Host Profile SSH Key Non-Compliance Alert even though SSH keys are not configured

Article ID: 400693

Products

VMware vSphere ESXi 8.0

Issue/Introduction

Observed Behavior

When applying a host profile created on an earlier version of vSphere (e.g., vSphere 7.0U3) to ESXi hosts running 8.0U3, a non-compliance error may be triggered, specifically related to SSH key settings.

Details

  • The host profile compliance check reports the following alert:

    Security Settings > SSH Key – "SSH Public Key on Host: SSH public key not present in profile for root."

  • SSH is configured to use password-based authentication only on the host.

  • This configuration was validated by checking the /etc/ssh/sshd_config file on the ESXi host.

  • Reference: Allowing SSH access to VMware vSphere ESXi/ESX hosts with public/private key authentication.

  • No SSH public keys are defined in the host profile configuration.

  • This alert appears to be a false positive, likely due to host profile compatibility issues between different vSphere versions.
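
The sshd_config validation described in the list above, as an added example that is not part of the original article: a POSIX shell script that reports the effective global PasswordAuthentication and PubkeyAuthentication values and counts key entries in root's authorized_keys file. The function names and the sample files are constructed for illustration, and the authorized_keys path is passed as an argument because the article does not give it.

```shell
#!/bin/sh
# Added example: summarise the SSH settings relevant to the SSH Key alert.

# Effective global value of an sshd_config keyword. sshd keeps the first
# occurrence, keywords are case-insensitive, and lines after the first
# "Match" are conditional, so parsing stops there.
sshd_effective() {  # $1=config  $2=keyword  $3=default when unset
    awk -v want="$2" -v def="$3" '
        { sub(/#.*/, ""); sub(/[ \t]*=[ \t]*/, " ") }  # comments, "key=value"
        NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(want) { val = tolower($2); exit }
        END { print (val == "" ? def : val) }
    ' "$1"
}

# Count key entries (non-blank, non-comment lines); a missing file counts as 0.
count_keys() {  # $1=authorized_keys file
    [ -f "$1" ] || { echo 0; return; }
    awk '!/^[ \t]*(#|$)/ { n++ } END { print n + 0 }' "$1"
}

ssh_auth_summary() {  # $1=sshd_config  $2=authorized_keys for root
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    pw=$(sshd_effective "$1" PasswordAuthentication yes)  # OpenSSH default: yes
    pk=$(sshd_effective "$1" PubkeyAuthentication yes)    # OpenSSH default: yes
    keys=$(count_keys "$2")
    if [ "$pk" = yes ] && [ "$keys" -gt 0 ]; then
        state=possible
    else
        state=not-configured
    fi
    echo "password=$pw pubkey=$pk root_keys=$keys root_key_login=$state"
}

# Constructed sample files (not taken from a real host).
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' '# constructed sample' 'passwordauthentication yes' \
        'PubkeyAuthentication yes' 'Match User backup' \
        'PasswordAuthentication no' > "$dir/sshd_config"
    printf '%s\n' '# no keys installed' '' > "$dir/authorized_keys"
    ssh_auth_summary "$dir/sshd_config" "$dir/authorized_keys"
    rm -rf "$dir"
}
demo
```

On a host, call `ssh_auth_summary /etc/ssh/sshd_config <root authorized_keys path>`; a result of `root_keys=0` supports treating the alert as a false positive.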

Environment

VMware vSphere ESXi 7.x
VMware vSphere ESXi 8.x
VMware vCenter Server 7.x
VMware vCenter Server 8.x

Cause

This issue is suspected to stem from a compatibility mismatch between host profile versions. Specifically, the host profile was originally created in vSphere 7.0U3, while the ESXi hosts have since been upgraded to version 8.0U3.

Due to changes in how SSH security settings are handled in newer ESXi versions, the legacy host profile may misinterpret the current configuration, particularly the SSH public key settings. As a result, the compliance check may report a false non-compliance alert stating:

"SSH public key not present in profile for root."

This alert appears even when SSH is correctly configured for password-based authentication and no public keys are expected or defined in the host profile.

Resolution

To resolve the SSH key non-compliance alert and ensure host profile compatibility after upgrading to ESXi 8.0U3, follow these steps:

  1. Select a compliant host from the cluster that is in the desired state and functioning correctly post-upgrade.

  2. Create a new host profile from the selected healthy host using the vSphere Client.
    Refer to the official guide for creating host profiles: Create a Host Profile.

  3. Attach and apply the newly created host profile to all hosts within the cluster.

  4. Remediate any remaining non-compliance alerts that appear after applying the new profile.