How to allow non-root users to run ESX management commands

Author: NetworkAdminKB.com
Created: 2009-10-28
Modified: 2009-10-31

Information:

By default the root user cannot log in to the ESX host over telnet, SSH, SCP, etc.  In general it is considered a best practice to grant another user SSH access and then issue the su --login command to gain root privileges.  However, there may be times when you want a user with SSH access who does not know the root password.  In that case you need to configure the /etc/sudoers file so that the user can execute one or more commands through the sudo command syntax.

1)      Login to the ESX host as root

2)      Create a group to manage the user access using the following command

groupadd esxadmins

3)      Add users to the group by editing the /etc/group file using the following command

nano /etc/group

4)      Insert the following line at the end of the /etc/group file

esxadmins:x:505:user1,user2

Note: groupadd in step 2 already created an esxadmins line in /etc/group with the GID it assigned; append the user names to that line rather than leaving two esxadmins entries in the file.

a.       esxadmins is the group name you created earlier

b.      505 is the group ID

c.       user1,user2 are the user names to add to the group (comma separated, no spaces)

d.      You can edit the file using the following command or any other text editor (vi, vim, etc).

nano /etc/group

e.       Save the file with Ctrl-O

f.        Exit nano with Ctrl-X

5)      Edit the /etc/sudoers file by issuing the following command

visudo


a.       At the end of the file add the following line so that members of esxadmins can run all ESX commands.

%esxadmins            ALL=(ALL)    ALL

Note: This allows users who are members of the esxadmins group to run any ESX server command through the sudo command syntax (they are prompted for their own password).

i.      Other possible entries that limit the grant to one user or to specific commands, without requiring a password:

username ALL=/sbin/service,      NOPASSWD: /sbin/service

%users  ALL=/usr/sbin/esxcfg-nics,     NOPASSWD: /usr/sbin/esxcfg-nics


Notes:

%users is a predefined group of which all users are automatically members.

NOPASSWD: ALL will result in all commands being accessible regardless of the command list that precedes it.

Omitting NOPASSWD prompts for the current user's password before the command runs.

Separate more than one command with commas, as in the examples above.

b.      Type the following to exit visudo and save the file

i.      Press ESC

ii.      Type  :wq!

c.       Examples of sudo commands the user could run.

sudo /sbin/service mgmt-vmware status

sudo /sbin/service --status-all

sudo /usr/sbin/esxcfg-vswitch -l
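The following audit script is an added example, not part of the original article: it parses sudoers entries of the shape shown above and flags the grants the notes warn about (an ALL command list, NOPASSWD: ALL, a %users grant, and commands run together with spaces instead of commas). The sample entries are constructed from the article's examples plus two variants.

```python
"""Audit sudoers entries of the form  who host=(runas) [TAG:] cmd, [TAG:] cmd ..."""
import re

# Constructed sample: the three entries from the article plus two variants
# (a NOPASSWD: ALL tail, and commands separated by spaces instead of commas).
SAMPLE_SUDOERS = """\
# esxadmins may run everything, password required
%esxadmins            ALL=(ALL)    ALL
username ALL=/sbin/service,      NOPASSWD: /sbin/service
%users  ALL=/usr/sbin/esxcfg-nics,     NOPASSWD: /usr/sbin/esxcfg-nics
user3 ALL=/sbin/service, NOPASSWD: ALL
user4 ALL=/sbin/service /usr/sbin/esxcfg-nics
"""
ENTRY_RE = re.compile(r"^(\S+)\s+(\S+?)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")

def parse_entry(line):
    """Return (who, host, runas, [(tag, cmd), ...]); None for blank or comment lines."""
    line = line.split("#", 1)[0].strip()
    m = ENTRY_RE.match(line) if line else None
    if not m:
        return None
    who, host, runas, cmnd_list = m.groups()
    cmds, tag = [], None
    for item in cmnd_list.split(","):
        item = item.strip()
        if ":" in item:  # a tag such as NOPASSWD: applies to this and every later command
            tag, item = (part.strip() for part in item.split(":", 1))
        cmds.append((tag, item))
    return who, host, runas or "root", cmds

def audit(text):
    """Return (who, message) findings for grants broader than the notes above intend."""
    findings = []
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        who, _host, runas, cmds = entry
        if who == "%users":
            findings.append((who, "every login user inherits this grant"))
        for tag, cmd in cmds:
            words = cmd.split()
            if cmd == "ALL":
                suffix = " without a password" if tag == "NOPASSWD" else ""
                findings.append((who, f"may run any command as ({runas}){suffix}"))
            elif not words[0].startswith("/"):
                findings.append((who, f"command is not an absolute path: {words[0]}"))
            elif any(arg.startswith("/") for arg in words[1:]):
                findings.append((who, f"space-separated paths are one command plus arguments: {cmd}"))
    return findings
```

Run it against a copy of /etc/sudoers after editing with visudo; the user4 style entry is reported because sudo reads it as /sbin/service with an argument, not as two commands.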


More Information:

This type of configuration is also useful for allowing scripts to configure or manage ESX servers via an SSH shell.

Here are common Linux / ESX commands that may be of benefit.

To determine the path to a file you can use the whereis command.

For more information on the sudo command type man sudo

For more information on the sudoers file type man sudoers


Article ID: 204, Created On: 9/18/2011, Modified: 9/18/2011