Welcome to this Tips & Tricks document for VMware ESX Server. All information in this document is provided as is. No warranties can be given. If you would like to provide feedback on this document, please email the_anykey@hotmail.com. The plan is that this document will be updated continuously, so please check http://www.run-virtual.com for the latest version.
Under this section you will find useful settings you can apply to your ESX Server environment to limit certain access. Keep in mind that giving a user access to your ESX Server to manage virtual machines will, by default, also allow this user to create virtual machines, accidentally power off a virtual machine or do other ‘stupid’ things. This section will help you secure your server against these things.
How-to: Give a user Remote Console access and nothing else
If you want a user to ONLY have Remote Console access to your virtual machines, you need to lock down several services for this user.
1. Restrict shell access
To make sure a user cannot log in using Telnet or SSH, you can change the user's default shell. This is configured in the /etc/passwd file. Change the user's shell there from /bin/bash to /bin/false; the user will then no longer be able to log in to any shell.
2. Restrict access for the user to the MUI (the ESX Server web interface)
By default any user can log in to the MUI and also create new virtual machines, which of course can cause security dilemmas. To disable access to the MUI for a specific user, you have to change the login.js file that handles the login request of the website. Note that this check is JavaScript that runs in the user's browser; it blocks the normal login page but is not a server-side access control.
Change file: /usr/lib/vmware-mui/apache/htdocs/vmware/src/login.js
The block that checks for the username richard is added to the file, to restrict access for that user:
function validate() {
    // Original check: a username must be entered.
    if (!document.u.v.value) {
        alert("Please enter a username.");
        document.u.v.focus();
        return false;
    }
    // Added check: refuse the login form for the user richard.
    if (document.u.v.value == "richard") {
        alert("Piss off, you can only use the remote console");
        document.u.v.focus();
        return false;
    }
    return true;
}
Alternatively, you can deny every user access to the MUI, except for certain users. To do this, use the following example:
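function validate() {
    // Original check: a username must be entered.
    if (!document.u.v.value) {
        alert("Please enter a username.");
        document.u.v.focus();
        return false;
    }
    // Only root is allowed to continue to the login.
    if (document.u.v.value == "root") {
        return true;
    }
    // Every other username is refused.
    alert("Only root can login to the MUI");
    document.u.v.focus();
    return false;
}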
In the Remote Console client you will find a button called Power-Off. This button is very dangerous, because it will kill your virtual machine directly without asking you if you really wanted this to happen. So if this is your production virtual machine, it will suddenly be bye-bye.
There are 2 ways to protect your Virtual Machine from this.
1. Taking away the permission to change the power state of your VM
By default there are 3 groups of permissions you can set on your .vmx file:
Read permission: Shows a user the VM
Write permission: Allows a user to change the Virtual Machine hardware
Execute permission: Allows the user to Remote Console AND change the power state
This default permission scheme does not allow you to separate the Remote Console permission from the Changing Power State permission. It is possible to change this permission scheme by editing the file /etc/vmware/config. In this file add the following line (case sensitive!!):
authd.policy.AllowRCForRead = "TRUE"
After adding this line, you need to restart the VMware authentication engine. You can do this by typing the following command:
service xinetd restart
This will move the Remote Console permission to the Read group. Giving a user ONLY read access to a virtual machine will now allow the user to use the Remote Console, but NOT to change the power state. The Power-Off and Power-On buttons will be grayed out. It will also not be possible to power the virtual machine on or off from the MUI.
2. Removing the power control bar from the Remote Console (only with the ESX Remote Console)
It is possible to remove the power control bar from the Remote Console. The user keeps the right to change the power state, but will only be able to do this from the MUI and no longer from the Remote Console client. To do this, edit the .vmx file of the virtual machine and add the following line:
gui.restricted = "TRUE"
To make this work, you have to power off the virtual machine first and close your Remote Console session; otherwise the .vmx file will not be re-read. When you now connect to the Remote Console, you will see that the power change bar at the top has disappeared and all the power change functions in the drop-down menus are grayed out.
You can also limit the number of Remote Console sessions people can open to your virtual machine; you do this by adding the following to your .vmx file:
gui.maxconnections = "1"
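
As an added example (not part of the original document), the shell functions below check that the three settings above are present with the exact key spelling and plain ASCII double quotes, which matters when lines are pasted from a formatted document. The names cfg_get, check_key and make_samples and the sample file names are hypothetical, and the sample files are constructed.

```sh
#!/bin/sh
# Added example (not from the original document): check the Remote Console
# lockdown keys. Helper names and sample file names are hypothetical.

# cfg_get KEY FILE: print the value of the first exact, case-sensitive KEY
# written as   KEY = "value"   with plain ASCII double quotes.
# Returns 1 if the key is absent or its value is not in ASCII quotes
# (for example typographic quotes pasted from a formatted document).
cfg_get() {
    awk -v key="$1" '
    {
        eq = index($0, "=")
        if (eq == 0) next
        k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", k)
        gsub(/^[ \t]+|[ \t\r]+$/, "", v)
        if (k != key) next
        if (v ~ /^"[^"]*"$/) { print substr(v, 2, length(v) - 2); found = 1 }
        exit
    }
    END { exit(found ? 0 : 1) }' "$2"
}

# check_key FILE KEY WANT: print OK/FAIL for one setting; return 0 only on OK.
check_key() {
    if val=$(cfg_get "$2" "$1"); then
        if [ "$val" = "$3" ]; then echo "OK   $2"; return 0; fi
        echo "FAIL $2 is \"$val\", expected \"$3\""; return 1
    fi
    echo "FAIL $2 missing or not in plain double quotes"; return 1
}

# make_samples DIR: write constructed sample files for the demonstration.
make_samples() {
    printf 'authd.policy.AllowRCForRead = "TRUE"\n' > "$1/config"
    printf 'gui.restricted = "TRUE"\ngui.maxconnections = "1"\n' > "$1/good.vmx"
    # Same key, but with typographic quotes (UTF-8 bytes of U+201C / U+201D).
    printf 'gui.restricted = \342\200\234TRUE\342\200\235\n' > "$1/pasted.vmx"
}

d=$(mktemp -d) && make_samples "$d"
check_key "$d/config" authd.policy.AllowRCForRead TRUE
check_key "$d/good.vmx" gui.restricted TRUE
check_key "$d/good.vmx" gui.maxconnections 1
check_key "$d/pasted.vmx" gui.restricted TRUE || echo "fix the quotes in pasted.vmx"
rm -rf "$d"
```

On a real server, point check_key at /etc/vmware/config and at the .vmx file of the virtual machine instead of the sample files.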
With a default ESX 2.1 installation, your server will be set to High Security mode. This means users can only log in using SSH (no Telnet). The default SSH setting does have one ‘bad’ thing: it allows users to log in directly as the root user. If things go wrong, you can only tell that root did this, but who was root? To make sure you can trace actions back to a normal user, you can configure SSH so that root cannot log in directly. A user can then still su to root (the switch user command), but this will now be logged. To enable this limitation in SSH, edit the file /etc/ssh/sshd_config and set:
PermitRootLogin no
In the same file you can also deny other users or groups access to SSH:
DenyUsers richard henk
DenyGroups vmadmins
To make your change take effect on the fly, you must restart the SSH daemon:
service sshd restart
In your log file /var/log/messages you will now see when a user switches to root:
[root@esx1 /]# tail -f /var/log/messages
Jul 15 14:12:38 esx1 kernel: smb_retry: successful, new pid=8258, generation=9
Jul 15 14:17:23 esx1 sshd(pam_unix)[15563]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=10.42.1.10 user=richard
Jul 15 14:17:30 esx1 sshd(pam_unix)[15565]: session opened for user richard by (uid=500)
Jul 15 14:17:56 esx1 su(pam_unix)[15607]: session opened for user root by richard(uid=500)
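
As an added example (not part of the original document), the script below reads log lines in the format shown above and reports which named user switched to root, and flags any root session opened directly by sshd, which should no longer appear once PermitRootLogin is set to no. The function names are hypothetical, and the direct root login line and the henk line in the sample are constructed on the assumption that they follow the same pam_unix format.

```sh
#!/bin/sh
# Added example: report who became root, from /var/log/messages-style lines.

# sample_log: three lines quoted from the log excerpt above plus two
# constructed lines (a direct root SSH login and a second su by henk).
sample_log() {
cat <<'EOF'
Jul 15 14:17:23 esx1 sshd(pam_unix)[15563]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=10.42.1.10 user=richard
Jul 15 14:17:30 esx1 sshd(pam_unix)[15565]: session opened for user richard by (uid=500)
Jul 15 14:17:56 esx1 su(pam_unix)[15607]: session opened for user root by richard(uid=500)
Jul 15 15:02:11 esx1 sshd(pam_unix)[15811]: session opened for user root by (uid=0)
Jul 15 15:40:03 esx1 su(pam_unix)[15902]: session opened for user root by henk(uid=501)
EOF
}

# root_sessions: read log lines on stdin and print one line per root session:
#   SU     <time> <user>   a named user switched to root (traceable)
#   DIRECT <time> -        root session opened by sshd (not traceable)
# su lines without a calling user name are skipped.
root_sessions() {
    awk '
    / session opened for user root by / {
        ts  = $1 " " $2 " " $3
        svc = $5                      # e.g. su(pam_unix)[15607]:
        who = $NF                     # e.g. richard(uid=500) or (uid=0)
        sub(/\(uid=[0-9]+\)$/, "", who)
        if (svc ~ /^su\(pam_unix\)/ && who != "")
            print "SU", ts, who
        else if (svc ~ /^sshd\(pam_unix\)/)
            print "DIRECT", ts, "-"
    }'
}

# direct_root_logins: count root sessions that cannot be tied to a named user.
direct_root_logins() {
    root_sessions | awk '$1 == "DIRECT" { n++ } END { print n + 0 }'
}

sample_log | root_sessions
echo "direct root logins: $(sample_log | direct_root_logins)"
```

To use it on a server, feed it the real file, for example `root_sessions < /var/log/messages`.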