
http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&docType=kc&externalId=1010027&sliceId=1&docTypeID=DT_KB_1_1&dialogID=152969949&stateId=0%200%20152971803


It is important to restrict user authentication and security settings so that you can tell which users performed which actions.

Controlling SSH remote root log in access

In ESX 3.x hosts, SSH remote root login is disabled by default. If you allow SSH remote root logins to an ESX host service console, you can track where the access to the root account was initiated from, but you cannot track who logged into the root account or which commands were executed. VMware therefore recommends that you restrict SSH remote root logins.
 
SSH remote root login is controlled by the PermitRootLogin parameter in the /etc/ssh/sshd_config file. To restrict SSH remote root logins completely, set the PermitRootLogin parameter to no.
 
To allow or deny SSH remote login for specific users, add the users to the AllowUsers and DenyUsers parameters in the /etc/ssh/sshd_config file.
 
For example: 
 
AllowUsers  msmith johnd jdoe user*
DenyUsers   cclark bbarker user11 gue*

Using the su command

By default all users can use the switch user (su) command. However, the user issuing the command must know the password of the account to which they are switching. Commands executed as root are not logged, but all attempts to use the su command to log in (whether successful or not) are logged.
 
To restrict who can use the su command, configure the wheel group in the /etc/group file. Add the appropriate users to the wheel group, using either the VMware Infrastructure (VI) Client or a command line to modify the /etc/group file. Users assigned to the wheel group can use the su command.
 
To enable wheel group authentication from a command line, remove the comment from this line in the /etc/pam.d/su file:
 
#auth       required     /lib/security/$ISA/pam_wheel.so use_uid
 
Do not remove the comment from this line:
 
#auth       sufficient   /lib/security/$ISA/pam_wheel.so trust use_uid

Users in the wheel group now have to enter the root password when switching to that account. Attempts to switch to the root account are logged in /var/log/messages.
 
Note: If you uncomment the line that starts with #auth sufficient..., users are not required to enter a password when switching to another account. Uncommenting this line lowers the overall security of the ESX host service console.

Using the sudo command

The sudo command allows a normal user to run commands with root privileges. On ESX hosts, sudo is installed but not configured.

Administrators can configure the commands that may be executed by users on a command-by-command and host-by-host basis. Sudo logs user activities in the /var/log/secure file. Using sudo to run root-privileged commands protects the root account because you do not have to give the root password to anyone.
 
In the /etc/sudoers file, use the visudo editor to define which users and groups can or cannot run specific commands on which hosts.
 
Here is the syntax of the /etc/sudoers file:
 
<user or group> <host> = (<runas>) <command(s)>
 
Here is an example entry for the /etc/sudoers file:
 
test123 ALL=(ALL) NOPASSWD: ALL
 
In this example, members of the test123 group can run any command on any host as root without entering a password.
 
Note: visudo protects the /etc/sudoers file against multiple simultaneous edits and checks the syntax of your entries.
 
Here is another example:
 
mike svresx3 = /usr/sbin/esxcfg-vmhbadevs
 
In this example, the user mike can run the command esxcfg-vmhbadevs as root on the host svresx3 only.
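The three settings above (PermitRootLogin and AllowUsers/DenyUsers in sshd_config, pam_wheel in /etc/pam.d/su, and NOPASSWD grants in sudoers) are easy to check from the service console. The following POSIX sh script is an added example, not part of the VMware KB article: each check_* function takes the path of a file to inspect and returns 0 when the file matches the recommendation, 1 otherwise. The function and file names are my own, and make_samples writes constructed sample files (built from the article's example lines) so the script runs offline; on a real host you would point the checks at /etc/ssh/sshd_config, /etc/pam.d/su and /etc/sudoers instead.

```shell
#!/bin/sh
# Added example (not from the VMware KB): audit the service-console settings
# discussed in the article. Each check_* function returns 0 when the file at
# $1 matches the recommendation, 1 otherwise. Sample files are constructed.

# sshd honours the first PermitRootLogin directive it reads, so inspect the
# first active (uncommented) one. Match blocks are not parsed here.
check_permit_root_login() {
    val=$(grep -iE '^[[:space:]]*PermitRootLogin[[:space:]]+' "$1" \
          | head -n 1 | awk '{print tolower($2)}')
    [ "$val" = "no" ]
}

# Print the active AllowUsers / DenyUsers lines for review. Note that once
# AllowUsers is present, any user not listed there cannot log in over SSH.
list_ssh_user_rules() {
    grep -iE '^[[:space:]]*(AllowUsers|DenyUsers)[[:space:]]+' "$1"
}

# 0 only if the "auth required ... pam_wheel.so" line is active AND the
# "auth sufficient ... pam_wheel.so ... trust" line is still commented out.
check_pam_wheel() {
    grep -E '^[[:space:]]*auth[[:space:]]+required[[:space:]]+[^[:space:]]*pam_wheel\.so' "$1" >/dev/null \
        || return 1
    if grep -E '^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+[^[:space:]]*pam_wheel\.so.*trust' "$1" >/dev/null; then
        return 1
    fi
    return 0
}

# 0 if no active sudoers line grants NOPASSWD; matching lines are printed so
# the administrator can decide whether each grant is intended.
check_sudoers_nopasswd() {
    hits=$(grep -vE '^[[:space:]]*#' "$1" | grep 'NOPASSWD:')
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Write constructed sample files (not copied from a real host) into $1.
make_samples() {
    mkdir -p "$1"
    cat > "$1/sshd_config" <<'EOF'
# constructed sample sshd_config
Protocol 2
PermitRootLogin no
AllowUsers  msmith johnd jdoe user*
DenyUsers   cclark bbarker user11 gue*
EOF
    # pam.d/su as the article recommends: required line active, trust line commented
    cat > "$1/su.good" <<'EOF'
auth       required     /lib/security/$ISA/pam_wheel.so use_uid
#auth       sufficient   /lib/security/$ISA/pam_wheel.so trust use_uid
EOF
    # pam.d/su with the trust line mistakenly uncommented (password bypass)
    cat > "$1/su.bad" <<'EOF'
auth       required     /lib/security/$ISA/pam_wheel.so use_uid
auth       sufficient   /lib/security/$ISA/pam_wheel.so trust use_uid
EOF
    # sudoers holding the article's two example entries
    cat > "$1/sudoers" <<'EOF'
test123 ALL=(ALL) NOPASSWD: ALL
mike svresx3 = /usr/sbin/esxcfg-vmhbadevs
EOF
}

# Run every check against one directory of files; returns 1 if any check fails.
audit_dir() {
    rc=0
    if check_permit_root_login "$1/sshd_config"; then
        echo "OK    PermitRootLogin is no"
    else
        echo "WARN  PermitRootLogin is not set to no"; rc=1
    fi
    list_ssh_user_rules "$1/sshd_config" | sed 's/^/INFO  /'
    for f in su.good su.bad; do
        if check_pam_wheel "$1/$f"; then
            echo "OK    $f: su restricted to the wheel group with a password"
        else
            echo "WARN  $f: su not restricted to wheel, or trust is enabled"; rc=1
        fi
    done
    if check_sudoers_nopasswd "$1/sudoers"; then
        echo "OK    sudoers: no NOPASSWD grants"
    else
        echo "WARN  sudoers: NOPASSWD grants found (listed above)"; rc=1
    fi
    return $rc
}

# Demo run on the constructed samples; su.bad and the sudoers entry warn.
tmp=$(mktemp -d)
make_samples "$tmp"
audit_dir "$tmp"
rm -rf "$tmp"
```

The checks deliberately ignore commented lines, so the su.bad sample (trust line uncommented) and the test123 NOPASSWD entry both produce WARN output, while the recommended su.good file and PermitRootLogin no pass. The sudoers check only flags NOPASSWD; whether a given grant such as the esxcfg-vmhbadevs line for mike is appropriate is still a judgement for the administrator.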

Restricting User Authentication and Security Settings, posted by Hojung, 2011.02.03