Hey guys,
I'm currently trying to set up ssh using shared keys. Here's what I've done:
On Server:
- Enabled ssh through the F2 -> Troubleshooting Options menu
- created a ~/.ssh directory
On desktop:
- ran 'ssh-keygen -f id_dsa'
- copied to ESXi server using: scp id_dsa.pub user@esxhost:~/.ssh/mykey.pub
On Server:
- cat ~/.ssh/mykey.pub >> ~/.ssh/authorized_keys
When I ssh to the ESXi server, it still prompts for passwords. All of the tutorials I have read have been for older versions of ESXi where you have to enable ssh through inetd.conf (my inetd.conf is empty). I'm wondering if there's anything different I should be doing? As far as I can tell, I've done the keys part correctly.
Any advice would be greatly appreciated.
You still need to validate who you are. I wouldn't trust logging in without a prompt, that wouldn't be wise.
Besides, there are tools like Bitvise that can save the password, so when you create sessions it will log in automatically (at least you can password protect your sessions). I don't think PuTTY can do this.
The validation is done through the certificates, you generate a public and private certificate pair, copy the public one to the server you wish to login to without prompt and when you attempt to authenticate, the server checks your public key against the private key generated at the same time.
If you don't already have a certificate on the server, then you need to have the ability to get your certificate copied to it -- either through an administrator, or by password.
So that tool I posted, it doesn't require authentication once you save the session information, wouldn't that amount to the same thing?
Your goal is to simply connect without getting prompted for a password...
It's the same thing except that I have tools I use that employ key auth (i.e. I don't need another app to do auth for me). Since key auth worked on previous versions of ESXi, I was hoping to get it going for 5.
nodice wrote:
It's the same thing except that I have tools I use that employ key auth (i.e. I don't need another app to do auth for me). Since key auth worked on previous versions of ESXi, I was hoping to get it going for 5.
OK, good point. It should work, but since I never had a need for this, I didn't realize 5 wasn't working. Hopefully someone else will have an answer for you.
For ssh logins to use the keys as you wish...
On Server:
- cat ~/.ssh/mykey.pub >> /etc/ssh/keys-root-/authorized_keys
- chmod 600 /etc/ssh/keys-root-/authorized_keys
Once you have done the steps you listed and this step, you should be able
to ssh login (and scp or rsync) without being challenged for a password.
Hope this helps.
Joe
I know, old thread, but a couple of points:
In Joe's solution above, the extra dash (-) after root shouldn't be there. The location of key files is determined by the following entry in sshd_config:
AuthorizedKeysFile /etc/ssh/keys-%u/authorized_keys
%u is a variable for username.
Also, the vSphere security guide offers https put and the vMA vifs command as ways to put user keys on ESXi.
Hope this helps!
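The lookup described in this reply, as an added example that is not part of the original thread: a POSIX sh sketch that reads the AuthorizedKeysFile directive from an sshd_config, expands %u, and checks whether a public key is in the file sshd will actually read. The function names are hypothetical, and it assumes a single uncommented directive with one path that uses only the %u token.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Assumption: AuthorizedKeysFile appears once, uncommented, with one path.

# Print the authorized_keys path sshd uses for USER, expanding %u.
resolve_authorized_keys() {
    config=$1 user=$2
    # sshd_config keywords are case-insensitive; take the first match.
    pattern=$(awk 'tolower($1) == "authorizedkeysfile" { print $2; exit }' "$config")
    [ -n "$pattern" ] || return 1
    printf '%s\n' "$pattern" | sed "s|%u|$user|g"
}

# Return 0 if the key in PUBFILE is present in the file sshd reads for USER,
# 1 if it is missing (for example, appended to ~/.ssh/authorized_keys instead),
# 2 if the config or the public key file could not be interpreted.
key_is_installed() {
    config=$1 user=$2 pubfile=$3
    target=$(resolve_authorized_keys "$config" "$user") || return 2
    # Compare on the base64 key blob (field 2) so the comment field is ignored.
    blob=$(awk 'NR == 1 { print $2 }' "$pubfile")
    [ -n "$blob" ] || return 2
    [ -f "$target" ] || return 1
    grep -qF -- "$blob" "$target"
}

# Demo on a constructed sshd_config holding the directive quoted above.
demo_cfg=$(mktemp)
printf 'AuthorizedKeysFile /etc/ssh/keys-%%u/authorized_keys\n' > "$demo_cfg"
resolve_authorized_keys "$demo_cfg" root
rm -f "$demo_cfg"
```

On a real host, point the first argument at the host's own sshd_config and the third at the public key that was copied over.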
If the key trust is established is anything else required to be prompted for the key phrase?
Just ssh <ESXi host> ?
If the key trust is established then you should just be able to ssh <ESXi box> and you will be logged in without prompt.