Category Archive: IT

Apr 07

Authorized Keys and ESXi 6.0 Update 2 – Changes to OpenSSH

sshWilliam Lam brought up some feedback on Socialcast the other day. The story was of a customer who updated to ESXi 6.0 Update 2 and the SSH keys he was using no longer worked. The customer was advocating for changing the file /etc/sshd_config so that he could continue to use the keys on his ESXi server. IMHO, that’s the wrong course of action.

ESXi 6.0 Update 2 has shipped with an updated version of OpenSSH. The version has been updated to 7.1p1. One of the major changes in this release is the disablement of “ssh-dss” and “ssh-dss-cert-*” (a.k.a DSA) keys. They have also announced the future deprecation of legacy cryptography. I urge you to read more about these changes as they may impact you in other places in your infrastructure.

Now, the customer had added dss keys to the /etc/authorized_keys file so that he could easily log into his ESXi system. Ok, I get that. Adding authorized keys is a supported configuration outlined in this KB.

What happened is that now that ESXi 6.0 U2 is running the new OpenSSH bits his SSH connections were refused. This is expected behavior! This issue could be remediated by generating new keys using RSA keys. As I said above, that is the wrong course of action. You put your ESXi host at risk for convenience?

Please don’t bring up the “but DSA keys are faster/less overhead/etc” argument. I’m pretty darned sure that OpenSSH is using AES-NI instructions (I looked) that are plenty fast for a simple SSH session. Performance is no longer an excuse to use less security! It’s 2016.

Bottom line, if you are using Authorized Keys on your ESXi server and they were generated with DSA keys, it’s time to be proactive and re-generate them with RSA keys.

Final note: Limit who can log into your ESXi host. Only those you trust the most should have access. If you are logging in to “run scripts and stuff” (as many customers tell me they do) then you might want to look into using tools like the vSphere API and scripting tools like PowerCLI or Python.

If you have something you CAN’T do via API or scripting, please let us know! Reply here or send email.

Thanks for reading!

If you liked these posts, please let me know! If you have comments, please reply here, to @vspheresecurity or @mikefoley on Twitter or via email to mfoley@VMware.com or mike@yelof.com

Jan 26

Making Security Easier – An ESXi Fling for US Federal Customers

Running systems in the US Federal Government presents its own unique challenges. From specific system login requirements (CAC/PIV smart cards) to specific regulations like DISA STIG’s, managing systems in this environment comes with a healthy dose of security. Today we’re taking a small step towards making that easier with the introduction of a VMware Fling for ESXi targeting the DISA STIG standards.

DISA STIG

Many of the requirements of a STIG come from years of operational experience with other operating systems. Even though ESXi isn’t Linux, there are some common tools that have specific settings requirements that need to be met by the STIG. This VIB simplifies this process and does it in a more secure manner.

Read the rest of this entry »

Mar 13

vSphere 6.0 Lockdown Modes

Lockdown mode has been around in various forms for many releases. The behaviors have changed a few times since 5.1 with varying levels of usability success. For vSphere 6.0 we are trying to address some of these issues. Personally, what I’d love to see happen with all customers running V6.0 is that you run at a minimum the “Normal” Lockdown Mode.

Read the rest of this entry »

Older posts «