Home > Virtualization > Hacking ESXi For SSH Login Without Password

Hacking ESXi For SSH Login Without Password

November 22nd, 2013 Leave a comment Go to comments

As a powerful virtualization server, ESXi has a built-in SSH server even though it’s not enabled by default. That is what most system adminstrators use to remotely run commands there. ESXi also has a built-in SSH client so that you can ssh to other servers from ESXi. To use SSH as either server or client, you need to open up firewall. You can use vSphere Client to do it ( on host’s Configuration tab, check out the Security Profile in Software section), or simple with command line as follows.

~ # vim-cmd hostsvc/firewall_enable_ruleset sshServer
~ # vim-cmd hostsvc/firewall_enable_ruleset sshClient

Time to learn how to "Google" and manage your VMware and clouds in a fast and secure


Note: the following firewall_disable_ruleset sub-command is to close up firewall on certain ports in case you want to reverse them. For trying the rest of the commands, don’t run them.

~ # vim-cmd hostsvc/firewall_disable_ruleset sshServer
~ # vim-cmd hostsvc/firewall_disable_ruleset sshClient

If you want to use SSH client in ESXi without password, which is harder than to SSH to it without password, you need to do a bit more work. Most of the tutorials you find will not work because there is no ssh-keygen command in ESXi. The following are the steps on hacking this.

First, find a Linux machine which normally has ssh-keygen already. I here use the SSH server for ESXi. In that Linux machine, login as the user you want to use for logining from ESXi server, say root, and run the ssh-keygen command. When prompted “Enter file in which to save the key (/root/.ssh/id_rsa)”, type in esx_id_rsa. For the rest of the questions, just enter. When it’s done, you will have two more files in the /root/.ssh/ directory: esx_id_rsa and esx_id_rsa.pub. The first is the private RSA key and the second is the public RSA key.

# ssh-keygen

Secondly, copy the public key into the /root/.ssh/authorized_keys file as follows: (don’t use > in place of >>, or you would lose other authorized keys)

# cat esx_id_rsa.pub >> ./authorized_keys

Thirdly, send the private RSA key to the ESXi server. You can use scp from either side. The following is the command from ESXi side. If you don’t have /.ssh directory, create one with mkdir command.

~ # mkdir /.ssh
~ # scp root@ /.ssh/id_rsa

After that, you can use ssh command back to the SSH server

~ # ssh

For the first time, it would check with you whether you want to connect to remote server with printed thumbprint. If can skip it with additional command options, but you can also type yes and the remote server ID will be saved to /.ssh/known_hosts so you won’t be asked again later.

To simplify the process, we use the same Linux machine for key generation and for SSH server. Now that you have the public key and you can send it to whatever remote SSH server and copy (cat) in the ~/.ssh/authorized_keys.

Can you do the same when ESXi as SSH server? In other words, can you login ESXi from another machine without password? Try it out by yourself. It should be easier (Hint, think about /.ssh/authorized_keys).

Categories: Virtualization Tags: , ,
  1. ato
    November 22nd, 2013 at 19:10 | #1

    In ESXi authorized_keys file for root user is located in /etc/ssh/keys-root directory
    so the best way to add your own pub key to it is:

    cat “your-public-key-file” | ssh esxihost “cat – >> /etc/ssh/keys-root/authorized_keys”

    You can also set default user to root if you are logging to esxihost by adding:

    Host esxihost
    User root

    to your ssh config file – ~/.ssh/config so you can simpyi do:

    ssh esxihost


  2. November 24th, 2013 at 22:57 | #2

    Thanks a lot Ato!

    The script is very handy.

    Wish the same password less login is possible with vSphere API to ESXi.


  3. December 5th, 2013 at 07:50 | #3

    Just flew over my head, don’t understand what the queries are meant to do.

  4. GG
    November 4th, 2014 at 03:17 | #4

    What about keychain security?

  1. No trackbacks yet.