Hacking ESXi For SSH Login Without Password
As a powerful virtualization server, ESXi has a built-in SSH server even though it’s not enabled by default. That is what most system adminstrators use to remotely run commands there. ESXi also has a built-in SSH client so that you can ssh to other servers from ESXi. To use SSH as either server or client, you need to open up firewall. You can use vSphere Client to do it ( on host’s Configuration tab, check out the Security Profile in Software section), or simple with command line as follows.
~ # vim-cmd hostsvc/firewall_enable_ruleset sshServer ~ # vim-cmd hostsvc/firewall_enable_ruleset sshClient
Time to learn how to "Google" and manage your VMware and clouds in a fast and secureHTML5 App
Note: the following firewall_disable_ruleset sub-command is to close up firewall on certain ports in case you want to reverse them. For trying the rest of the commands, don’t run them.
~ # vim-cmd hostsvc/firewall_disable_ruleset sshServer ~ # vim-cmd hostsvc/firewall_disable_ruleset sshClient
If you want to use SSH client in ESXi without password, which is harder than to SSH to it without password, you need to do a bit more work. Most of the tutorials you find will not work because there is no ssh-keygen command in ESXi. The following are the steps on hacking this.
First, find a Linux machine which normally has ssh-keygen already. I here use the SSH server for ESXi. In that Linux machine, login as the user you want to use for logining from ESXi server, say root, and run the ssh-keygen command. When prompted “Enter file in which to save the key (/root/.ssh/id_rsa)”, type in esx_id_rsa. For the rest of the questions, just enter. When it’s done, you will have two more files in the /root/.ssh/ directory: esx_id_rsa and esx_id_rsa.pub. The first is the private RSA key and the second is the public RSA key.
Secondly, copy the public key into the /root/.ssh/authorized_keys file as follows: (don’t use > in place of >>, or you would lose other authorized keys)
# cat esx_id_rsa.pub >> ./authorized_keys
Thirdly, send the private RSA key to the ESXi server. You can use scp from either side. The following is the command from ESXi side. If you don’t have /.ssh directory, create one with mkdir command.
~ # mkdir /.ssh ~ # scp email@example.com:/root/.ssh/esx_id_rsa /.ssh/id_rsa
After that, you can use ssh command back to the SSH server
~ # ssh 192.168.8.8
For the first time, it would check with you whether you want to connect to remote server with printed thumbprint. If can skip it with additional command options, but you can also type yes and the remote server ID will be saved to /.ssh/known_hosts so you won’t be asked again later.
To simplify the process, we use the same Linux machine for key generation and for SSH server. Now that you have the public key and you can send it to whatever remote SSH server and copy (cat) in the ~/.ssh/authorized_keys.
Can you do the same when ESXi as SSH server? In other words, can you login ESXi from another machine without password? Try it out by yourself. It should be easier (Hint, think about /.ssh/authorized_keys).