Users need to configure USB passthrough for hardware security tokens in a VMware ESXi environment to enable authentication within virtual machines. This configuration requires specific host settings and VM configurations to ensure proper device recognition and functionality. This can be used for a variety of hardware security tokens, including YubiKey, RSA SecurID, and more.
- VMware ESXi host
- Virtual Machine(s) with USB 3.0 or newer controllers
- Hardware security token compatible with USB interface
- ESXi license that supports USB passthrough for smart card readers
Hardware security tokens require specific USB passthrough configuration at both the ESXi host and virtual machine levels to function properly. Default configurations may not recognize these devices correctly.
Stage 1: Identify Device Information
lsusb
`Bus XXX Device XXX: ID VVVV:PPPP Manufacturer.name Device.name`
- `VVVV` represents the vendor ID (e.g., `1050`)
- `PPPP` represents the product ID (e.g., `0404`)
`Bus 004 Device 002: ID 1050:0404 Yubico.com Yubikey 4 CCID`
Stage 2: Configure ESXi Host Recognition
esxcli system module list | grep vmkusb
esxcli system module load -m vmkusb # If not already loaded
Edit `/etc/vmware/config` and add:
usb.quirks.device0 = "0xVVVV:0xPPPP allow"
Replace `VVVV:PPPP` with your device's vendor and product IDs from Stage 1.
Edit `/bootbank/boot.cfg`, adding to the `kernelopt` line:
CONFIG./USB/quirks=0xVVVV:0xPPPP::0xffff:UQ_KBD_IGNORE
Replace `VVVV:PPPP` with the same IDs used above.
esxcli hardware usb passthrough device list
Stage 3: Configure Virtual Machine USB Passthrough
usb.generic.allowCCID = "TRUE"
usb.quirks.device0 = "0xVVVV:0xPPPP allow"
/etc/init.d/pcscd stop
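The three stages reuse the same vendor and product IDs in different syntaxes, so a mistyped digit in one place is easy to miss. The following is an added example, not part of the original procedure: it derives the settings from one `lsusb` line and checks copies of the host files for them without modifying anything. The function names are hypothetical, the sample line is the one from Stage 1, and the check assumes the boot option line in `boot.cfg` begins with `kernelopt=`.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed for illustration.

# Read lsusb output on stdin and print "VVVV PPPP" (lowercase hex) for the
# first line matching pattern $1. Returns 1 if no well-formed ID is found.
usb_ids() {
    _ids=$(grep -i -- "$1" |
        sed -n 's/^Bus [0-9]* Device [0-9]*: ID \([0-9A-Fa-f]\{4\}\):\([0-9A-Fa-f]\{4\}\).*/\1 \2/p' |
        head -n 1 | tr 'A-F' 'a-f')
    [ -n "$_ids" ] || return 1
    printf '%s\n' "$_ids"
}

# Setting used in /etc/vmware/config (Stage 2) and in the VM settings (Stage 3).
quirk_line() { printf 'usb.quirks.device0 = "0x%s:0x%s allow"\n' "$1" "$2"; }

# Token appended to the kernelopt line in /bootbank/boot.cfg (Stage 2).
kernelopt_token() {
    printf 'CONFIG./USB/quirks=0x%s:0x%s::0xffff:UQ_KBD_IGNORE\n' "$1" "$2"
}

# Read-only check: $1=vendor $2=product $3=config file $4=boot.cfg.
# Prints one line per setting that is absent; prints nothing when both exist.
audit_host() {
    grep -qxF -- "$(quirk_line "$1" "$2")" "$3" ||
        echo "missing in $3: $(quirk_line "$1" "$2")"
    grep '^kernelopt=' "$4" | grep -qF -- "$(kernelopt_token "$1" "$2")" ||
        echo "missing in $4 kernelopt: $(kernelopt_token "$1" "$2")"
}

# Constructed sample: the lsusb line shown in Stage 1. On a host, pipe lsusb in.
sample='Bus 004 Device 002: ID 1050:0404 Yubico.com Yubikey 4 CCID'
if ids=$(printf '%s\n' "$sample" | usb_ids Yubico); then
    set -- $ids
    quirk_line "$1" "$2"
    kernelopt_token "$1" "$2"
fi
```

The `audit_host` comparison for `/etc/vmware/config` is an exact whole-line match, so a line with different spacing around `=` is reported as missing.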