VSICM51 - Slide 02-46 - Configuring ESXi: root Access



1. Wrong

When describing root access to the DCUI, slide notes state:

If you do not set a root password, you will be unable to log in to the ESXi host with the vSphere Client.

1. Correct

The root user will be allowed to log in to the ESXi host even if no password has been set (that is, the password is still blank). However, a "Configuration Issues" alert message will be displayed on the ESXi host Summary tab, reminding you that "The default password for the root user has not been changed".



2. Room for improvement

It is possible to change the default password complexity.

2. Info

In the "vSphere Security" guide - "Best Practices for Virtual Machine and Host Security" chapter - "Host Password Strength and Complexity" paragraph you read:

By default, ESXi uses the pam_passwdqc.so plug-in to set the rules that users must observe when creating passwords and to check password strength. The pam_passwdqc.so plug-in lets you determine the basic standards that all passwords must meet. A valid password should contain a combination of as many character classes as possible. Character classes include lowercase letters, uppercase letters, numbers, and special characters such as an underscore or dash.

2. Source

vSphere 5.1 Documentation Center.
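To make the character-class rule quoted above concrete, here is an added example (not from the slide notes or the VMware documentation) that models a pam_passwdqc "min=N0,N1,N2,N3,N4" policy in Python: N0..N2 are the minimum lengths for passwords built from 1, 2 or 3 character classes, N3 for passphrases and N4 for 4-class passwords, with "disabled" rejecting that kind outright. The default tuple, the passphrase word count and the passwdqc convention that a leading uppercase letter and a trailing digit do not count towards the class tally are assumptions stated in the code, not values taken from this page.

```python
from typing import Tuple, Union

# Assumed policy in the shape of pam_passwdqc's "min=" option (not from this page):
# only passphrases and 4-class passwords of at least 7 characters are accepted.
DEFAULT_MIN = ("disabled", "disabled", "disabled", 7, 7)
PASSPHRASE_WORDS = 3  # assumed passwdqc default "passphrase=3"


def char_classes(password: str) -> int:
    """Count character classes (lower, upper, digit, special) in a password.

    Follows the passwdqc convention (an assumption here) that a leading
    uppercase letter and a trailing digit do not count, so "Password1"
    is treated as a single-class password.
    """
    body = password
    if body and body[0].isupper():
        body = body[1:]
    if body and body[-1].isdigit():
        body = body[:-1]
    classes = sum(1 for pred in (str.islower, str.isupper, str.isdigit)
                  if any(pred(c) for c in body))
    if any(not c.isalnum() for c in body):  # underscore, dash, space, ...
        classes += 1
    return classes


def check_password(password: str,
                   minimums: Tuple[Union[str, int], ...] = DEFAULT_MIN
                   ) -> Tuple[bool, str]:
    """Return (accepted, reason) for a candidate password under a min= policy."""
    if len(password.split()) >= PASSPHRASE_WORDS:
        index, kind = 3, "passphrase"
    else:
        classes = max(char_classes(password), 1)
        index = {1: 0, 2: 1, 3: 2, 4: 4}[classes]  # map class count to N0..N4
        kind = f"{classes}-class password"
    required = minimums[index]
    if required == "disabled":
        return False, f"{kind}s are not allowed by this policy"
    if len(password) < required:
        return False, f"{kind} needs {required} characters, got {len(password)}"
    return True, f"{kind} of {len(password)} characters accepted"


if __name__ == "__main__":
    # Constructed sample candidates, not real credentials.
    for candidate in ("Password1", "Pa55w0rd", "Tr0ub4dor&3", "xY_9z3",
                      "pa55_W0rd", "correct horse battery staple"):
        print(f"{candidate!r:32} -> {check_password(candidate)[1]}")
```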



3. Room for improvement

The description of lockdown mode is still somewhat too vague.

3.a. Info

In the "vSphere Security" guide - "Lockdown Mode" chapter you read:

To increase the security of your ESXi hosts, you can put them in lockdown mode. When you enable lockdown mode, no users other than vpxuser have authentication permissions, nor can they perform operations against the host directly. Lockdown mode forces all operations to be performed through vCenter Server.
When a host is in lockdown mode, you cannot run vSphere CLI commands from an administration server, from a script, or from vMA against the host. External software or management tools might not be able to retrieve or modify information from the ESXi host.
Note: Users with the DCUI Access privilege are authorized to log in to the Direct Console User Interface (DCUI) when lockdown mode is enabled. When you disable lockdown mode using the DCUI, all users with the DCUI Access privilege are granted the Administrator role on the host. You grant the DCUI Access privilege in Advanced Settings.
Note: If you enable or disable lockdown mode using the Direct Console User Interface (DCUI), permissions for users and groups on the host are discarded. To preserve these permissions, you must enable and disable lockdown mode using the vSphere Client connected to vCenter Server.

3.a. Source

vSphere 5.1 Documentation Center.


3.b. Info

In the "vSphere Security" guide - "Best Practices for Virtual Machine and Host Security" chapter - "Limit DCUI Access in Lockdown Mode" paragraph you read:

In versions of vSphere earlier than vSphere 5.1, the root user can log into the Direct Console User Interface (DCUI) on a host that is in lockdown mode. In vSphere 5.1, you can specify which local ESXi users are allowed to log into the DCUI when the host is in lockdown mode. Specifying users other than the anonymous root user allows you to log which users have performed operations on the host while it is in lockdown mode.
By default, the root user is specified. You can remove root from the list of DCUI access users, as long as you specified at least one other user.

3.b. Source

vSphere 5.1 Documentation Center.


Last modified on Thursday, 12 December 2013 19:27