Restricting User Authentication and Security Settings (1010027)

Purpose

This article provides information about restricting user authentication and security settings.

Resolution

It is important to restrict user authentication and security settings so that you can tell which users performed which actions.

Controlling SSH remote root login access

In ESX 3.x hosts, SSH remote root login access is disabled by default. If you allow SSH remote root logins to an ESX host service console, you can track where the access to the root account was initiated from, but you cannot track who logged into the root account or which commands were executed. VMware therefore recommends that you restrict SSH remote root logins.
 
SSH remote root login is controlled by the PermitRootLogin parameter in the /etc/ssh/sshd_config file. To restrict SSH remote root logins completely, set the PermitRootLogin parameter to no.
 
To allow or deny SSH remote login for specific users, add the users to the AllowUsers and DenyUsers parameters in the /etc/ssh/sshd_config file.
 
For example: 
 
AllowUsers  msmith johnd jdoe user*
DenyUsers   cclark bbarker user11 gue*

Using the su command

By default, all users can use the switch user (su) command. However, the user issuing the command must know the password of the account to which they are switching.
Commands executed as root are not logged, but all attempts to use the su command to log in (whether successful or not) are logged.
 
To restrict who can use the su command, configure the wheel group in the /etc/group file. Add the appropriate users to the wheel group using either the VMware Infrastructure (VI) Client or a command line to modify the /etc/group file.
Users assigned to the wheel group can use the su command.
 
To enable wheel group authentication using a command line, remove the comment from this line in the /etc/pam.d/su file:
 
#auth       required     /lib/security/$ISA/pam_wheel.so use_uid
 
Do not remove the comment from this line:
 
#auth       sufficient   /lib/security/$ISA/pam_wheel.so trust use_uid
 
Users in the wheel group now have to enter the root password when switching to that account. Attempts to switch to the root account are logged in /var/log/messages.
 
Note: If you uncomment the line that starts with #auth sufficient... the user is not required to enter a password when switching to a new user. Uncommenting this line lowers the overall security of the ESX host service console.
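The SSH and su settings above can be verified from the service console. The following POSIX sh script is an added example (not part of this KB article) that checks a sshd_config for PermitRootLogin, evaluates a user against the AllowUsers/DenyUsers patterns the way sshd does (DenyUsers first, then AllowUsers, with shell-style wildcards), and confirms that /etc/pam.d/su has the required pam_wheel line uncommented and the trust line still commented. It runs against constructed sample copies of both files so it can be tested offline; point it at the real files to audit a host.

```shell
#!/bin/sh
set -f   # no pathname expansion: AllowUsers/DenyUsers patterns such as user* must stay literal

# Constructed samples standing in for /etc/ssh/sshd_config and /etc/pam.d/su.
SSHD_CFG=$(mktemp); PAM_SU=$(mktemp)
trap 'rm -f "$SSHD_CFG" "$PAM_SU"' EXIT
cat >"$SSHD_CFG" <<'EOF'
Port 22
#PermitRootLogin yes
PermitRootLogin no
AllowUsers  msmith johnd jdoe user*
DenyUsers   cclark bbarker user11 gue*
EOF
cat >"$PAM_SU" <<'EOF'
#%PAM-1.0
auth       sufficient   /lib/security/$ISA/pam_rootok.so
auth       required     /lib/security/$ISA/pam_wheel.so use_uid
#auth       sufficient   /lib/security/$ISA/pam_wheel.so trust use_uid
EOF

# Effective value of a sshd_config keyword: the first uncommented occurrence wins, as in sshd.
sshd_value() { awk -v key="$2" 'tolower($1)==tolower(key) {print $2; exit}' "$1"; }

# 0 when remote root login over SSH is fully disabled.
check_root_login() { [ "$(sshd_value "$1" PermitRootLogin)" = "no" ]; }

# 0 when user $2 may log in per the allow/deny lists in $1. A DenyUsers match always
# denies; if AllowUsers is present the user must match one of its patterns.
ssh_login_allowed() {
    for pat in $(awk '$1=="DenyUsers" {for(i=2;i<=NF;i++) print $i}' "$1"); do
        case "$2" in $pat) return 1;; esac
    done
    allow=$(awk '$1=="AllowUsers" {for(i=2;i<=NF;i++) print $i}' "$1")
    [ -z "$allow" ] && return 0
    for pat in $allow; do
        case "$2" in $pat) return 0;; esac
    done
    return 1
}

# 0 when pam.d/su requires wheel membership and the password-bypassing "trust" line is commented.
check_pam_wheel() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+[^[:space:]]*pam_wheel\.so' "$1" || return 1
    ! grep -Eq '^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+[^[:space:]]*pam_wheel\.so.*trust' "$1"
}

check_root_login "$SSHD_CFG" && echo "PermitRootLogin: restricted" || echo "PermitRootLogin: NOT restricted"
for u in msmith user11 user42 guest alice; do
    ssh_login_allowed "$SSHD_CFG" "$u" && echo "ssh $u: allowed" || echo "ssh $u: denied"
done
check_pam_wheel "$PAM_SU" && echo "pam_wheel: enforced" || echo "pam_wheel: NOT enforced"
```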


Using the sudo command
 
 
The sudo command allows a normal user to run commands with root privileges. The sudo command is installed but not configured in ESX hosts. Administrators can configure the commands that may be executed by users on a command-by-command and host-by-host basis. Sudo logs user activities in the /var/log/secure file. Using sudo to run root-privileged commands protects the root account because you do not have to give the root password to anyone.
 
In the /etc/sudoers file, use the text editor visudo to define which users and groups can or cannot run specific commands on which hosts.
 
Here is the syntax of the /etc/sudoers file:
 
<user or group> <host> = (<runas>) <command(s)>
 
Here is an example entry for the /etc/sudoers file:
 
# The % prefix names the test123 group; without it, sudoers would match a user called test123
%test123 ALL = ALL
 
In this example, members of the test123 group can initiate any command on any host as root but will be prompted to enter a password.
 
Note: visudo protects the /etc/sudoers file against multiple simultaneous edits and checks the syntax of your entries.
 
Here is another example:
 
mike svresx3 = /usr/sbin/esxcfg-vmhbadevs
 
In this example, the user mike can run the command esxcfg-vmhbadevs as root on one specific host.

Additional Information

If you are using VMware Capacity Planner, refer to the following VMware Communities post for information on how to configure rules for it: http://communities.vmware.com/docs/DOC-17057
