Posted by: Eric Siebert
By default, ESX hosts do not allow you to log in to the Service Console as the root user via SSH. This is a security measure: root is a superuser account and should generally not be used directly. It is possible to enable root SSH logins by changing a configuration file, but this is not recommended. An alternative is to create a separate user account on the ESX Service Console, connect with it over SSH, and then use the su command (which grants root privileges to a user) to elevate your privileges. To do this, follow the steps below:
1. First, create an account on the ESX host. This can be done in two ways, either by using the Service Console command line or by using the VMware Infrastructure Client (VI Client). To create an account using the command line, log in to the ESX host as root and then type the following commands:
useradd – creates the user account
passwd – sets the password for the user account
To create an account using the VI Client, you need to connect directly to the ESX host with the VI Client (not vCenter Server) and log in as the root user. Next, click on the Users & Groups tab, right-click inside the users pane and select Add. Enter a login name and password and check the Grant Shell Access To This User box. If you want to enter a descriptive name, you can enter one in the username field; this name is not used for logging in. The UID field will automatically populate when you save the account. Once you are done, click the OK button and that's it.
2. Now that we have our new account set up, we are ready to start using it. Let's connect to the ESX host with a client like Veeam's FastSCP, which allows you to elevate your privileges using su after you connect to a host. Run FastSCP and select Add a Server, enter the IP address of the server and select the ESX host option. At the Connection Settings screen, enter the username and password for the new user that you created in the previous step. In the bottom section, select the Elevate Account to Root option and enter the root user account password. At the Web Service credentials screen you can use the root user and password, as this is not used for connecting to SSH.
3. Once you connect to the host, you are using the user account you created earlier instead of the root account.
Please resist the urge to enable root SSH logins on your ESX hosts; set up separate accounts for this purpose instead. It's a security best practice to not use the root account for anything. Instead, use the su command or set up sudo; I'll cover both methods in an upcoming tip on SearchVMware.com.
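To confirm a host is set up the way the steps above describe, the following added example (not part of the original post) checks that root SSH login is still disabled and that the new account is a non-root user with shell access. It assumes the configuration file in question is OpenSSH's sshd_config with its PermitRootLogin directive; the account name vmadmin and the sample files are constructed for illustration.

```shell
# Added example. File paths are arguments, so it can run on copies of a host's files.
# Print the effective PermitRootLogin value from an sshd_config-format file.
# sshd keeps the first value it reads for a keyword and keywords are
# case-insensitive; stop at the first Match block (conditional settings).
permit_root_login() {
    awk '
        { sub(/#.*/, ""); sub(/^[ \t]+/, "") }
        tolower($1) == "match" { exit }
        {
            line = $0; sub(/[ \t]*=[ \t]*/, " ", line)   # accept "Key=value"
            n = split(line, f, /[ \t]+/)
            if (n >= 2 && tolower(f[1]) == "permitrootlogin") { v = tolower(f[2]); exit }
        }
        END { print (v == "" ? "unset" : v) }
    ' "$1"
}

# Succeed if USER in a passwd-format file has UID != 0 and a login shell,
# i.e. it can log in over SSH and then run su.
is_su_capable_user() {   # usage: is_su_capable_user PASSWD USER
    awk -F: -v u="$2" '
        $1 == u { found = 1; ok = ($3 != 0 && $7 != "" && $7 !~ /(nologin|false)$/) }
        END { exit !(found && ok) }
    ' "$1"
}

audit_host() {   # usage: audit_host SSHD_CONFIG PASSWD USER
    prl=$(permit_root_login "$1")
    if [ "$prl" != "no" ]; then
        echo "FAIL: PermitRootLogin is '$prl' (want 'no')"; return 1
    fi
    if ! is_su_capable_user "$2" "$3"; then
        echo "FAIL: '$3' is missing, has UID 0, or has no login shell"; return 1
    fi
    echo "OK: root SSH login disabled; '$3' can log in and use su"
}

# Constructed sample files (not taken from a real host).
make_samples() {   # usage: make_samples DIR
    printf '%s\n' 'Protocol 2' 'permitrootlogin no' 'PermitRootLogin yes' > "$1/sshd_good"
    printf '%s\n' '#PermitRootLogin no' 'PermitRootLogin=yes' > "$1/sshd_bad"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'vmadmin:x:500:500:VM admin:/home/vmadmin:/bin/bash' \
        'svc:x:501:501::/home/svc:/sbin/nologin' > "$1/passwd"
}

d=$(mktemp -d) && make_samples "$d"
audit_host "$d/sshd_good" "$d/passwd" vmadmin
audit_host "$d/sshd_bad" "$d/passwd" vmadmin || true
rm -rf "$d"
```

A result of "unset" means the file does not set the directive, so the effective value is whatever default the installed sshd version applies.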