Which action should an administrator perform to allow ESXi Shell or SSH access for users with
A. Grant the users the administrator role and enable the service.
B. Add the users to Exception Users and enable the service.
C. No action can be taken, Strict Lockdown Mode prevents direct access.
D. Add t he users to vsphere.local and enable the service.
ockdown mode has been around in various forms for many releases. The behaviors have changed a few times since 5.1 with varying levels of usability success. For vSphere 6.0 we are trying to address some of these issues. Personally, what I’d love to see happen with all customers running V6.0 is that you run at a minimum the “Normal” Lockdown Mode.
With vSphere 6 we are introducing a couple of new concepts
- Normal Lockdown Mode
- Strict Lockdown Mode
- Exception Users
For this blog article we’ll focus on the two Lockdown Modes. Exception users will be covered in the next blog article.
One of the stumbling blocks for customers implementing Lockdown Mode was that it was either on or off. In 5.1 only the “root” user could log into the DCUI. In 5.5 you could add users to the “DCUI.Access” list in the Host Advanced Settings. They did not need full administrative privileges. But they could bypass lockdown mode and access the DCUI.
Starting with vSphere 6.0, you can select either Normal lockdown mode or Strict lockdown mode, depending on your security requirements. With that, let’s dive in!
NORMAL LOCKDOWN MODE
In normal lockdown mode the DCUI service is not stopped. If the connection to the vCenter Server system is lost and access through the vSphere Web Client is no longer available, privileged accounts can log in to the ESXi host’s Direct Console Interface and exit lockdown mode. Only the following accounts can access the Direct Console User Interface:
- Accounts in the Exception User list for lockdown mode who have administrative privileges on the host. The Exception Users list is meant for service accounts that perform very specific tasks. Adding ESXi administrators to this list defeats the purpose of lockdown mode.
- Users defined in the DCUI.Access advanced option for the host. This option is for emergency access to the Direct Console Interface in case the connection to vCenter Server is lost. These users do not require administrative privileges on the host.
STRICT LOCKDOWN MODE
In strict lockdown mode, which is new in vSphere 6.0, the DCUI service is stopped. If the connection to vCenter Server is lost and the vSphere Web Client is no longer available, the ESXi host becomes unavailable unless the ESXi Shell and SSH services are enabled and Exception Users are defined. If you cannot restore the connection to the vCenter Server system, you have to reinstall the host.
LOCKDOWN MODE AND THE ESXI SHELL AND SSH SERVICES
Strict lockdown mode stops the DCUI service. However, the ESXi Shell and SSH services are independent of lockdown mode. For lockdown mode to be an effective security measure, ensure that the ESXi Shell and SSH services are also disabled. Those services are disabled by default.
When a host is in lockdown mode, users on the Exception Users list can access the host from the ESXi Shell and through SSH if they have the Administrator role on the host and if these services are enabled. This access is possible even in strict lockdown mode. Leaving the ESXi Shell service and the SSH service disabled is the most secure option.
Read the full story on VMware blog