Guideline ID : ESXi.remove-authorized-keys

Vulnerability Discussion : ESXi hosts ship with an SSH service that, once enabled, can allow remote access without a password. Password-free access is set up by copying the remote user's public key into the “/etc/ssh/keys-root/authorized_keys” file on the ESXi host. The presence of the remote user's public key in the “authorized_keys” file identifies that user as trusted, so the user is granted access to the host without providing a password. If Lockdown Mode is in use and SSH is disabled, login with authorized keys is subject to the same restrictions as username/password login. This is a change enacted in 5.1 that was not previously documented correctly.

Risk Profile : 1, 23

Description : Disable Authorized (SSH) Keys

Procedure

  • For day-to-day operations, disable SSH on ESXi hosts.
  • If SSH is enabled, even temporarily, monitor the contents of the /etc/ssh/keys-root/authorized_keys file to ensure that no users are allowed to access the host without proper authentication.
  • Monitor the /etc/ssh/keys-root/authorized_keys file to verify that it is empty and no SSH keys have been added to the file.
  • If you find that the /etc/ssh/keys-root/authorized_keys file is not empty, remove any keys.
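The monitoring and clean-up steps above can be scripted. The following POSIX shell script is an added example written for this page; it is not part of the VMware hardening guide and is not an ESXi-supplied tool. It assumes only a BusyBox-style sh with grep, awk, sed, cp and mktemp (all present on ESXi). It counts active key lines in an authorized_keys file, reports each key's type and comment without printing the key material itself, and backs up and empties the file as the remediation step. The sample authorized_keys content at the bottom is constructed for the demonstration and is not a real key.

```sh
#!/bin/sh
# Audit and remediate an ESXi-style authorized_keys file.
# Default location on ESXi: /etc/ssh/keys-root/authorized_keys

# Print the number of active (non-blank, non-comment) key lines in file $1.
# A missing file counts as zero keys (compliant).
count_authorized_keys() {
    f="$1"
    [ -f "$f" ] || { echo 0; return 0; }
    # grep -c prints the count but exits 1 when it is zero; swallow that status
    grep -c -v -E '^[[:space:]]*(#|$)' "$f" || true
}

# Print one summary line per active key: "<key-type> <comment>".
# authorized_keys lines may start with options such as from="..." before the
# key type, so scan fields until a known key type is found. Note: options whose
# quoted value contains whitespace (e.g. command="a b") are not handled here.
list_authorized_keys() {
    f="$1"
    [ -f "$f" ] || return 0
    grep -v -E '^[[:space:]]*(#|$)' "$f" | awk '{
        i = 1
        while (i <= NF && $i !~ /^(ssh-rsa|ssh-ed25519|ssh-dss|ecdsa-sha2-nistp(256|384|521))$/) i++
        if (i > NF) { print "unparsed line"; next }
        comment = ""
        for (j = i + 2; j <= NF; j++) comment = comment (comment == "" ? "" : " ") $j
        printf "%s %s\n", $i, (comment == "" ? "(no comment)" : comment)
    }'
}

# Audit: return 0 when the file holds no keys (compliant), 1 when keys are present.
audit_authorized_keys() {
    f="$1"
    n=$(count_authorized_keys "$f")
    if [ "$n" -eq 0 ]; then
        echo "OK: $f contains no authorized keys"
        return 0
    fi
    echo "FINDING: $f contains $n authorized key(s):"
    list_authorized_keys "$f" | sed 's/^/  /'
    return 1
}

# Remediation: keep a timestamped copy for the incident record, then empty the
# file so that no key grants password-free root access.
remove_authorized_keys() {
    f="$1"
    [ -f "$f" ] || return 0
    cp "$f" "$f.bak.$(date +%Y%m%d%H%M%S)"
    : > "$f"
}

# Demonstration on a constructed sample file (not a real key, not an ESXi path).
demo() {
    tmp=$(mktemp -d)
    sample="$tmp/authorized_keys"
    cat > "$sample" <<'EOF'
# constructed sample for the demonstration; the key blob below is not real
from="10.0.0.5" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialNotReal admin@jumphost
EOF
    audit_authorized_keys "$sample" || true   # FINDING: 1 key, "ssh-ed25519 admin@jumphost"
    remove_authorized_keys "$sample"
    audit_authorized_keys "$sample"           # OK: file is now empty
    rm -rf "$tmp"
}
demo
```

On an ESXi host, replace the final `demo` call with `audit_authorized_keys /etc/ssh/keys-root/authorized_keys` to perform the real check; a non-zero exit status then signals a finding that a monitoring job can act on. Only run `remove_authorized_keys` after confirming that the listed key is not one your change process deliberately placed there.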

Suggestions are welcome.