In vSphere 6.0 we now have a new concept called Exception Users. The intent of Exception Users is that they are not general admin users. I would consider them more of a “Service Account” type of access.
As a matter of fact, just the other day I got an email from someone internal at VMware that brought up a great use case for Exception Users. They were talking to a customer that wanted to access ESXi via a PowerCLI cmdlet (Get-VMHostAccount) to list out the local accounts on an ESXi server as part of their normal security reporting.
But they also wanted to enable Lockdown Mode and were finding it difficult to comply with both things. In vSphere 6.0 this is now much easier to address. Let’s get started.
Steps I took
Exception users can be local accounts on the ESXi server or Active Directory accounts if your ESXi server is joined to a domain and you want to centralize account management.
In the following example I’m going to show using Exception Users Active Directory accounts but first I’m going to take a quick segue and show you how to create local users using some of the new functionality of ESXCLI. I’ll also provide an example on how to create a local user account using PowerCLI.
Local Account Creation
I’m going to create the local account using the new ESXCLI commands for managing ESXi accounts. You’ll note a new feature where in order to connect to the ESXi server you need to provide the SSL certificate Thumbprint of the ESXi server. A blog about ESXCLI security features will come at a later date.
Creating local account using ESXCLI
Running commands without the thumbprint will look like this:
```shell
esxcli --server 192.168.8.30 --username root --password VMware1! system account list
```

```text
Connect to 192.168.8.30 failed. Server SHA-1 thumbprint: 4C:72:DD:E2:66:8B:98:FA:D8:AE:CE:57:03:21:88:EE:4A:D7:5F:9F (not trusted).
```
Now let's run the command with the thumbprint and get the results. (This is on Windows; on Unix/Linux use the export command instead of set.)
```shell
set VI_THUMBPRINT=4C:72:DD:E2:66:8B:98:FA:D8:AE:CE:57:03:21:88:EE:4A:D7:5F:9F
esxcli --server 192.168.8.30 --username root --password VMware1! system account list
```

```text
User ID         Description
--------------  -------------------------------------------
root            Administrator
dcui            DCUI User
vpxuser         VMware VirtualCenter administration account
testuser        testuser
```
```shell
esxcli --server esxi-a.lab.local -u root -p VMware1! system account add --id serviceaccount --description "Test Service Account" --password="uZ>{czY69EcX" --password-confirmation="uZ>{czY69EcX"
esxcli --server 192.168.8.30 --username root --password VMware1! system account list
```

```text
User ID         Description
--------------  -------------------------------------------
root            Administrator
dcui            DCUI User
vpxuser         VMware VirtualCenter administration account
testuser        testuser
serviceaccount  Test Service Account
```
Here’s how that looks
For those that like to cut and paste the code above please note that HTML converts two dashes to one. See the image above to see the use of single and double dashes.
Creating local account using PowerCLI
joined to the domain I did not need to provide credentials
```powershell
Connect-VIServer esxi-a.lab.local
New-VMHostAccount -password lkjs41!! -Description "Test account" -useraccount testuser2
```
Active Directory account
I created a new user in Active Directory. In my example it's called [email protected]. This should be considered a "Service Account" that the script used to poll the ESXi servers will run under. It should not be used for interactive logins.
Roles and Permissions
To follow the least privilege model I created a role called “Modify Permission Role” with the “Permission…Modify Permission” permission. This is done not on vCenter but on the ESXi host directly.
Why not in vCenter? Because when an ESXi server is in Lockdown Mode, it cannot be managed directly. The Exception User bypasses this restriction. Lockdown Mode has no effect on managing a host via vCenter provided the user has the right permissions at the vCenter level.
Why an Active Directory account? Because, while I can create a local user, AD gives me the ability to manage one account centrally. Like many security situations, it’s your preference how you want to do this. For some, this type of account HAS to be a local user. I’m not here to judge!
Modify Permissions?
Why not “Read Only”? Because the task of listing the local users according to the vSphere API requires this permission. Now, I’m sure many will say “OMG, granting a service account a “modify” role??”. Not to worry. When the host is in Lockdown Mode, the user cannot add any permissions.
When out of Lockdown Mode the account is only able to modify permissions of accounts that hold its role or less. It can never elevate permissions nor can it lower permissions of an account with greater privileges. It can elevate a user from “No access” to its current role and no further. Bottom line, I can’t make someone an admin unless I’m an admin too. Here’s the error I’ll get if I try:
Now that the permissions are clarified, I assigned the [email protected] user the Modify Permissions Role in ESXi.
Enabling Lockdown Mode
Now from the Web Client we’ll enable Normal Lockdown Mode.
And add [email protected] to the Exception Users List
And verify the user is on the list
You can add a user to the Exception Users list with Powershell/PowerCLI by calling UpdateLockdownExceptions. Many thanks to Wouter Kursten for hunting that down.
```powershell
# $vCenter is the connected vCenter, $vmhost the ESXi host object from Get-VMHost,
# and $accountName the user to add to the Exception Users list
$HostAccessManager = Get-View -Server $vCenter $vmhost.ExtensionData.ConfigManager.HostAccessManager
$HostAccessManager.UpdateLockdownExceptions($accountName)
```
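As an added example (not code from the post), here is the whole sequence scripted through the same HostAccessManager view: merge the service account into the existing exception list, switch the host to Normal Lockdown Mode, and read the state back to confirm it. The vCenter name, host name and account name are placeholders.

```powershell
# Added example: add an exception user and enable Normal Lockdown Mode on one host.
# Placeholder values (assumed, adjust to your environment):
$vCenter     = "vcenter.lab.local"
$hostName    = "esxi-a.lab.local"
$accountName = "svc-esxi-report@lab.local"   # assumed AD service account

Connect-VIServer -Server $vCenter | Out-Null

$vmhost     = Get-VMHost -Name $hostName
$hostAccess = Get-View -Server $vCenter -Id $vmhost.ExtensionData.ConfigManager.HostAccessManager

# 1. Add the account to the exception list first, so it is never locked out
#    between the two steps. UpdateLockdownExceptions is given the complete
#    list, so merge with what is already there instead of overwriting it.
$current = @($hostAccess.QueryLockdownExceptions())
if ($current -notcontains $accountName) {
    $hostAccess.UpdateLockdownExceptions($current + $accountName)
}

# 2. Enable Normal Lockdown Mode (use "lockdownStrict" for Strict mode).
if ($hostAccess.LockdownMode -ne "lockdownNormal") {
    $hostAccess.ChangeLockdownMode("lockdownNormal")
}

# 3. Refresh the view and report the final state for the change record.
$hostAccess.UpdateViewData()
[PSCustomObject]@{
    Host         = $hostName
    LockdownMode = $hostAccess.LockdownMode
    Exceptions   = ($hostAccess.QueryLockdownExceptions() -join ", ")
}
```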
Verify Permissions
To show that [email protected] is unable to see anything other than read-only host information I logged in to the Web Client and tried to look at Virtual Machines and Templates. Because it has no permissions assigned at the vCenter level, it’s unable to view anything. Because of this they are unable to change any settings (like Lockdown Mode) on the ESXi host.
Because [email protected] isn't in the DCUI.Access list, they have no ability to log into ESXi's Direct Console User Interface (DCUI) and exit Lockdown Mode. See in the image below that only the local "root" account has that capability. This is used purely as an example. You may not want to run with that in your environment. It's always best practice to use named accounts that can be tied to an individual. VMware recommends using the Active Directory integration built into ESXi.
Note that while “root” can access the DCUI console of the ESXi server it cannot SSH into the ESXi server because the host is in Lockdown mode and it is not on the Exception User list.
Only users on the Exception List can log into the ESXi server. And only Exception Users that are administrators can log in via SSH! Here you’ll see that accessing the host via PowerCLI will provide the list of local users on the ESXi host.
Note: When you run “Get-VMHostAccount” you only get the list of LOCAL users. You won’t get a list of AD users that have roles and permissions on the host. For that you can use the Get-VIPermission cmdlet.
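The reporting job from the use case at the top of the post, as an added example that is not the post's own code: it connects to each host directly as the exception-user service account, lists the local accounts with Get-VMHostAccount, pulls role assignments (local and AD) with Get-VIPermission, and separately flags principals holding the Administrator role, since those are the only ones able to use SSH. Host names are placeholders; the credential is prompted for.

```powershell
# Added example: security report run under the exception-user service account.
# Placeholder host list (assumed); the account must be on each host's Exception
# Users list, otherwise the direct connection fails while Lockdown Mode is on.
$hosts = @("esxi-a.lab.local", "esxi-b.lab.local")
$cred  = Get-Credential -Message "Exception-user service account"

foreach ($h in $hosts) {
    try {
        $srv = Connect-VIServer -Server $h -Credential $cred -ErrorAction Stop
    } catch {
        # Typically: account not an exception user on this host, or host unreachable.
        Write-Warning "$h : connect failed - $($_.Exception.Message)"
        continue
    }

    # Local accounts only; AD users never appear here.
    $local = Get-VMHostAccount -Server $srv -User
    # Everyone holding a role on the host, local or AD.
    $perms = Get-VIPermission -Server $srv

    foreach ($a in $local) {
        [PSCustomObject]@{
            Host      = $h
            Kind      = "LocalAccount"
            Principal = $a.Id
            Role      = (($perms | Where-Object { $_.Principal -eq $a.Id }).Role -join ",")
            Note      = $a.Description
        }
    }
    # Full Administrators are the only principals that can open SSH sessions.
    foreach ($p in ($perms | Where-Object { $_.Role -eq "Admin" })) {
        [PSCustomObject]@{
            Host      = $h
            Kind      = "AdminRole"
            Principal = $p.Principal
            Role      = $p.Role
            Note      = "SSH-capable if also an exception user"
        }
    }

    Disconnect-VIServer -Server $srv -Confirm:$false
}
```

Pipe the output to Export-Csv to keep a dated copy per run; diffing successive runs shows new local accounts or new Administrator assignments.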
To get the list of Exception Users via PowerCLI, run the following code snippet either against the ESXi host directly or against vCenter.
```powershell
#Run this at the vCenter level or against an individual host
$esxihosts = get-vmhost
foreach ($esxihost in $esxihosts) {
    $myhost = Get-VMHost $esxihost | Get-View
    $lockdown = Get-View $myhost.ConfigManager.HostAccessManager
    Write-Host "--------------------------------"
    #Get a list of the Exception Users
    Write-Host "List of Exception Users on " $esxihost
    $lockdown.QueryLockdownExceptions()
    Write-Host "--------------------------------"
}
```
You should get something like this:
Note that I had added root to this list during the production of this blog. That’s not something you should do normally.
See my blog article on Granting Shell Access for more information on why a user needs the full Administrator role to enable SSH access. There’s no specific permission nor can you clone the role. It has to be the Administrators role. If you have a use case where you need SSH access to an ESXi server to run a task that you can’t get via the vSphere API, I’d really like to hear about it!
Video
Here's a video of one of our awesome engineers, Kalyan, describing how the new Lockdown Modes and Exception Users work. It's a quick 2:48 overview of what you've just learned. Enjoy and great job Kalyan!
https://www.youtube.com/watch?v=vC5VyUGB2Zk&feature=youtu.be
Recap
- Went over the two types of Lockdown Mode, Normal and Strict
- Showed how to create Local Users using ESXCLI and PowerCLI
- Showed how to enable Lockdown Mode via the published interfaces
- Provided a code snippet to get the list of Exception Users via PowerCLI
- We’ve created a Service Account user, CIMUSER in AD
- Assigned the account a Read-Only role at the Cluster (ie: Host) level
- Enabled Normal Lockdown Mode
- Added CIMUSER to the Exception List
- Verified that CIMUSER can connect and can only see Read-Only information about hosts.
- Shown that CIMUSER can access the information needed via the vSphere API leveraging PowerCLI
- Shown that CIMUSER cannot SSH into the ESXi host