There are numerous posts about how to use Active Directory to authenticate your ssh logins to your ESX servers.
Jason Boche, Travis Laird, Geert Baeke
The idea is pretty simple
- Configure the ESX server with esxcfg-auth as in the above posts
- Add the desired users locally on your ESX Server
- Login away
But….
Once this is enabled all authentication will be done against Active Directory – INCLUDING THE root USER.
Jason mentioned this in his post:
Warning: One thing to watch out for would be the existence of a root account in AD of which you are not the owner. By implementing AD authentication, a root account in AD is going to be granted root level Service Console access on the ESX host! Take the necessary precautions here.
Travis mentioned it as well and provided a solution:
If you are not using root login through SSH and you want to exclude the root user login from attempting Active Directory authentication, modify the /etc/pam.d/system-auth file and add the parameter minimum_uid=1 to the following line so it reads:
auth sufficient /lib/security/$ISA/pam_krb5.so use_first_pass minimum_uid=1
Geert as well:
A couple of other things to think of:
- If you create a user in AD with account name root, you can logon as root with its AD password.
- If you don't want AD authentication for root, you can edit /etc/pam.d/system-auth. On the line that starts with auth and also includes pam_krb5.so, add this to the end: minimum_uid=1. Authentication for root (uid=0) will now be done locally only.
Now of course ssh login is disabled for root. But when trying to log in I saw in the logs (/var/log/secure) that root was trying to authenticate against the domain:
Feb 17 10:32:08 esx2 sshd[5838]: pam_krb5[5838]: authentication fails for 'root' (root@MAISHK.LOCAL): User not known to the underlying authentication module (Clients credentials have been revoked)
(the root account exists in the domain, but is disabled)
So I wanted to add the solution as published above.
These are the contents of the /etc/pam.d/system-auth file
#%PAM-1.0
account required pam_per_user.so /etc/pam.d/login.map
auth required pam_per_user.so /etc/pam.d/login.map
password required pam_per_user.so /etc/pam.d/login.map
session required pam_per_user.so /etc/pam.d/login.map
As you can see, no auth sufficient or /lib/security/$ISA/pam_krb5.so in the file…
Hmmmmm….
So I gather that this has changed for ESX 4.0: the session is pointed to /etc/pam.d/login.map.
These are the contents of the /etc/pam.d/login.map file
vpxuser : system-auth-local
* : system-auth-generic
OK, so all users except vpxuser are pointed to /etc/pam.d/system-auth-generic.
These are the contents of the /etc/pam.d/system-auth-generic file
#%PAM-1.0
# Autogenerated by esxcfg-auth
account sufficient /lib/security/$ISA/pam_krb5.so
account required pam_unix.so
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass nullok
auth sufficient /lib/security/$ISA/pam_krb5.so use_first_pass
auth required pam_deny.so
password required /lib/security/$ISA/pam_passwdqc.so min=8,8,8,7,6 similar=deny match=0
password sufficient pam_unix.so try_first_pass use_authtok nullok shadow md5
password sufficient /lib/security/$ISA/pam_krb5.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session sufficient /lib/security/$ISA/pam_krb5.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
Yep! There it is!
So I added minimum_uid=1 to the file:
auth sufficient /lib/security/$ISA/pam_krb5.so use_first_pass minimum_uid=1
And now I see in the log that when logging in as root the authentication is handled by pam_unix(system-auth-generic:auth) and not pam_krb5:
Feb 17 10:58:51 ilesx2 sshd[11906]: pam_unix(system-auth-generic:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=msaidelk-server.xxx.xxxx.com user=root
My Active Directory Authentication process is complete!!
Update:
Thanks to Armin van Lieshout for pointing this out to me. You can do this all from the command line as well:
esxcfg-auth --enforce-local-auth=root
This will force local authentication for the defined user.