Access ESX Host When Root Login is Disabled

VMware Security best practices are to not allow PermitRootLogin to an ESX host.

Enabling root SSH login on an ESX host.

I could not SSH into a newly provisioned host. The server would not allow root login (rightfully so), and my domain account could not log in either.

This is how I solved the issue.

  1. Logged into the ESX host directly with the vSphere Client.
  2. Created a new user with SSH access to the host.
  3. Logged in to the host and found what the problem was time skew.

    Here is the error from /var/log/secure:

    Jan  9 09:52:36 ilesxdmz1 sshd[18263]: pam_krb5[18263]: authentication fails for 'msaidelk' (msaidelk@maishsk.local): Authentication failure (Clock skew too great)
  4. Fixed the time issue.
  5. Test SSH access with my domain account - Success.
  6. Removed the temporary account.

The full how-to including video - is in the KB above.

And a bit of PowerCLI to create (and remove) the user, instead of having to open up the GUI.

New-VMHostAccount -Server esx1.maishsk.local -Id maish -Password "a:123456" -UserAccount -GrantShellAccess:$true -AssignGroups root

#And remove afterwards

Get-VMHostAccount -Server esx1.maishsk.local -Id maish | Remove-VMHostAccount -confirm:$false