{"id":9462,"date":"2024-04-11T09:05:05","date_gmt":"2024-04-11T09:05:05","guid":{"rendered":"https:\/\/cheapwindowsvps.com\/blog\/how-to-establish-ssh-key-based-authentication-on-vmware-esxi\/"},"modified":"2025-01-20T10:02:25","modified_gmt":"2025-01-20T10:02:25","slug":"how-to-establish-ssh-key-based-authentication-on-vmware-esxi","status":"publish","type":"post","link":"https:\/\/cheapwindowsvps.com\/blog\/how-to-establish-ssh-key-based-authentication-on-vmware-esxi\/","title":{"rendered":"How to Establish SSH Key-Based Authentication on VMware ESXi"},"content":{"rendered":"<p>You can set up SSH key-based authentication for logging into VMware ESXi hosts, bypassing the need for a username and password. This proves beneficial for managed remote access to an ESXi host via external script usage (such as triggering a shutdown command for ESXi during a UPS power outage event), or when you need to <a href=\"https:\/\/woshub.com\/managing-vmware-infrastructure-ansible\/\" target=\"_blank\" rel=\"nofollow noopener\">manage VMware ESXi hosts with Ansible<\/a>.<\/p>\n<p>Generate the private and public keys on the administrator&#8217;s computer. RSA keys should be at least 4096 bits long. To generate a 4096-bit RSA key pair on Windows, run the command below:<\/p>\n<p><code>ssh-keygen -t rsa -b 4096<\/code><\/p>\n<div>Learn more about <a href=\"https:\/\/woshub.com\/using-ssh-key-based-authentication-on-windows\/\" target=\"_blank\" rel=\"nofollow noopener\">SSH key-based auth on Windows<\/a>.<\/div>\n<div>It is recommended to use Ed25519 keys instead of RSA keys in new OpenSSH builds (<em>use RSA\/SHA256 when testing usability of private keys as some systems are starting to disable RSA\/SHA1 in libcrypto<\/em>). 
In ESXi 8.0, I was only able to establish an SSH connection using the Ed25519 key pair after disabling the <code>FipsMode no<\/code> option in <strong>\/etc\/ssh\/sshd_config<\/strong>.<\/div>\n<p>To generate Ed25519 keys (<em>id_ed25519<\/em> and <em>id_ed25519.pub<\/em>), run:<\/p>\n<p><code>ssh-keygen -t ed25519<\/code><\/p>\n<p>The utility creates two files in the current user\u2019s profile directory (%USERPROFILE%\\.ssh):<\/p>\n<ul>\n<li><strong>id_rsa<\/strong> \u2013 private key<\/li>\n<li><strong>id_rsa.pub<\/strong> \u2013 public (open) key<\/li>\n<\/ul>\n<p>If you are using the PuTTYgen tool to generate keys, you will need to export them in OpenSSH format.<\/p>\n<p>Copy the public key (id_rsa.pub) from your computer to the VMware ESXi host. This key must be added to the file <code>\/etc\/ssh\/keys-$USER\/authorized_keys<\/code>. If this is a key for the root user, the path to the file will be as follows: <code>\/etc\/ssh\/keys-root\/authorized_keys<\/code>.<\/p>\n<p>Connect to the <a href=\"https:\/\/woshub.com\/enable-ssh-vmware-esxi\/\" target=\"_blank\" rel=\"nofollow noopener\">ESXi server using SSH<\/a>.<\/p>\n<p>You can edit the file manually (you can store multiple keys in one file) or add the key to the ESXi server by using the PowerShell command:<\/p>\n<p><code>cat c:\\users\\admin\\.ssh\\id_rsa.pub | ssh <a href=\"\/cdn-cgi\/l\/email-protection\" target=\"_blank\" rel=\"nofollow noopener\">[email\u00a0protected]<\/a> 'cat &gt;&gt; \/etc\/ssh\/keys-root\/authorized_keys'<\/code><\/p>\n<p>The <strong>\/etc\/ssh\/sshd_config<\/strong> file contains the configuration of the OpenSSH server on the ESXi host.<\/p>\n<p>Use this option to enable or disable root access:<\/p>\n<pre>PermitRootLogin yes<\/pre>\n<p>Disable SSH password logins:<\/p>\n<pre>ChallengeResponseAuthentication no\nKbdInteractiveAuthentication no\nPasswordAuthentication no<\/pre>\n<p>Restart the SSH server on ESXi:<\/p>\n<p><code># \/etc\/init.d\/SSH restart<\/code><\/p>\n<div>You can also use 
<strong>VMware Host Profiles<\/strong> to deploy public SSH keys to ESXi hosts (Security Configuration -&gt; SSH authorized key for root user -&gt; Add public key).<\/div>\n<p>You can now connect to the ESXi host without a password using the private key. On Windows computers with ssh-agent enabled, the private key from the user profile is automatically used when connecting to the host:<\/p>\n<p><code>ssh <a href=\"\/cdn-cgi\/l\/email-protection\" target=\"_blank\" rel=\"nofollow noopener\">[email\u00a0protected]<\/a><\/code><\/p>\n<p>You can also use the -i parameter to specify the path to the private key:<\/p>\n<p><code>ssh <a href=\"\/cdn-cgi\/l\/email-protection\" target=\"_blank\" rel=\"nofollow noopener\">[email\u00a0protected]<\/a> -i \"C:\\Users\\administrator\\.ssh\\id_rsa\"<\/code><\/p>\n<p>Now you can remotely run any command in the ESXi console. For example, shut down a specific virtual machine:<\/p>\n<p><code>ssh <a href=\"\/cdn-cgi\/l\/email-protection\" target=\"_blank\" rel=\"nofollow noopener\">[email\u00a0protected]<\/a> vim-cmd vmsvc\/power.shutdown VMID<\/code><\/p>\n","protected":false},"excerpt":{"rendered":"<p>You can set up SSH key-based authentication for logging into VMware ESXi hosts, bypassing the need for a username and password. 
This proves beneficial for managed remote access to an ESXi host via external script usage (such as triggering a shutdown command for ESXi during a UPS power outage event), or when you need to [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":9463,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[141],"tags":[],"class_list":["post-9462","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-vmware"],"_links":{"self":[{"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/posts\/9462","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/comments?post=9462"}],"version-history":[{"count":2,"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/posts\/9462\/revisions"}],"predecessor-version":[{"id":10328,"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/posts\/9462\/revisions\/10328"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/media\/9463"}],"wp:attachment":[{"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/media?parent=9462"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/categories?post=9462"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/tags?post=9462"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}