It is that time of the week for the security advisories again. One interesting thing of note is that for the first time ESX 2.x.x is not even considered, and VMware Server has also been dropped from the list of Hosted platforms.
Also note the warning about ESX 3.0.3, as its EOL is nigh.
Continue reading “VMware Security Advisory – VMSA-2010-0015”
A seemingly minor point that, for non-ESXi users, can effectively lock you out of remotely logging in to your ESX host’s Service Console is buried away in the “NOTES” section of VMware’s vSphere 4.1 upgrade guide. It took me a while to work out why I was no longer able to log in with my account via SSH after upgrading from 4.0 to 4.1, so I thought it was worth mentioning in case anyone else sees this same problem (although it’s by design rather than a bug, another sign of the forthcoming enforced move to ESXi I would say).
Tucked away on the bottom of page 65 of the guide is the following:
“NOTE After upgrading to ESX 4.1, only the Administrator user has access to the service console. To grant service console access to other users after the upgrade, consider granting the Administrator permissions to other users.”
So the end result is that, if you follow best practices and have root login via SSH disabled, you’ll not be able to remotely log in to your Service Console until your previously unprivileged user is added to the root (or “Administrators” if you’re using AD Authentication) group. In fact you won’t even be able to log in to the Service Console locally with a non-root user, but you will be able to log in as root.
Looking at the configuration files, the change that has caused this is in /etc/security/access.conf: in ESX 4.1 only root, vpxuser, and vslauser have login access by default. This is also true for new installs, but it is less obvious there than during an upgrade, where you might have previously set up and used non-root users for Service Console SSH logins. The last entry in the file, -:ALL:ALL, is what denies other users login access. You can change this to +:ALL:ALL to allow all users to log in again, but unfortunately this change does not persist across reboots, so it’s not really a viable solution without a script to make the change after every boot, which is rather ugly.
The only permanent solution if you don’t want to use AD authentication is to add your user to the “root” group on the Service Console. You can do this in two ways: either use the vSphere Client to connect directly to the host as root – selecting the Local Users & Groups tab and adding your user to the “root” group – or, from the Service Console, use the command “usermod -a -G 0 username” (in Linux the “root” group is represented by “0” by default, and this is the case for the ESX Service Console too). This is not 100% ideal, as this user now has more file access privileges than you would want for an unprivileged user, but it is better than permitting root login via SSH – just keep those usernames and passwords safe!
I hope this saves some people the time I spent head-scratching trying to work out why my user passwords all no longer seemed to work no matter what I set them to. Enjoy the Service Console while it lasts because I have a strong hunch it won’t be with us for too much longer!
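The access.conf behaviour described above can be checked with a small first-match evaluator. This is an added example, not code from the original post or from VMware: the sample file is constructed from the post's description rather than copied from a real host, and it assumes standard pam_access semantics, where a token in the users field matches either a login name or a group name (which would explain why membership of the "root" group restores access).

```python
# Added example: simplified first-match evaluation of pam_access rules.
# Supports only "permission:users:origins" lines with user names, group
# names and ALL; EXCEPT, netgroups and host patterns are not handled.

# Constructed sample modelled on the post's description of the ESX 4.1
# defaults; it is not a copy of the real /etc/security/access.conf.
ESX41_DEFAULT = """\
# constructed sample
+:root:ALL
+:vpxuser:ALL
+:vslauser:ALL
-:ALL:ALL
"""


def parse_rules(text):
    """Return a list of (permission, users, origins) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(":", 2)]
        if len(parts) != 3 or parts[0] not in ("+", "-"):
            raise ValueError("malformed rule: %r" % raw)
        rules.append((parts[0], parts[1].split(), parts[2].split()))
    return rules


def login_allowed(text, user, groups=(), origin="ssh-client.example"):
    """First matching rule decides; pam_access allows when nothing matches."""
    # Assumption: group names are matched like user names (pam_access default).
    names = {user} | set(groups)
    for perm, users, origins in parse_rules(text):
        user_hit = "ALL" in users or bool(names & set(users))
        origin_hit = "ALL" in origins or origin in origins
        if user_hit and origin_hit:
            return perm == "+"
    return True


if __name__ == "__main__":
    # "alice" is a hypothetical unprivileged account.
    print(login_allowed(ESX41_DEFAULT, "alice", ["users"]))
    print(login_allowed(ESX41_DEFAULT, "alice", ["users", "root"]))
```

Running the same check against a copy of a host's own access.conf, with the output of "id -Gn username" as the group list, shows which accounts the final deny rule will lock out before an upgrade is attempted.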
While the whole world is focused on VMworld, VMware has snuck two more security advisories out the door. As is PlanetVM.NET’s usual wont, they are printed below in full.
Continue reading “VMware Security Advisory – VMSA-2010-0013”
Another security advisory from VMware today, this time about VMware Studio.
Continue reading “VMware Security Advisory:- VMSA-2010-0011”
VMware have been touting all over Twitter today about an issue but not actually informing us what it was. There have been rather cryptic warnings about an issue with ESX U2 and VDI; these warnings have been going out since early morning UK time, and it is now 8pm UK time, and finally:
Continue reading “Warning ESX U2 and PCoIP”
There have been reports that a couple of Microsoft security updates for the month of June are causing some issues with VMware vCenter; the main one is KB 980773 – this is an update to DotNet. While I am in the process of rebuilding my test lab, this will be something I will definitely test out prior to updating our production vCenter server this month. For a little more information on the subject, there is a small discussion going on in the VMware forums regarding this issue; this should be a decent source of information until more is discovered later on. http://communities.vmware.com/message/1549225
Recently, whilst doing some research on another VMware-related topic, I came across the name of a new package on my Ubuntu 10.04 desktop. It is called vmfs-tools and it caught my attention.
Continue reading “Using linux vmfs-tools package to access virtual machines”
These were in my mailbox on my return from vacation, so as the saying goes, better late than never. One of three
Continue reading “VMware Security Advisory:-VMSA-2010-0009”