VMware Security best practices are to not allow PermitRootLogin to an ESX host.
I could not SSH into a newly provisioned host. The server would not allow root login (rightfully so), and my domain account could not log in either.
This is how I solved the issue.
- Logged into the ESX host directly with the vSphere Client.
- Created a new user with SSH access to the host.
- Logged in to the host and found what the problem was time skew.
Here is the error from /var/log/secure:
Jan 9 09:52:36 ilesxdmz1 sshd: pam_krb5: authentication fails for 'msaidelk' (email@example.com): Authentication failure (Clock skew too great)
- Fixed the time issue.
- Test SSH access with my domain account - Success.
- Removed the temporary account.
The full how-to including video - is in the KB above.
And a bit of PowerCLI to create (and remove) the user, instead of having to open up the GUI.
New-VMHostAccount -Server esx1.maishsk.local -Id maish -Password "a:123456" -UserAccount -GrantShellAccess:$true -AssignGroups root #And remove afterwards Get-VMHostAccount -Server esx1.maishsk.local -Id maish | Remove-VMHostAccount -confirm:$false