
Remove keys from SSH authorized_keys file

Details

For day-to-day operations the ESXi host should be in Lockdown mode with the Secure Shell (SSH) service disabled. Lockdown mode does not prevent root users from logging in using authorized keys. When you use an authorized key file for root user authentication, root users are not prevented from accessing a host with SSH even when the host is in lockdown mode.

*Rationale*

ESXi hosts come with SSH, which can be configured to authenticate remote users using public key authentication. To enable public key authentication, copy the remote user's public key into the /etc/ssh/keys-root/authorized_keys file on the ESXi host. The presence of the remote user's public key in the authorized_keys file identifies the user as trusted, meaning the user is granted access to the host without providing a password.

Note: Lockdown mode does not apply to root users who log in using authorized keys. When you use an authorized key file for root user authentication, root users are not prevented from accessing a host with SSH even when the host is in lockdown mode.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To check for SSH keys added to the authorized_keys file:
1. Log on to the ESXi shell as root or an authorized admin user.
2. Verify the contents of the /etc/ssh/keys-root/authorized_keys file.
3. If the file is not empty, remove any keys found in the file.

Impact: Disabling the SSH authorized_keys access may limit your ability to run unattended remote scripts.

Default Value: The prescribed state is the default state.
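
One way to script steps 2 and 3 from the ESXi shell, as an added example that is not part of the CIS benchmark text. The function names, the `audit`/`remove` arguments and the `KEYFILE` override are assumptions made for this example, and it assumes `grep` and `awk` are available in the shell.

```shell
#!/bin/sh
# Added example: audit, and optionally empty, the root authorized_keys file.
# The default path is the one named in the benchmark; KEYFILE=... overrides it.
KEYFILE="${KEYFILE:-/etc/ssh/keys-root/authorized_keys}"

# Count key entries: every line that is neither blank nor a comment.
# A missing file counts as zero keys.
count_keys() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -cvE '^[[:space:]]*(#|$)' "$1" || true
}

# Print line number, key type and comment for each entry; the key blob is
# omitted. Heuristic: the key type is the first field that looks like an SSH
# key algorithm, so leading options such as from="..." are skipped.
list_keys() {
    awk '!/^[ \t]*(#|$)/ {
        type = "unknown"; comment = ""
        for (i = 1; i <= NF; i++)
            if ($i ~ /^(ssh-|ecdsa-|sk-)/) {
                type = $i
                for (j = i + 2; j <= NF; j++)
                    comment = comment (comment == "" ? "" : " ") $j
                break
            }
        printf "line %d: %s %s\n", NR, type, comment
    }' "$1"
}

# Steps 2 and 3: report the entries; in "remove" mode, empty the file.
# Returns 0 when the file holds no keys afterwards, 1 when keys remain.
audit_keys() {
    file=$1
    mode=${2:-audit}
    n=$(count_keys "$file")
    if [ "$n" -eq 0 ]; then
        echo "PASS: no keys in $file"
        return 0
    fi
    echo "FAIL: $n key(s) in $file"
    list_keys "$file"
    if [ "$mode" = "remove" ]; then
        : > "$file" && echo "REMOVED: $file emptied" && return 0
    fi
    return 1
}

# Runs only when called with an explicit mode, e.g. "sh script.sh audit".
case "${1:-}" in audit|remove) audit_keys "$KEYFILE" "$1" ;; esac
```

Run it with `audit` first and record the listed entries before using `remove`, since any unattended remote scripts that depend on those keys will stop authenticating.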

Supportive Information

The following resource is also helpful.

This control applies to the following type of system: VMware.

Source

Updated on July 16, 2022