How to Establish SSH Key-Based Authentication on VMware ESXi

You can set up SSH key-based authentication for logging in to VMware ESXi hosts, so that no username and password prompt is needed. This is useful for managed remote access to an ESXi host from external scripts (for example, triggering an ESXi shutdown when a UPS reports a power outage), or when you manage VMware ESXi hosts with Ansible.

Start by generating a private/public key pair on the administrator’s computer. RSA keys should be at least 4096 bits long. To generate a 4096-bit RSA key pair on Windows, run the following command:

ssh-keygen -t rsa -b 4096

Learn more about SSH key-based auth on Windows.
In new OpenSSH builds it is recommended to use Ed25519 keys instead of RSA keys (when testing whether a private key is usable, use RSA/SHA256, because some systems are starting to disable RSA/SHA1 in libcrypto). In ESXi 8.0, I was only able to establish an SSH connection with an Ed25519 key pair after disabling FIPS mode (the FipsMode no option) in /etc/ssh/sshd_config.

To generate Ed25519 keys (id_ed25519 and id_ed25519.pub), run:

ssh-keygen -t ed25519

The utility creates two files (for the RSA command above, id_rsa and id_rsa.pub) in the current user’s profile directory (%USERPROFILE%\.ssh):

  • id_rsa – private key
  • id_rsa.pub – public (open) key

If you use the PuTTYgen tool to generate the keys, you will need to export them in OpenSSH format.

Copy the public key (id_rsa.pub) from your computer to the VMware ESXi host. The key must be added to the file /etc/ssh/keys-$USER/authorized_keys. For the root user, the path is /etc/ssh/keys-root/authorized_keys.

Connect to the ESXi server using SSH.

You can edit the file manually (it can hold multiple keys, one per line) or append the key from your computer with the following PowerShell command (replace <ESXi_IP> with the address of your host):

cat c:\users\admin\.ssh\id_rsa.pub | ssh root@<ESXi_IP> 'cat >> /etc/ssh/keys-root/authorized_keys'

The /etc/ssh/sshd_config file contains the configuration of the OpenSSH server on the ESXi host.

Use this option to enable or disable root access:

PermitRootLogin yes

Disable SSH password logins:

ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
PasswordAuthentication no

Restart the SSH server on ESXi:

# /etc/init.d/SSH restart

You can also use VMware Host Profiles to deploy public SSH keys to ESXi hosts (Security Configuration -> SSH authorized key for root user -> Add public key).
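The ESXi-side steps above (append the public key, disable password logins, restart sshd) combined into one idempotent script, as an added example that is not part of the original article or of VMware's tooling. It is written for the BusyBox sh found on ESXi, defaults to the file paths the article names, and all function and variable names are my own. The sample key in the usage line is only a placeholder path.

```shell
#!/bin/sh
# Added example (not from the article): ESXi-side key deployment and sshd hardening
# as idempotent BusyBox/POSIX sh functions. Paths default to those the article names.

AUTH_KEYS_DEFAULT=/etc/ssh/keys-root/authorized_keys
SSHD_CONFIG_DEFAULT=/etc/ssh/sshd_config

# valid_pubkey_line LINE: accept one OpenSSH public-key line of type
# ssh-ed25519 or ssh-rsa with a base64 blob (an optional comment may follow).
valid_pubkey_line() {
    case "$1" in
        "ssh-ed25519 "*|"ssh-rsa "*) ;;
        *) return 1 ;;
    esac
    set -- $1                       # split into type, blob, [comment]
    [ -n "$2" ] || return 1
    printf '%s' "$2" | grep -Eq '^[A-Za-z0-9+/]+=*$'
}

# add_authorized_key LINE [FILE]: append the key unless the identical line is
# already present. Returns 0 = added, 2 = already present, 1 = rejected.
add_authorized_key() {
    key="$1"; file="${2:-$AUTH_KEYS_DEFAULT}"
    valid_pubkey_line "$key" || return 1
    [ -f "$file" ] || : > "$file"
    if grep -qxF "$key" "$file"; then
        return 2
    fi
    printf '%s\n' "$key" >> "$file"
    chmod 600 "$file"
}

# set_sshd_option NAME VALUE [CONFIG]: replace an existing (possibly
# commented-out) directive, or append it if the file has none.
set_sshd_option() {
    opt="$1"; val="$2"; cfg="${3:-$SSHD_CONFIG_DEFAULT}"
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$opt[[:space:]]" "$cfg"; then
        sed -i -r "s|^[[:space:]]*#?[[:space:]]*$opt[[:space:]].*|$opt $val|" "$cfg"
    else
        printf '%s %s\n' "$opt" "$val" >> "$cfg"
    fi
}

# harden_sshd [CONFIG]: the three directives from the article that disable
# password-based logins. Run this only after a key login has been verified,
# otherwise you can lock yourself out of the host.
harden_sshd() {
    cfg="${1:-$SSHD_CONFIG_DEFAULT}"
    set_sshd_option ChallengeResponseAuthentication no "$cfg"
    set_sshd_option KbdInteractiveAuthentication no "$cfg"
    set_sshd_option PasswordAuthentication no "$cfg"
}

# Usage on the host:  sh esxi_keyauth.sh "$(cat /tmp/id_ed25519.pub)" [--disable-passwords]
if [ "$#" -ge 1 ]; then
    add_authorized_key "$1"; rc=$?
    case "$rc" in
        0) echo "public key added to $AUTH_KEYS_DEFAULT" ;;
        2) echo "public key already present, nothing changed" ;;
        *) echo "rejected: not an ssh-ed25519/ssh-rsa public key line" >&2; exit 1 ;;
    esac
    if [ "${2:-}" = "--disable-passwords" ]; then
        harden_sshd
        /etc/init.d/SSH restart
    fi
fi
```

The script deliberately splits the two actions: adding the key is safe to repeat, while the --disable-passwords step is a second, explicit invocation so that password login is only turned off once a key-based login from the client has succeeded.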

You can now connect to the ESXi host without a password using the private key. On Windows computers with ssh-agent enabled, the private key from the user profile is used automatically when connecting to the host:

ssh root@<ESXi_IP>

You can also use the -i parameter to specify the path to the private key:

ssh root@<ESXi_IP> -i "C:\Users\administrator\.ssh\id_rsa"

Now you can run any command in the ESXi console remotely. For example, to shut down a specific virtual machine by its VMID:

ssh root@<ESXi_IP> vim-cmd vmsvc/power.shutdown VMID
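A non-interactive wrapper around the shutdown command above, written for the script use case from the introduction (a UPS event handler) and added here as an example that is not from the original article. The ssh options are standard OpenSSH; the function names, the placeholder host and the sample vim-cmd vmsvc/getallvms output are my own constructions, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the article): non-interactive VM shutdown over key-based SSH.
# Function names and the sample getallvms output are constructed for illustration.

# Make ssh fail fast instead of waiting at a password or passphrase prompt when
# the key is missing or rejected: a script run from a UPS event must never hang here.
ESXI_SSH_OPTS='-o BatchMode=yes -o IdentitiesOnly=yes -o PasswordAuthentication=no -o ConnectTimeout=10'

# esxi_ssh HOST KEYFILE COMMAND...: run a command on the ESXi host as root.
esxi_ssh() {
    host="$1"; key="$2"; shift 2
    ssh $ESXI_SSH_OPTS -i "$key" "root@$host" "$@"
}

# Constructed sample of `vim-cmd vmsvc/getallvms` output (not from a real host),
# used to exercise the parser below offline.
SAMPLE_GETALLVMS='Vmid       Name         File                                   Guest OS               Version   Annotation
1          dc01         [datastore1] dc01/dc01.vmx             windows9Server64Guest  vmx-19
5          backup-srv   [datastore1] backup-srv/backup-srv.vmx otherLinux64Guest      vmx-19'

# vmid_by_name NAME < getallvms-output: print the Vmid of the VM called NAME.
# Column 2 is the name; VM names containing spaces are not handled here.
vmid_by_name() {
    awk -v want="$1" 'NR > 1 && $2 == want { print $1; found = 1 }
                      END { if (!found) exit 1 }'
}

# shutdown_vm HOST KEYFILE NAME: resolve the VMID remotely, then request a
# guest shutdown. power.shutdown needs VMware Tools in the guest; power.off
# would be a hard power-off.
shutdown_vm() {
    host="$1"; key="$2"; name="$3"
    vmid=$(esxi_ssh "$host" "$key" vim-cmd vmsvc/getallvms | vmid_by_name "$name") || return 1
    esxi_ssh "$host" "$key" vim-cmd vmsvc/power.shutdown "$vmid"
}

# Example invocation (placeholder host and key path):
#   shutdown_vm "<ESXi_IP>" /root/.ssh/id_ed25519 backup-srv
```

Resolving the VMID by name at run time avoids hard-coding an ID that changes when a VM is re-registered, and BatchMode=yes together with IdentitiesOnly=yes ensures that a key problem surfaces as a non-zero exit code rather than a stalled script.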
