When managing a VMware ESX host, most functions can be done via the VI Client. The VI Client offers an easy-to-use GUI for management and configuration of one or multiple ESX hosts. That said, there are times when connecting to the Service Console of the ESX host is required. Often, multiple administrators will log in to the Service Console as the root (highest level access) user, making it difficult to know which administrator performed any given task.
It is not recommended that all administrators connect to the ESX host as the root user. Further, as a security best practice, connecting to the ESX host via SSH as the root user is restricted by default.
With these restrictions and best practices, how should Service Console access be managed on ESX hosts? In truth, ESX hosts are like all other servers and best practices for security and auditing should be followed – that is, every administrator who has to log in to the ESX host should do so with their own account.
For administrators, managing multiple logins for different systems can be difficult and can lead to the use of weak or shared passwords. To get around this issue with VMware ESX, administrators can enable Active Directory authentication, which allows them to log in with their domain credentials instead of a local Linux account password.
The following steps must be completed on each ESX host in the environment in order to enable AD authentication:
Configure Active Directory Authentication on ESX
Connect to the ESX host as the root user. Issue the following command:
esxcfg-auth --enablead --addomain=ActiveDirectoryDomain --addc=FQDN.of.domain.controller
For example, configuring AD authentication for Kraft Kennedy’s Research domain research.kraftkennedy.com with a domain controller named nyrdc01.research.kraftkennedy.com would look like the following:
esxcfg-auth --enablead --addomain=research.kraftkennedy.com --addc=nyrdc01.research.kraftkennedy.com
Additional domain controllers can be added with further --addc options, and this should be done to provide some redundancy if one domain controller is unavailable.
Create Linux accounts for each administrator that needs to connect to the ESX Service Console
To add the “admin.liebowitz” account to the ESX host, the command would be:
As administrators leave the organization, their accounts can be removed with the following command:
Once authenticated, if additional access is required the administrator can issue the following command to elevate to root level access:
Once the above steps have been completed, administrators can log in to the ESX host via SSH using their AD credentials. This allows organizations to maintain best practices by keeping root level SSH access restricted, and it makes it easier to see which administrators have logged in to a particular server and who elevated to root.
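To show what that auditing gain looks like in practice, here is an added example (not part of the original post) that summarises, from syslog-style lines of the kind the Service Console writes to /var/log/secure and /var/log/messages, which named administrators logged in over SSH, which of them then elevated to root with su, and how many attempts were made to log in directly as root. The log lines, host name, user names and addresses are constructed sample data in that format and are assumptions, not output from a real host.

```shell
#!/bin/sh
# Added example, not from the original post. Constructed sample lines in the
# syslog format used by sshd and su(pam_unix) on the ESX Service Console.
SAMPLE_LOG='Jan 10 09:12:01 esx01 sshd[1234]: Accepted password for admin.liebowitz from 10.0.0.5 port 51234 ssh2
Jan 10 09:12:30 esx01 su(pam_unix)[1250]: session opened for user root by admin.liebowitz(uid=500)
Jan 10 09:40:12 esx01 sshd[1301]: Failed password for root from 10.0.0.9 port 50001 ssh2
Jan 10 10:05:44 esx01 sshd[1402]: Accepted password for admin.smith from 10.0.0.7 port 52200 ssh2
Jan 10 10:06:02 esx01 su(pam_unix)[1410]: session opened for user root by admin.smith(uid=501)
Jan 10 10:30:00 esx01 sshd[1500]: Accepted password for admin.liebowitz from 10.0.0.5 port 53000 ssh2'

# Every function reads log lines from stdin, so the same functions work on the
# real files, e.g.:  ssh_logins < /var/log/secure

# One line per successful SSH login: "<user> <source-ip>"
ssh_logins() {
    awk '/sshd\[[0-9]+\]: Accepted /{ print $9, $11 }'
}

# One line per su to root, naming the admin account that elevated
# (the trailing "(uid=N)" that pam_unix appends is stripped).
root_escalations() {
    awk '/su.*session opened for user root by /{ sub(/\(uid=[0-9]+\)$/, "", $NF); print $NF }'
}

# Number of successful SSH logins per user: "<user> <count>", sorted by user
login_counts() {
    ssh_logins | awk '{ c[$1]++ } END { for (u in c) print u, c[u] }' | sort
}

# Count of SSH attempts (failed or accepted) made directly as root. With root
# SSH access restricted, anything other than 0 here deserves a look.
direct_root_attempts() {
    awk '/sshd\[[0-9]+\]: (Failed|Accepted) .* for root from /{ n++ } END { print n + 0 }'
}

# Stand-alone demo over the constructed sample log.
echo "SSH logins per administrator:"
printf '%s\n' "$SAMPLE_LOG" | login_counts
echo "Administrators who elevated to root:"
printf '%s\n' "$SAMPLE_LOG" | root_escalations
echo "Direct root SSH attempts: $(printf '%s\n' "$SAMPLE_LOG" | direct_root_attempts)"
```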