vmware ESXi with SSH-ED25519 and valid TLS

Securing a vmware ESXi server with proper SSH and TLS encryption


Naturally you want to log in via SSH, and doing this without public key authentication would be just silly. To get there, there are a few steps for you to take.

First, you enable SSH so that it starts with the system boot. This is done via the web UI. Select your host in the UI and choose Actions -> Services. In the services view, select TSM-SSH and then Actions -> Policy -> Enable Service with System boot. You also have to start the service once for the current boot.

After ensuring that SSH is available after a reboot, you surely want to deploy your shiny ed25519 public SSH key. This is done via the console, so log into your server via SSH. Enter the following commands: they configure the SSH daemon to accept ed25519 keys and then restart the daemon (of course you know this, you're a Unix/Linux admin!):

# allow ed25519 public keys in addition to the default key types, then restart sshd
echo "PubkeyAcceptedKeyTypes=+ssh-ed25519" >> /etc/ssh/sshd_config
/etc/init.d/SSH restart

After that, you have to put your public key somewhere. This is NOT /root/.ssh/authorized_keys, but /etc/ssh/keys-root/authorized_keys. Paste your key(s) in there as usual and you should be able to log in to your ESXi server as root without being asked for a password.

Valid TLS

For me, the reason to visit the command line on my ESXi server was to deploy my Let's Encrypt certificate. This didn't seem to work via the web UI. Personally, I generated a wildcard certificate for my domain, which I then transferred to the server via SCP. I don't think the creation process of the wildcard certificate should be in scope here, but in short: I instructed my traefik load-balancer to retrieve a wildcard certificate for my ps1.sh domain and then exported PEM files, which I could then transfer to my ESXi server.

Now, PEM files in hand (a .crt and a .key file), you'll have to instruct the server to use them. Like this:

# keep a copy of the original self-signed pair in case you need to roll back
cp /etc/vmware/ssl/rui.crt /etc/vmware/ssl/orig.rui.crt
cp /etc/vmware/ssl/rui.key /etc/vmware/ssl/orig.rui.key
# install the certificate and key under the names hostd expects
cp /root/my.domain.crt /etc/vmware/ssl/rui.crt
cp /root/my.domain.key /etc/vmware/ssl/rui.key

After that, VMware recommends rebooting the server. And indeed, without a reboot (conveniently issued from the command line), your server won't present the new certificate to any clients.
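As an added example (not part of the original post), a small pre-flight script to run on your admin workstation: it checks that the .crt and .key you are about to copy actually belong together (a mismatched pair leaves hostd unable to serve TLS), that the certificate is not about to expire, and, after the reboot, that the host really presents the new certificate. It requires openssl; the host name, file names and port 443 are assumptions.

```shell
#!/bin/sh
# Added example, not the post's own code. Assumes openssl on the workstation
# and the ESXi web UI on port 443.

# The public key inside the certificate must equal the public key derived
# from the private key (works for RSA and EC keys alike).
cert_matches_key() {
    crt=$1; key=$2
    c=$(openssl x509 -noout -pubkey -in "$crt" 2>/dev/null) || return 1
    k=$(openssl pkey -pubout -in "$key" 2>/dev/null) || return 1
    if [ -n "$c" ] && [ "$c" = "$k" ]; then return 0; else return 1; fi
}

# True if the certificate is still valid for at least N seconds (default 7 days),
# so a stale Let's Encrypt export is caught before it is deployed.
cert_valid_for() {
    openssl x509 -noout -checkend "${2:-604800}" -in "$1" >/dev/null 2>&1
}

# SHA-256 fingerprint of the certificate the host serves on :443.
served_cert_fingerprint() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# SHA-256 fingerprint of a local PEM certificate file.
file_cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" 2>/dev/null | sed 's/^.*=//'
}

# True only when the host serves exactly the certificate you copied to rui.crt.
host_serves_cert() {
    f=$(file_cert_fingerprint "$2")
    [ -n "$f" ] && [ "$(served_cert_fingerprint "$1")" = "$f" ]
}

# Usage: sh check.sh esxi.example.com my.domain.crt my.domain.key
if [ $# -eq 3 ]; then
    cert_matches_key "$2" "$3" || { echo "crt/key mismatch"; exit 1; }
    cert_valid_for "$2" || { echo "certificate expires within 7 days"; exit 1; }
    if host_serves_cert "$1" "$2"; then
        echo "host serves the new certificate"
    else
        echo "host still serves the old certificate (rebooted yet?)"; exit 1
    fi
fi
```

Run the first two checks before the scp, and the whole script again once the host is back up after the reboot.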