5.7 Ensure the SSH authorized_keys file is empty

Information

ESXi hosts come with Secure Shell (SSH), which can be configured to authenticate remote users using public key authentication. For day-to-day operations, the ESXi host should be in lockdown mode with the SSH service disabled. Lockdown mode does not prevent root users from logging in using keys. The presence of a remote user's public key in the /etc/ssh/keys-root/authorized_keys file on an ESXi host identifies the user as trusted, meaning the user is granted access to the host without providing a password.

Disabling authorized_keys access may limit your ability to run unattended remote scripts.

Rationale:

Keeping the authorized_keys file empty prevents users from circumventing the intended restrictions of lockdown mode.

Solution

To remove all keys from the authorized_keys file, perform the following:

Logon to the ESXi shell as root or another admin user.

Edit the /etc/ssh/keys-root/authorized_keys file.

Remove all keys from the file and save the file.

Default Value:

The file is empty by default.

See Also

https://workbench.cisecurity.org/benchmarks/8020