Welcome to VCP4.com !

October 26 2009

vSphere VCP-410 Lab 8 part 1

Exam Objective: Configure Service Console availability

Contents
• Introduction
• Technology Background
• Lab Scenario
• Lab Objectives
• Lab Solution
Introduction

The program SSH (Secure Shell) is a secure replacement for telnet and the Berkeley r-utilities (rlogin, rsh, rcp,
and rdist). It provides an encrypted channel for logging into another computer over a network, executing
commands on a remote computer, and moving files from one computer to another. SSH provides strong host-to-host
and user authentication as well as secure encrypted communications over an insecure Internet.
SSH2 is a more secure, efficient, and portable version of SSH that includes SFTP, which is functionally similar
to FTP, but is SSH2 encrypted.
When connecting to a server for the first time SSH presents you with a host key fingerprint for that server and
asks you to confirm that you wish to save the new host key to the local database. Before agreeing, you should
compare this fingerprint with one you obtain by some other means (e.g., by telephone) from the server
administrators to avoid connecting to an imposter server.
Rather than validating identities via passwords, SSH can also use public key encryption to authenticate remote
hosts. For example, if you were to connect to a remote host called sales.acme.com (also running SSH), SSH
would use this system to verify that the remote system is the real sales.acme.com and not a computer set up to
imitate it. If you wish, you can set up SSH to use public key authentication rather than passwords for logging
into your other accounts, much like the ESX login program.
Technology Background
In ESX 4.0 SSH is blocked by default for the root user, so you need to activate root login on the console of
the ESX server. Otherwise you will not be able to use PuTTY or Veeam FastSCP. The same is the case with
ESXi. Although both ESX versions come with SSH support, it is disabled by default, which generally
means the root user must either authenticate as a standard user and then su to root, or log in directly from the
console.
You can enable SSH on the ESX and ESXi consoles through commands.
You might need SSH in ESX to log in remotely to the console without needing to go physically to the computer
to configure or maintain it. You can use PuTTY to log in remotely to the ESX/ESXi hosts. You can use SSH
directly to log in to the console without specifying the username and password.
Deny SSH access to all but specific IP addresses
You can configure /etc/hosts.allow with 3 specific IP addresses that can SSH to the ESX hosts in the cluster.
You should also configure /etc/hosts.deny with sshd:all, which means that all other IP addresses not configured in
the hosts.allow file will not be able to access the host and will fail with the error “session terminated unexpectedly”.
Only users in the wheel group can su to root
If the sshd_config file is configured with the PermitRootLogin no option, then root is not able to log in to
the service console remotely, e.g. via PuTTY. We can also take additional steps and limit which standard users can
su to root by changing the /etc/pam.d/su file and then adding only specific users to the wheel group. Here’s
what you’ll need to do:
vi /etc/pam.d/su

Then delete the following line
#auth required /lib/security/$ISA/pam_wheel.so use_uid
Once you have done that, you can look at which users are part of the wheel group.
cat /etc/group | grep wheel
which should return the line “wheel:x:10:root”
Now if your standard user is called johnsmith, just add a comma and add johnsmith so it looks like this.
wheel:x:10:root,johnsmith
Now you can add users to the service console, but only user “johnsmith” will be able to su to root.
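
The shell functions below are an added example, not part of the original lab or of any VMware tooling; they check that the three restrictions in this section (PermitRootLogin no, the hosts.allow/hosts.deny pair, and pam_wheel plus the wheel group) are actually in effect. The function names, the file paths passed as arguments and the 192.0.2.x addresses are assumptions made for illustration. The demo runs on constructed sample files in which the pam_wheel line still starts with "#", which PAM treats as a comment, so the audit flags it.

```shell
# Added example, not from the original lab; paths are arguments so it can run on copies.
# sshd uses the first active PermitRootLogin line; require it to be "no".
root_login_disabled() {
    awk 'tolower($1) == "permitrootlogin" { v = tolower($2); exit } END { exit !(v == "no") }' "$1"
}

# pam_wheel restricts su only if its "auth required" line is not a comment.
wheel_enforced() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+[^#]*pam_wheel\.so' "$1"
}

# Members of the wheel group, one per line.
wheel_members() {
    awk -F: '$1 == "wheel" { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$1"
}

# hosts.deny must reject sshd for all clients (sshd:all or ALL:ALL; EXCEPT is not parsed).
ssh_default_deny() {
    grep -Eiq '^[[:space:]]*(sshd|all)[[:space:]]*:[[:space:]]*all([[:space:]]|$)' "$1"
}

# Client patterns hosts.allow admits for sshd, one per line.
ssh_allowed_clients() {
    awk -F: 'tolower($1) ~ /^[ \t]*sshd[ \t]*$/ {
        n = split($2, c, /[ \t,]+/)
        for (i = 1; i <= n; i++) if (c[i] != "") print c[i]
    }' "$1"
}

# Usage: audit_console sshd_config pam_su group hosts.allow hosts.deny
audit_console() {
    rc=0
    root_login_disabled "$1" || { echo "FAIL: root may log in over SSH"; rc=1; }
    wheel_enforced "$2" || { echo "FAIL: pam_wheel inactive, any user may su"; rc=1; }
    ssh_default_deny "$5" || { echo "FAIL: hosts.deny has no sshd:all"; rc=1; }
    echo "su allowed for:" $(wheel_members "$3")
    echo "SSH allowed from:" $(ssh_allowed_clients "$4")
    return "$rc"
}

# Demo on constructed sample files (the pam_wheel line is still commented).
d=$(mktemp -d)
printf 'PermitRootLogin no\n' > "$d/sshd"
printf '#auth required /lib/security/$ISA/pam_wheel.so use_uid\n' > "$d/su"
printf 'wheel:x:10:root,johnsmith\n' > "$d/group"
printf 'sshd: 192.0.2.10, 192.0.2.11, 192.0.2.12\n' > "$d/allow"
printf 'sshd:all\n' > "$d/deny"
audit_console "$d/sshd" "$d/su" "$d/group" "$d/allow" "$d/deny" || echo "audit found problems"
rm -rf "$d"
```

On a host, pass the real files: /etc/ssh/sshd_config, /etc/pam.d/su, /etc/group, /etc/hosts.allow and /etc/hosts.deny.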
