Windows OS Hub / Virtualization / VMWare / Set up SSH Key-Based Authentication on VMware ESXi

April 11, 2024 VMWare

Set up SSH Key-Based Authentication on VMware ESXi

You can configure SSH key-based authentication to log in to VMware ESXi hosts instead of using a username and password pair. This can be useful if you need to remotely manage an ESXi host using external scripts (for example, to send a shutdown command to ESXi on a power outage event on UPS), or if you need to manage VMware ESXi hosts with Ansible.

Generate private and public keys on the administrator’s computer. Use RSA keys with a minimum length of 4096 bits. To generate a 4096-length RSA key pair on Windows, run the command

ssh-keygen -t rsa -b 4096

Learn more about SSH key-based auth on Windows.

ssh-keygen: generate key pair

It is recommended to use the Ed25519 protocol instead of RSA keys in new OpenSSH builds (use RSA/SHA256 when testing usability of private keys as some systems are starting to disable RSA/SHA1 in libcrypto). In ESXi 8.0, I was only able to establish an SSH connection using the Ed25519 key pair after disabling the FipsMode no option in /etc/ssh/sshd_config.

To generate Ed25519 keys (id_ed25519 and id_ed25519.pub), run:

ssh-keygen -t ed25519

The utility creates two files in the current user’s profile directory (%USERPROFILE%\.ssh):

  • id_rsa – private key
  • id_rsa.pub – public (open) key
If you are using the Puttygen tool to generate keys, you will need to export them in OpenSSH format.

Copy the public key (id_rsa.pub) from your computer to the VMware ESXi host This key must be added to the file /etc/ssh/keys-$USER/authorized_keys. If this is a key for the root user, the path to the file will be as follows: /etc/ssh/keys-root/authorized_keys.

Connect to the ESXi server using SSH.

You can edit the file manually (you can store multiple keys in one file) or add it to the ESXi server by using the PowerShell command:

cat c:\users\admin\.ssh\id_rsa.pub | ssh [email protected] 'cat >> /etc/ssh/keys-root/authorized_keys'

Copy public key to authorized_keys on VMware ESXi

The /etc/ssh/sshd_config file contains the OpenSSH server on the ESXi host.

Use this option to enable or disable root access:

PermitRootLogin yes

Turn off SSH password logins:

ChallengeResponseAuthentication no # deprecated
KbdInteractiveAuthentication no
PasswordAuthentication no

disable keyboard-interactive SSH login in VMware ESXi

Restart SSH server on ESXi:

# /etc/init.d/SSH restart

You can also use VMware Host Profiles to deploy open SSH keys to ESXi hosts (Security Configuration -> SSH authorized key for root user -> Add public key)

VMware Host Profiles: Add public key

You can now connect to the ESXi host without a password using the private key. On Windows computers with ssh-agent enabled, the private key from the user profile is automatically used when connecting to the host:

ssh [email protected]

Log into a ESXi using SSH key

You can also use the -i parameter to specify the path to the private key:

ssh [email protected] -i "C:\Users\administrator\.ssh\id_rsa"

Now you can remotely run any command in the ESXi console. For example, shutdown a specific virtual machine:

ssh [email protected] vim-cmd vmsvc/power.shutdown VMID

0 comment
1
Facebook Twitter Google + Pinterest

Related Reading

How to Migrate (Import) VMs from VMware ESXi...

July 24, 2024

Adding ESXi Host to VMware vCenter Server (vCSA)

March 4, 2024

How to Enable Copy and Paste for a...

January 23, 2024

How to Create a Virtual Machine on VMWare...

January 10, 2024

Managing VMware Infrastructure with Ansible

December 11, 2023

Leave a Comment