Assigning an SSH public key to ESXi 8.0 using a host profile results in key-based SSH authentication failing

Article ID: 326278


Products

VMware vCenter Server, VMware vSphere ESXi

Issue/Introduction

Symptoms:
  • An SSH public key is configured in the host profile branch Security and Services > Security Settings > Security > User Configuration > root
  • The key string has the correct format:
    from="1.2.3.4" ssh-rsa <hash>
  • However, after successful profile remediation:
    • the ESXi host keeps being reported as non-compliant because the key in the profile does not match the one on the host
    • SSH login attempts using the key fail

Environment

VMware vSphere ESXi 8.0
VMware vSphere ESXi 8.0.x
VMware vCenter Server 8.0.x

Cause

The ESXi host profile engine does not properly escape the double quotes around the source IP address in the key string, so when the string is written to /etc/ssh/keys-root/authorized_keys the quotes are dropped and the entry becomes from=1.2.3.4 ssh-rsa <hash>. The SSH server on the ESXi host (sshd) requires the from= pattern list to be enclosed in double quotes and rejects the entry otherwise, so every SSH login attempt using that key fails. The same mismatch is why the compliance check reports the host as non-compliant: the string on the host no longer equals the string in the profile.

Resolution

Currently there is no resolution. VMware engineering is aware of the issue and is working on a fix.
Subscribe to this article to be notified as soon as a fix is publicly available.

Workaround:
To work around this issue, use the following steps:
  1. Edit the host profile and add a backslash (\) in front of each of the 2 double quotes so that they are properly escaped. In Security and Services > Security Settings > Security > User Configuration > root, instead of:
    from="1.2.3.4" ssh-rsa <hash>
    use:
    from=\"1.2.3.4\" ssh-rsa <hash>
  2. Remediate the host(s) against the host profile.

At this stage the entry for the key string in /etc/ssh/keys-root/authorized_keys has the correct format, and key-based SSH authentication can be used. However, the host will be reported as non-compliant with the host profile, because the escaped string in the profile no longer matches the entry on the host.
To make it compliant, continue:
  3. Edit the host profile again and remove the 2 backslash characters (\) that were added in step 1, going back from:
    from=\"1.2.3.4\" ssh-rsa <hash>
    to:
    from="1.2.3.4" ssh-rsa <hash>
  4. Run another compliance scan of the host against the profile. Now it is compliant.
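Added example, not part of the VMware article or of ESXi itself: a POSIX sh check for the root authorized_keys file that tells apart the three forms the cause and the workaround above can leave on the host (correctly quoted from="...", quotes stripped by the profile engine, backslashes written literally), plus a key-only SSH login probe. It is POSIX sh so it also runs in the ESXi BusyBox shell. The path /etc/ssh/keys-root/authorized_keys is the one named in the article; the sample entries in the demo are constructed with fake key bodies, and the test_key_login function with its host and key-file arguments is an assumption about how you would probe from an admin workstation.

```shell
#!/bin/sh
# Added example (not from the VMware KB article). POSIX sh, so it also runs
# in the ESXi BusyBox shell, where the root key file lives at
# /etc/ssh/keys-root/authorized_keys (path taken from the article).
KEYS_FILE="${KEYS_FILE:-/etc/ssh/keys-root/authorized_keys}"

# classify_key_line LINE
# Prints how sshd will treat one authorized_keys entry:
#   ok          from="..." correctly quoted, followed by the key
#   unquoted    from=1.2.3.4 ...  quotes stripped by the host profile engine
#   escaped     from=\"1.2.3.4\" ...  backslashes copied literally into the file
#   no-options  plain key without a from= restriction
#   skip        blank or comment line
#   unknown     anything else
classify_key_line() {
    case "$1" in
        ''|'#'*)                        echo skip ;;
        'from=\"'*)                     echo escaped ;;
        'from="'*'" '*|'from="'*'",'*)  echo ok ;;
        'from='*)                       echo unquoted ;;
        ssh-*|ecdsa-*|sk-*)             echo no-options ;;
        *)                              echo unknown ;;
    esac
}

# check_authorized_keys FILE
# Reports every entry and returns 1 if any entry will be rejected by sshd.
check_authorized_keys() {
    _file=$1
    _rc=0
    _n=0
    while IFS= read -r _line || [ -n "$_line" ]; do
        _n=$((_n + 1))
        _status=$(classify_key_line "$_line")
        case "$_status" in
            skip) ;;
            ok|no-options)
                printf 'line %d: %s\n' "$_n" "$_status" ;;
            unquoted)
                printf 'line %d: from= pattern is not quoted; sshd rejects this key\n' "$_n"
                _rc=1 ;;
            escaped)
                printf 'line %d: backslashes before the quotes; sshd rejects this key\n' "$_n"
                _rc=1 ;;
            *)
                printf 'line %d: unrecognised entry\n' "$_n"
                _rc=1 ;;
        esac
    done < "$_file"
    return $_rc
}

# test_key_login HOST KEYFILE
# Key-only login probe from an admin workstation (assumed usage, not run below).
# BatchMode and PasswordAuthentication=no make sure a failure really means the
# key was rejected rather than a silent fall-back to the root password prompt.
# If the from= pattern restricts the source address, run it from that address.
test_key_login() {
    ssh -o BatchMode=yes \
        -o PasswordAuthentication=no \
        -o PreferredAuthentications=publickey \
        -i "$2" "root@$1" 'hostname'
}

# Demo on a constructed file that mimics what the three states of the
# workaround leave in /etc/ssh/keys-root/authorized_keys. Key bodies are fake.
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
# constructed sample, not a real ESXi file
from="1.2.3.4" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDexample root@vcenter
from=1.2.3.4 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDexample root@vcenter
from=\"1.2.3.4\" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDexample root@vcenter
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIexample admin@jumphost
EOF
check_authorized_keys "$demo_file" || echo "at least one entry will not work for key-based login"
rm -f "$demo_file"
```

On a real host run `check_authorized_keys "$KEYS_FILE"` after each remediation: after step 2 the from= line should classify as ok, and if it ever shows as escaped the backslashes were written literally rather than consumed as escapes, which is the state to watch for once a fixed host profile engine ships.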