Detections
Analytics
ESXI-67-000029 - The ESXi host must remove keys from the SSH authorized_keys file.
Information
ESXi hosts come with SSH, which can be enabled to allow remote access without requiring user authentication. To enable password-free access, copy the remote user's public key into the '/etc/ssh/keys-root/authorized_keys' file on the ESXi host.The presence of the remote user's public key in the 'authorized_keys' file identifies the user as trusted, meaning the user is granted access to the host without providing a password.
If using Lockdown Mode and SSH is disabled, then logon with authorized keys will have the same restrictions as username/password.
Solution
From an SSH session connected to the ESXi host, or from the ESXi shell, zero out or remove the /etc/ssh/keys-root/authorized_keys file:# >/etc/ssh/keys-root/authorized_keys
or
# rm /etc/ssh/keys-root/authorized_keys
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_6-7_Y23M07_STIG.zip
Item Details
Audit Name: DISA STIG VMware vSphere 6.7 ESXi OS v1r3
Category: CONFIGURATION MANAGEMENT
References: 800-53|CM-6b., CAT|II, CCI|CCI-000366, Rule-ID|SV-239284r674781_rule, STIG-ID|ESXI-67-000029, Vuln-ID|V-239284
Plugin: Unix
Control ID: 713eb14f7738f438cc8efb0c5d5b2d087ea2f86f1c2c9982acc51d4b5c561626