ESXI-67-000029 - The ESXi host must remove keys from the SSH authorized_keys file.

Information

ESXi hosts come with SSH, which can be enabled to allow remote access without requiring user authentication. To enable password-free access, copy the remote user's public key into the '/etc/ssh/keys-root/authorized_keys' file on the ESXi host.

The presence of the remote user's public key in the 'authorized_keys' file identifies the user as trusted, meaning the user is granted access to the host without providing a password.

If using Lockdown Mode and SSH is disabled, then logon with authorized keys will have the same restrictions as username/password.

Solution

From an SSH session connected to the ESXi host, or from the ESXi shell, zero out or remove the /etc/ssh/keys-root/authorized_keys file:

# >/etc/ssh/keys-root/authorized_keys

or

# rm /etc/ssh/keys-root/authorized_keys

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_6-7_Y22M04_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CAT|II, CCI|CCI-000366, Rule-ID|SV-239284r674781_rule, STIG-ID|ESXI-67-000029, Vuln-ID|V-239284

Plugin: Unix

Control ID: 5d52455a5126a87a3280af7471670be8994d945114ca89673f5228fe98c2fd70