A seemingly minor point that for non-ESXi users can effectively lock you out of remotely logging into your ESX host's Service Console is buried away in the “NOTES” section of VMware’s vSphere 4.1 upgrade guide. It took me a while to work out why I was no longer able to log in with my account via SSH after upgrading from 4.0 to 4.1, so I thought it was worth mentioning in case anyone else sees this same problem (although it’s by design rather than a bug, another sign of the forthcoming enforced move to ESXi I would say).
Tucked away on the bottom of page 65 of the guide is the following:
“NOTE After upgrading to ESX 4.1, only the Administrator user has access to the service console. To grant service console access to other users after the upgrade, consider granting the Administrator permissions to other users.”
http://www.vmware.com/pdf/vsphere4/r41/vsp_41_upgrade_guide.pdf
So the end result is that if you follow best practice and have root login via SSH disabled, you’ll not be able to remotely log in to your Service Console until your previously unprivileged user is added to the root (or “Administrators” if you’re using AD authentication) group. In fact you won’t even be able to log into the Service Console locally with a non-root user, but you will be able to log in as root.
Looking at the configuration files, the change that has caused this is in /etc/security/access.conf: in ESX 4.1 only root, vpxuser, and vslauser have login access by default. This is also true for new installs, but it is less obvious there than during an upgrade, where you might have previously set up and used non-root users for Service Console SSH logins. The last entry in the file, -:ALL:ALL, is what denies other users login access. You can change this to +:ALL:ALL to allow all users to log in again, but unfortunately this change does not persist across reboots, so it’s not really a viable solution without a script to make the change after every boot, which is rather ugly.
The only permanent solution if you don’t want to use AD authentication is to add your user to the “root” group on the Service Console. You can do this in two ways: either use the vSphere Client to connect directly to the host as root, select the Local Users & Groups tab and add your user to the “root” group, or from the Service Console run the command “usermod -a -G 0 username” (in Linux the “root” group has GID 0 by default, and this is the case for the ESX Service Console too). This is not 100% ideal, as this user now has more file access privileges than you would want for an unprivileged user, but it is better than permitting root login via SSH – just keep those usernames and passwords safe!
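To make the mechanism behind both fixes concrete, here is an added example (my own illustration, not VMware's code or the upgrade guide's) that models how pam_access evaluates /etc/security/access.conf with first-match semantics: why a user in the "root" group satisfies the +:root:ALL rule, and what flipping the final -:ALL:ALL to +:ALL:ALL does. The rule set, group map, user names and origin address are constructed, and the evaluator is deliberately simplified (no EXCEPT clauses or (group) syntax).

```shell
#!/bin/sh
# Constructed rule set reproducing the ESX 4.1 default described above
# (assumption: exact file layout on a real host may differ).
ESX41_ACCESS_CONF='+:root:ALL
+:vpxuser:ALL
+:vslauser:ALL
-:ALL:ALL'

# Constructed stand-in for /etc/group: "group:member,member".
GROUP_MAP='root:
wheel:alice'

# user_in_group USER GROUP -> exit 0 if USER is listed under GROUP.
user_in_group() {
  printf '%s\n' "$GROUP_MAP" | {
    while IFS=: read -r grp members; do
      [ "$grp" = "$2" ] || continue
      case ",$members," in *",$1,"*) exit 0 ;; esac
    done
    exit 1
  }
}

# Model of "usermod -a -G 0 USER": append USER to the root group.
add_to_root_group() {
  GROUP_MAP=$(printf '%s\n' "$GROUP_MAP" | awk -F: -v OFS=: -v u="$1" \
    '$1 == "root" { $2 = ($2 == "" ? u : $2 "," u) } { print }')
}

# access_decision USER ORIGIN [CONF]: prints "allow" or "deny".
# pam_access semantics: first rule whose user list (login or group name,
# or ALL) and origin list match decides; no matching rule means allow.
access_decision() {
  user=$1; origin=$2; conf=${3:-$ESX41_ACCESS_CONF}
  verdict=$(printf '%s\n' "$conf" | while IFS=: read -r perm users origins; do
    case $perm in '#'*|'') continue ;; esac
    umatch=0; omatch=0
    IFS=,
    for u in $users; do
      if [ "$u" = ALL ] || [ "$u" = "$user" ] || user_in_group "$user" "$u"; then umatch=1; fi
    done
    for o in $origins; do
      if [ "$o" = ALL ] || [ "$o" = "$origin" ]; then omatch=1; fi
    done
    unset IFS
    if [ "$umatch" = 1 ] && [ "$omatch" = 1 ]; then
      [ "$perm" = '+' ] && echo allow || echo deny
      break
    fi
  done)
  echo "${verdict:-allow}"
}
```

Running access_decision for an ordinary user against the default rules yields deny; after add_to_root_group it yields allow, which is exactly what the usermod fix achieves on the host.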
I hope this saves some people the time I spent head-scratching trying to work out why my user passwords all no longer seemed to work no matter what I set them to. Enjoy the Service Console while it lasts, because I have a strong hunch it won’t be with us for too much longer!