Minimizing access to critical resources is standard practice when securing any system. In this excerpt from Ryan Troy & Matthew Helmke's VMware Cookbook you'll learn how to allow or deny users the use of SSH.
If you want to control which users can access your ESX Server via SSH, configure individual account permissions to allow or deny SSH access to specific users.
For security, it is generally better to create an individual account for each user and to avoid allowing multiple users to have access to the root account. This allows actions to be connected to the people performing them and is especially important for tracking problems in case an administrator “goes rogue.” However, this approach does mean that you have to figure out how to allow these individual accounts to access the server securely.
By using the configuration options built into your SSH server, you can allow specific users to access your ESX Server directly via SSH. To accomplish this, edit the SSH configuration file, located at /etc/ssh/sshd_config. Look for the line that says AllowUsers. If this line is commented out with a #, remove the # sign. If you do not see a line containing this information, make a new line like the example below, making sure to change the usernames according to your needs.
In this example entry, we allow tom, chris, bob and any user whose username starts with the word sysadmin to have SSH access:
AllowUsers tom chris bob sysadmin*
Once you are satisfied, save the configuration (by pressing the :wq! keys in vi). At the command line, restart the sshd daemon to make your configuration changes take effect. To do this, enter either this command:
/etc/init.d/sshd restart
or this one:
service sshd restart
You can also deny specific users permission to access your ESX Server directly with SSH. To do this, look for a line in the /etc/ssh/sshd_config file that says DenyUsers. If it is commented out with a #, remove the # sign. If you do not see a line containing this information, make a new line similar to the one below, remembering to change the usernames according to your needs.
In this example, we deny access to george, todd, tim, and any user whose username starts with b:
DenyUsers george todd tim b*
Keep in mind when using the * wildcard character that, in our example, a user named bob would be denied access even if he is listed in the AllowUsers line like this (that is, the deny rules take precedence over the allow rules):
AllowUsers tom chris bob sysadmin*
Save the file and restart the daemon as before.
The users who have been denied will be barred from logging into the system via SSH, and any login attempts they make will show up in the /var/log/messages file.
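The following is an added example, not code from the book: a small Python checker that reads the AllowUsers and DenyUsers entries out of sshd_config text and applies them in the order sshd does (DenyUsers first, then AllowUsers), so you can confirm who would still get in before restarting the daemon. It assumes plain user patterns (no user@host forms) and uses fnmatch as a stand-in for sshd's own wildcard matcher.

```python
"""Evaluate OpenSSH AllowUsers/DenyUsers rules the way sshd applies them.

sshd checks DenyUsers before AllowUsers (the DenyGroups/AllowGroups
directives come after and are omitted here), so a user matching a
DenyUsers pattern is refused even when also listed under AllowUsers.
"""
from fnmatch import fnmatchcase

# Constructed sshd_config fragment built from the entries in the recipe.
SAMPLE_CONFIG = """\
# A commented-out directive is ignored, just as sshd ignores it
#AllowUsers olduser
AllowUsers tom chris bob sysadmin*
DenyUsers george todd tim b*
"""


def parse_user_rules(config_text):
    """Return (deny_patterns, allow_patterns) from sshd_config text.
    Blank and comment lines are skipped; keywords are matched case-insensitively."""
    deny, allow = [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        key = parts[0].lower()
        if key == "denyusers":
            deny.extend(parts[1:])
        elif key == "allowusers":
            allow.extend(parts[1:])
    return deny, allow


def ssh_login_permitted(username, deny, allow):
    """A DenyUsers match always wins; otherwise, if any AllowUsers line
    exists, the user must match one of its patterns. fnmatchcase stands in
    for sshd's * and ? matcher (assumption: user@host patterns not handled)."""
    if any(fnmatchcase(username, p) for p in deny):
        return False
    if allow and not any(fnmatchcase(username, p) for p in allow):
        return False
    return True


def check_users(config_text, usernames):
    """Map each username to whether this config would let it log in via SSH."""
    deny, allow = parse_user_rules(config_text)
    return {u: ssh_login_permitted(u, deny, allow) for u in usernames}


if __name__ == "__main__":
    results = check_users(SAMPLE_CONFIG, ["tom", "bob", "sysadmin2", "george", "alice"])
    for user, ok in results.items():
        print(f"{user:>10}: {'allowed' if ok else 'denied'}")
```

Before restarting the daemon on the real host, `sshd -t` will also report syntax errors in the edited file without affecting the running service.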
This book provides a look into real-world use of VMware ESX and ESXi, with step-by-step solutions for problems that occur in a wide range of environments. Written by experts with experience using VMware in a production environment, VMware Cookbook shares tips and tricks earned through trial and error, and supplies the background information you need to apply them.