXi.enable-lockdown-mode
  • ESXi.remove-authorized-keys

The guidance in both is as follows:

Note:  Lockdown mode does not apply to root users who log in using authorized keys. When you use an authorized key file for root user authentication, root users are not prevented from accessing a host with SSH even when the host is in lockdown mode.   

This is not correct. As of 5.1, login with authorized keys is now subject to the same restrictions as username/password logins. In other words, when we say “lockdown mode” we mean it. 🙂

At this time I’m not planning to release an interim update to the guidelines. Consider this blog post your “official” update to 5.1, 5.5 and 5.5U1.

Should I receive a number of other updates to the 5.5U1 guide I’ll consider an interim “5.5U1a” release. These guidelines will be corrected in the next release of the Hardening Guide.

If you have questions/concerns, don’t hesitate to reach out to me. Reply here, send email to mfoley at VMware dot com or reply to @vspheresecurity on Twitter.


Related Articles