
vCLI + ESXCLI Authentication Options

By William Lam, Sr. Technical Marketing Engineer

Did you know that the vCLI (which includes ESXCLI) offers several different authentication options? This is not a very well-known fact, and I thought I'd share some of the options, as this question comes up from time to time.

Note: In the examples below, I am using the vCLI 5.0 release.

1. Traditional username and password – You can either specify both --username and --password, or specify only --username and you will then be prompted to enter your password.

Here is an example:

[Screenshot: Vcli-auth-1]

In the screenshot above, we can specify just --username and be prompted for the password, or we can specify both --username and --password on the command line. If you are using special characters, make sure you either escape them with a backslash character or just enclose the value in single quotes.

2. Session File – Instead of specifying a username/password each time, you can log in once and create a session file, which can then be used for the duration of your tasks. If the session file is not used, it will automatically expire after 30 minutes.

Here is an example:

[Screenshot: Vcli-auth-2]

In the screenshot above, you first create a session file by using the --savesessionfile option and specifying the name of the session file. Once you have successfully created the session file, you can then use the --sessionfile option with the session file itself as your authentication.

3. Environment Variable – You can store your authentication as well as other parameters in environment variables. This option is not very secure for usernames and passwords, as the contents are in clear text.

Here is an example:

[Screenshot: Vcli-auth-3]

In the screenshot above, we are using the export command to create two environment variables for the username and password, VI_USERNAME and VI_PASSWORD. There is a complete list here for more details. You can also create environment variables on a Windows system; refer to the vCLI documentation for an example.

4. Configuration File – You can store your authentication as well as other parameters in a configuration file. This option is also not very secure for credentials, but if you decide to use it, ensure you limit access to the file.

Here is an example:

[Screenshot: Vcli-auth-4]

In the screenshot above, we add the same variables to a configuration file. Again, you can get the full list of variables here.
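As an added example (my own shell helper, not code from the original post or from the vCLI), here is one way to create the configuration file from this section with the access restriction the section asks for, and to audit an existing file for it. It uses the VI_USERNAME and VI_PASSWORD names from the environment-variable section plus VI_SERVER, which I take from the vCLI variable list rather than from this post; the "VARIABLE = value" line format is assumed from the vCLI documentation, and the host name, user, password and file paths are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original post. Writes a vCLI-style
# configuration file (one "VARIABLE = value" per line, as in the vCLI
# docs) with owner-only permissions and checks that an existing file is
# not readable by anyone else. VI_SERVER/VI_USERNAME/VI_PASSWORD are vCLI
# variable names; the path, host and credentials used below are constructed.

# write_vcli_config FILE SERVER USER PASSWORD
# The subshell keeps the restrictive umask from leaking into the caller,
# and the file is created 0600 from the start instead of being chmod'ed
# afterwards, so there is no window in which another user could read it.
write_vcli_config() {
    (
        umask 077
        cat > "$1" <<EOF
VI_SERVER = $2
VI_USERNAME = $3
VI_PASSWORD = $4
EOF
    )
}

# config_is_private FILE
# Returns 0 when the group and other permission bits are all clear
# (columns 5-10 of "ls -l" are dashes), non-zero otherwise. Uses ls
# rather than stat so it behaves the same on GNU and BSD userlands.
config_is_private() {
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# audit_vcli_config FILE
# Prints a one-line verdict; returns 1 for a credential file other users
# can read and 2 if the file does not exist.
audit_vcli_config() {
    if [ ! -f "$1" ]; then
        echo "$1: no such file"
        return 2
    fi
    if config_is_private "$1"; then
        echo "$1: OK (owner-only permissions)"
        return 0
    fi
    echo "$1: WARNING - VI_PASSWORD is readable by other users; run: chmod 600 $1"
    return 1
}

# Stand-alone demo with constructed values.
demo_file=$(mktemp)
write_vcli_config "$demo_file" esxi01.lab.example root 'S3cret!'
audit_vcli_config "$demo_file"
chmod 644 "$demo_file"           # simulate a carelessly created file
audit_vcli_config "$demo_file" || true
rm -f "$demo_file"
```

The same variable names are what the export command sets in the previous section; the only difference is where the clear-text value lives, so the same "who else can read this" question applies to shell history and profile files when you go the environment-variable route.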

5. Credential Store – For service accounts or agents that need to log in through a non-interactive session, you can leverage the credential store, which stores the passwords in an obfuscated (not encrypted) form for access.

Here is an example:

[Screenshot: Vcli-auth-5]

In the screenshot above, we are using the credstore_admin.pl script from the vSphere SDK for Perl to add a host to the credential store. We can verify it with the “list” operation, and finally we can use the credential store by specifying the --credstore option with the default path of the file, /home/<user>/.vmware/credstore/vicredentials.xml.

6. Pass-Through – This option is available only on Microsoft Windows systems which support SSPI (Security Support Provider Interface); it passes the credentials of the executing user to the server. The executing user must have an account in a domain trusted by both machines.

Here is an example:

[Screenshot: Vcli-auth-6]

In the screenshot above, to use the pass-through option you just need to specify the --passthroughauth option. By default, pass-through authentication uses the negotiate package, but you can specify a particular authentication package such as “kerberos” by using the --passthroughauthpackage option.

In addition to these authentication options, there is one new option that is only available with the ESXCLI command and that you may not have heard about. This is the --cacertsfile option, which allows you to specify the CA (Certificate Authority) certificate file, in PEM format, used to verify the identity of the vCenter Server or ESXi system the command runs against. The primary use case for this is to help prevent MITM (Man-In-The-Middle) attacks.

Here is an example:

[Screenshot: Vcli-auth-7]

In the screenshot above, to leverage the --cacertsfile option you need to specify a certificate file in PEM format. You still need to provide credentials to the system using any of the options listed above, in addition to the certificate file.

You can use the following command to convert a *.pfx file to *.pem format:
openssl pkcs12 -in rui.pfx -out rui.pem -nodes

If the certificate cannot be verified, as the screenshot shows, the operation is rejected even with valid credentials; otherwise it proceeds as normal.

As you can see, you have several options for authentication with the vCLI beyond specifying the username and password on the command line. Some options are more secure than others, or fit a particular use case, such as leveraging a session file for a few tasks or using pass-through authentication in a Windows environment. For more details about the vCLI authentication options, please refer here, which also includes the equivalent commands for Windows systems.

FYI – For those studying for the VCAP-DCA exams, I would highly recommend creating a configuration file with the credentials; this way you do not have to retype them each time. I know with a timed exam such as the VCAP-DCA, anything that speeds things up will help.
