You can set up SSH key-based authentication for logging into VMware ESXi hosts, bypassing the need for a username and password. This proves beneficial for managed remote access to an ESXi host via external script usage (such as triggering a shutdown command for ESXi during a UPS power outage event), or when you need to manage VMware ESXi hosts with Ansible.
Initiate the generation of private and public keys on the administrator’s computer. The RSA keys should maintain a minimum length of 4096 bits. To generate an RSA key pair of 4096-length on Windows, execute the below command:
ssh-keygen -t rsa -b 4096
FipsMode no
option in /etc/ssh/sshd_config.
To generate Ed25519 keys (id_ed25519 and id_ed25519.pub), run:
ssh-keygen -t ed25519
The utility creates two files in the current user’s profile directory (%USERPROFILE%.ssh):
- id_rsa – private key
- id_rsa.pub – public (open) key
If you are using the Puttygen tool to generate keys, you will need to export them in OpenSSH format.
Copy the public key (id_rsa.pub) from your computer to the VMware ESXi host This key must be added to the file /etc/ssh/keys-$USER/authorized_keys
. If this is a key for the root user, the path to the file will be as follows: /etc/ssh/keys-root/authorized_keys
.
Connect to the ESXi server using SSH.
You can edit the file manually (you can store multiple keys in one file) or add it to the ESXi server by using the PowerShell command:
cat c:usersadmin.sshid_rsa.pub | ssh [email protected] 'cat >> /etc/ssh/keys-root/authorized_keys'
The /etc/ssh/sshd_config file contains the OpenSSH server on the ESXi host.
Use this option to enable or disable root access:
PermitRootLogin yes
Disable SSH password logins:
ChallengeResponseAuthentication noKbdInteractiveAuthentication no
PasswordAuthentication no
Restart the SSH server on ESXi:
# /etc/init.d/SSH restart
You can now connect to the ESXi host without a password using the private key. On Windows computers with ssh-agent enabled, the private key from the user profile is automatically used when connecting to the host:
You can also use the -i parameter to specify the path to the private key:
ssh [email protected] -i "C:Usersadministrator.sshid_rsa"
Now you can remotely run any command in the ESXi console. For example, shutdown a specific virtual machine:
ssh [email protected] vim-cmd vmsvc/power.shutdown VMID