
Using SSH in ESXi (Password-Less)

Looking into this, it's a little funny: you can SSH into ESXi, but not out. Dropbear can create a valid keypair, but there's no actual ssh binary in ESXi. However, you can make it happen.

1) "Create" an ssh symlink to dropbear:

ln -s /sbin/dropbearmulti /bin/ssh

This works because dropbearmulti is a multicall binary, which allows it to change behavior depending on how you execute it.

2) Create a keypair:

dropbearkey -t dss -f privatekeyfile -s 1024

Why 1024? Because that's the only key length supported by DSS keys! You'll end up with a file in the current directory called 'privatekeyfile', and the system will print the public key in SSH format on the screen:

~ # dropbearkey -t dss -f private -s 1024

Will output 1024 bit dss secret key to 'private'

Generating key, this may take a while...

Public key portion is:

ssh-dss AAAAB3NzaC1kc3MAAACBAJbXscSKNxkxs3NYfMgMLs8tsh3iio9vFN3fzq8/5HrsgcGK3gHc+SQlLmhtP...hostname.domain

Copy the whole key, every line of it from "ssh-dss" through to the end of "hostname.domain", to your clipboard.

3) Add this copied public key to your Linux host in the right location - usually ~/.ssh/authorized_keys:

linuxhost% cat .ssh/authorized_keys
ssh-dss AAAAB3NzaC1kc3MAAACBANPYWCXvqAVK95Xa0qM1rUPM7h2CWB85d2Qk3paYsRU6x....

4) Now use the private key to make sure that it works from ESXi:

~ # ssh -i privatekeyfile username@domain.lan

Last login: Tue Apr 12 15:01:15 2011 from domain.lan
[user@host] (Linux 2.6.18-194.26.1.el5)%

Life is good!
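
A check for step 3, as an added example that is not part of the original post: this Python function confirms that a line pasted into authorized_keys is a complete ssh-dss key by decoding its wire format and reporting the sizes of p and q. The sample line is constructed (not a real key), the function and host names are hypothetical, and the function assumes the line has no options before the key type.

```python
import base64
import struct

def _read_field(blob, off):
    """Read one length-prefixed SSH wire field (string or mpint)."""
    if off + 4 > len(blob):
        raise ValueError("truncated length prefix")
    (n,) = struct.unpack(">I", blob[off:off + 4])
    end = off + 4 + n
    if end > len(blob):
        raise ValueError("truncated field (key cut off while copying?)")
    return blob[off + 4:end], end

def check_dss_line(line):
    """Return (bits_p, bits_q, comment) for an ssh-dss authorized_keys line.
    Raises ValueError if the line is wrapped, truncated or mislabelled.
    Assumption: the line carries no options before the key type.
    """
    parts = line.strip().split(None, 2)
    if len(parts) < 2 or parts[0] != "ssh-dss":
        raise ValueError("not an ssh-dss line")
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("bad base64 (line wrapped or truncated?)") from exc
    name, off = _read_field(blob, 0)
    if name != b"ssh-dss":
        raise ValueError("key blob type does not match the line's type")
    ints = []
    for _ in range(4):  # DSS public key fields in order: p, q, g, y
        raw, off = _read_field(blob, off)
        ints.append(int.from_bytes(raw, "big"))
    if off != len(blob):
        raise ValueError("trailing bytes after key")
    comment = parts[2] if len(parts) > 2 else ""
    return ints[0].bit_length(), ints[1].bit_length(), comment

def _mpint(n):
    """Encode a positive integer as an SSH mpint (0x00 pad if top bit set)."""
    raw = n.to_bytes(n.bit_length() // 8 + 1, "big")
    return struct.pack(">I", len(raw)) + raw

# Constructed sample: right sizes only, not a real or usable key.
_blob = struct.pack(">I", 7) + b"ssh-dss" + b"".join(
    _mpint(v) for v in ((1 << 1023) | 1, (1 << 159) | 1, 2, 3))
SAMPLE = "ssh-dss " + base64.b64encode(_blob).decode() + " root@esxi.example"

if __name__ == "__main__":
    print(check_dss_line(SAMPLE))
```

A key that lost characters in the copy from the ESXi console raises ValueError here instead of failing silently at login time.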