VMware Enable SSH (vSphere ESX)

 

VMware Enable SSH KB ID 0000299 

Problem

Should you wish to get SSH (remote secure console) access to your ESX  hosts, you need to do the following.

ESX Version 8 and Newer

ESX Version 6.5 and Newer

ESX version 5 and Newer

ESX version 4.1.0

ESX version 4.0.0 and earlier

ESX version 4.0.0 and earlier

Solution

VMware Enable SSH ESX 8.0

Directly on an ESX Host: If you have a stand-alone ESX Server running version 8.x, Log in via the web console >  Select ‘Host’ > Actions > Services > Enable Secure Shell (SSH).

Via vSphere/vCenter: If you want to enable SSH on an ESX host through the vCenter Web client then, from the ‘hosts and datacentres’ view > Select the Host  > Configure > Services > Locate SSH > Start.

Enable SSH Permanently: Some people don’t want this enabled for security reasons, and in production that makes sense, but on my test network I always have SSH enabled. from the same screen as above with SSH selected > Edit Start-up Policy > Select ‘Start an stop with host” > OK.

VMware Enable SSH 6.5

If you have a stand-alone ESX Server running version 6.5, it’s a lot easier to enable ESX access. Select ‘Host’ > Actions > Service > Enable Secure Shell (SSH). Note: You can also enable the direct console access here.

If you want to enable SSH on an ESX host through the vCenter Web client then, from the ‘hosts and datacenters’ view > Select the Host  > Configure > Security Profile > Scroll down to ‘Services’ > Edit.

Locate ‘SSH > Start > OK.

Once enabled you will see the following warning on the hosts summary page, however, in version 6.5 you can suppress this error.

VMware Enable SSH ESX 5

ESX 5 has a built in firewall, which can have SSH opened in the VI clients, or just as with version 4.1.0 you can enable SSH Locally from the console from troubleshooting options.

Enable Remotely

1. Log into the host with the VI client > Select the host > Configuration > Security Profile > Properties.

2. Locate SSH Server > Tick it > Options > You can either manually start it or set it to start automatically.

3. You will see the following warning to “retrieve” the firewall settings (because you have just changed them) > Select Yes.

Note: Having it running will still cause the “Configuration Issues – SSH for the host has been enabled” nag screen on the summary tab of the host.

VMware Enable SSH ESX 4.0.1

Starting with version 4.0.1 you can enable SSH access from the server console.

1. Go to the normal ESX console > Press F2 > Log in >Troubleshooting Options.

2. Select “Enable Remote Tech support” toggle on and off with {enter} if you want to SSH in the server remotely using PuTTy for example > If you want to log on directly at the console choose “Enable Local Tech Support”.

3. Note: Having it running will still cause the “Configuration Issues – Remote Tech support Mode (SSH) for the host {hostname} has been enabled” nag screen on the summary tab of the host.

Grant SSH Access to ESX 4.0.0 and earlier

1. Go to the normal ESXi console.

2. Press ALT+F1 > the screen will change > Type unsupported {enter} > Note: Nothing will appear on the screen till you hit {enter} > Type in the root password and press {enter}.

3. You now need to edit a config file, the only editor we have is vi (sorry) issue the following command,

[box]vi /etc/inetd.conf[/box]

4. The vi editor will open the file, use the arrow keys to move down to the line that says,

[box]#ssh stream tcp nowait root…[/box]

Press I on the keyboard (that puts the vi editor into insert mode) and delete the hash “#” mark from the beginning of the line.

5 Then, to save the changes press {Esc} > type in :wq {Enter} (that’s write the changes and quit if you’re interested).

6. Enter the following command.

[box]

cat /var/run/inetd.pid

[/box]

It will provide you with a number, (in the example below its 4983, yours will be different).

7. Issue the following command.

[box]

kill -HUP {the number you got from above}

[/box]

8. To get back to the usual ESXi screen and exit command line press ALT+F2.

9. You can now connect with an SSH client like Putty.

 

Related Articles, References, Credits, or External Links

Original Article written: 07/12/11

ESX4 – Grant Root User SSH Access

Thanks to Dave Corrasa for the feedback.

ASA Connection Error: ‘The First Key-Exchange Algorithm’

KB ID 0001476

Problem

When attempting to connect to a Cisco ASA firewall via SSH you see the following error;

The first key-exchange algorithm supported by the server is diffie-hellman-group1-sha1, which is below the configured warning threshold.
Do you want to continue with this connection?

Clicking ‘Yes’ will let you connect.

Solution

When connected, execute the following commands;

[box]conf t

ssh key-exchange group dh-group14-sha1

write mem[/box]

Problem solved.

Related Articles, References, Credits, or External Links

How Diffie Hellman Works

Connecting to and Managing Cisco Firewalls

Also see “Allow Remote Management

KB ID 0000075

Problem

To connect to and manage a Cisco firewall you need three things,

  1. To be in possession of a password, (and in some cases a username).
  2. Have the ‘Method of Access granted to you’ (or have physical access to the firewall).
  3. Know a ‘Method of Access‘ to the firewall for management.

Cisco Firewall Passwords

Unless your firewall is brand new (in which case the passwords will either be {blank} or cisco), to access a Cisco firewall you will need a password, (this stands to reason it is a security device after all!).

Cisco Firewall Usernames

As for usernames, with a few exceptions, you do not USUALLY need a username. Those exceptions being;

  1. Access via SSH needs a username (before version 8.4 you could use the username pix, and the Telnet password, this no longer works).
  2. If you have set up authentication to be done by AAA.

Cisco Firewall Forgotten Password Recovery

If you do not know the password then you need to perform some password recovery.

Cisco ASA – Methods of Access.

1. Console Cable: This uses the rollover cable that came with the firewall, They are usually pale blue in colour, and the more modern ones have a moulded serial socket on them. The older ones have a grey network to serial converter that plugs on the end. Access is via some Terminal Emulation Software, e.g. PuTTy or HyperTerminal. This method of access is enabled by default, but requires physical access to the devices console port.

2. Telnet: This simply allows connection via a telnet client, all versions of Windows have one, though Microsoft have done a good job of Hiding it in Windows 7. You can also use PuTTy, HyperTerminal, or another third party telnet client. This is considered the LEAST SECURE method of connection, (as passwords are sent in clear text). On a new firewall the telnet password is usually set to cisco (all lower case).

3. Web Browser: (How the vast majority of people access the firewall). Depending on the age and version of the firewall dictates what “Web Server” you are connecting to, devices running Version 7 and above use the “Adaptive Security Device Manager”. Cisco firewalls running an Operating system of version 6 and below use the “PIX Device Manager”. Both the ADSM and the PDM have a similar look and feel, and both require you have to Java installed and working.

4. SSH: Secure Sockets Handshake: This is sometimes called “secure telnet” as it does not send passwords and user names in clear text. It requires you supply a username and a password. Firewalls running an OS older than 8.4 can use the username of pix and the telnet password. After version 8.4 you need to enable AAA authentication and have a username and password setup for SSH access.

5. ASDM Client software: (Version 7 firewalls and above). You will need to have the software installed on your PC for this to work (you can download it from the firewall’s web interface, or install from the CD that came with the firewall).

Cisco ASA Remote Management via VPN

Even if you allow traffic for a remote subnet, there are additional steps you need to take to allow either a remote client VPN session, or a machine at another site that’s connected via VPN. Click here for details.

Solution

Connecting to a Cisco Firewall Using a Console Cable

Obviously before you start you will need a console cable, you CAN NOT use a normal network cable, OR a crossover cable as they are wired differently! They are wired the opposite way round at each end, for this reason some people (and some documentation) refer to them as rollover cables. They are usually Pale blue (or black). Note if you find your console cable is too short you can extend it with a normal network cable coupler and a standard straight through network cable.

On each end of the console cable the wiring is reversed.

Old (Top) and New (Bottom) versions of the Console Cable.

Note: If you don’t have a serial socket on your PC or Laptop you will need a USB to Serial converter (this will need a driver installing to add another COM Port to the PC).

 

 

 

 

Option 1 Using PuTTY for Serial Access.

1. Connect your console cable, then download and run PuTTy. (I’m assuming you are using the COM1 socket on your machine, if you have multiple serial sockets then change accordingly).

2. By default PuTTy will connect with the correct port settings, if you want to change the settings see the option I’ve indicated below. Simply select Serial and then ‘Open’.

3. You will be connected. (Note: The password you see me entering below is the enable password).

Option 2 Using HyperTerminal for Serial Access

1. Connect your console cable, then download install and run HyperTerminal. (Note: With Windows XP and older it’s included with Windows, look in > All Programs > Communications). Give your connection a name > OK.

2. Change the ‘Connect Using’ option to COM1 > OK.

3. Set the connection port settings from top to bottom, they are, 9600, 8, None, 1, None > Apply > OK.

4. You will be connected. (Note: The password you see me entering below is the enable password).

Connecting to a Cisco Firewall via Telnet

To connect via telnet, the IP address you are connecting from (or the network you are in) has to have been granted access. If you cannot access the firewall using Telnet then you will need to connect via a console cable. Note Windows 7/2008/Vista needs to have telnet added.

Option 1 Use Windows Telnet Client for Firewall Access

1. Ensure you have a network connection to the firewall and you know its IP address > Start.

2. In the search/run box type cmd {enter}.

3. Execute the telnet command followed by the IP address of the firewall.

Windows – ‘Telnet’ is not recognized as an internal or external command

4. Enter the telnet password (default password is cisco).

Option 2 Use PuTTy for Telnet Firewall Access

1. Ensure you have a network connection to the firewall and you know its IP address > Launch PuTTy.

2. Select Telnet > Enter the IP address of the firewall > Open.

3. Enter the telnet password (default password is cisco).

Option 2 Use HyperTerminal for Telnet Firewall Access

1. Ensure you have a network connection to the firewall and you know its IP address > Launch HyperTerminal.

2. Give the connection a name > OK.

3. Change the ‘Connect using’ section to TCP/IP (Winsock) > Enter the IP address of the firewall > OK.

4. Enter the telnet password (default password is cisco).

Connect to to a Cisco Firewall via Web Browser

To connect via Web Browser – the firewall’s internal web server needs to be enabled in the firewall configuration, and the IP address of the machine you are on (or the network it is in, also needs to be allowed). If you cannot connect from your web browser you will need to establish a console cable connection.

Also to access via this method you need to know the firewall’s “Enable Password”. If you use a proxy server then you will need to remove it from the browser settings while you carry out the following. Ensure also that you have Java installed and working.

1. Ensure you have a network connection to the firewall and you know its IP address > launch your web browser.

2. If you are using IE7 (or newer) you will need to click “Continue to this web site (not Recommended)”. IE6 Users will see this instead.

3. Click “Run ASDM” (older versions say ‘Run ADSM Applet’). Note: for information on the other option ‘Install ASDM launcher…’ see connecting via ASDM).

The Startup Wizard is for setting up a new firewall, I don’t recommend you ever use this unless you follow this guide.

4. You might receive a few Java warning messages, answer them in the affirmative.

5. Run.

6. Enter the ‘Enable’ password > OK.

7. You will be connected.

Connecting to a Cisco Firewall via SSH

To connect via SSH the IP address of the PC you are on, (or the network it is in) needs to have been allowed SSH Access in the firewall’s configuration. You will also need an SSH Client, I prefer PuTTy because its free and works.

Note: After version 8.4 you can only access the Cisco ASA using AAA authentication, see here. Prior to version 8.4 you can use the username of ‘pix’ and the firewall’s telnet password.

1. Ensure you have a network connection to the firewall and you know its IP address > Launch PuTTy.

2. Tick SSH > enter the IP address of the firewall > Open.

3. The first time you connect you will be asked to accept the certificate > Yes.

4. You will be connected, supply the username and password configured for AAA access., (or username pix and the telnet password if you are older than version 8.4).

Connecting to a Cisco Firewall via ASDM Client Software

As the name implies you need a v7 (or newer) firewall running ASDM for this to work 🙂 Essentially this is just a “Posh” front end for the firewall’s internal web server, so the same rules apply, the http server must be enabled, the PC you are on (or the network it’s in) need to be allowed https access to the firewall. Also you will need to know the enable password.

1. Ensure you have a network connection to the firewall and you know its IP address > launch your web browser.

2. If you are using IE7 (or newer) you will need to click “Continue to this web site (not Recommended)”. IE6 Users will see this instead.

3. Select ‘Install ASDM Launcher and Run ASDM’.

4. The username is usually blank (unless you are using AAA), and you will need to enter the enable password.

5. Run (or save if you want to install manually later).

6. Accept all the defaults.

7. The ASDM, will once again ask for the password. (By default it will place a shortcut on the desktop for the next time you need to access the firewall).

8. The ASDM will launch and you will be connected.

Connecting to a Cisco Firewall via Pix Device Manager

1. Open your web browser and navigate to the following,

https://{inside IP address of the firewall}

Note if you are using IE7 (or newer) you will need to click “Continue to this web site (not Recommended)”.

IE6 Users will see this instead

2. If Prompted leave the username blank, and the password is the firewall’s enable password.

Note if you are using AAA you might need to enter a username and password.

3. You will see this.

4.You might receive a few Java warning messages, answer them in the affirmative, on some newer versions of Java you may also need to enter the password a second time.

5. The PDM opens. You are successfully connected.

Related Articles, References, Credits, or External Links

Cisco ASA – Allow Remote Management

Manage your firewall form your Windows Mobile device

Cisco ASA 5500 – Remote Management via VPN

Originally Written 09/11/09

ESX 4/5 – Grant Root User SSH Access

for ESXi click here

KB ID 0000278 

Problem

ESX is built on Linux – and in the Linux environment, to root user is denied SSH access, there are valid security reasons for this, and you can SSH to the ESX box as a normal user and then issue the “su -” command to switch to root access.

However, some of us still want to SSH in as root, here’s how to do it.

Solution

1. Create a user on your ESX Server (Ensure the user is granted “Shell access”).

2. Connect to your ESX server via SSH (using PuTTy) with the credentials you created above.(Note: if using another SSH client, use SSH2).

3. Execute the following command,

[box]su -[/box]

4. Give it the root password.

5. Execute the following command,

[box]cd /etc/ssh[/box]

6. Execute the following command,

[box]nano sshd_config[/box]

7. Locate the line saying PermitRootLogin no and change it to Yes (Note: Use the arrow keys).

8. Type CTRL+X answer Y for Yes > Then press Enter to confirm.

9. Execute the following commands,

[box]

service sshd restart
esxcfg-firewall -e sshServer
esxcfg-firewall -e sshClient

[/box]

Related Articles, References, Credits, or External Links

NA

VMware ESXi 5 – Applying Patches and Updates

(ESXi 5 Update 1 and Patches)

KB ID 0000623

Problem

When VMware released ESX 4.1, they took away the “Host update utility”, (which was a mistake!). For people without VMware Update Manager, you now have to either put in the CD/DVD and do an ‘in place upgrade’, or grow a ginger pony tail and put some socks/sandals on and do some Linux.

Below I’ve got a build of ESX with no updates on it, I’m going to apply the ‘Update 1″ then the most recent patch to bring the host up to date (at time of writing).

Solution

1. Whilst connected to your host with the VI client > Select the host > Configuration > Security Profile > Services Section > Properties > SSH > Options >Start > OK > OK > Exit the VI client.

2. Connect to the host via an SSH command window (PuTTy shown). Log on as the root user, to check your current ‘build’ version issue the following command;

[box]vmware -v[/box]

3. You should have a fair idea what piece of storage has the most free space already, this host only has one datastore (datastore1). That’s the one I’m going to download the updates into. To view the Datastores issue the following command;

[box]ls -l /vmfs/volumes/[/box]

4. Change directory, so that you are ‘in’ that datastore and create a directory called ‘UPDATE’.

[box]cd /vmfs/volumes/datastore1<br /> mkdir UPDATE[/box]

5. Then change into that directory;

[box]cd UPDATE[/box]

6. From a browser visit the VMware patch portal, locate the update you want to download and install, (here it’s VMware 5.0.0 Update1). Right click the download link and copy the URL.

Note: Patches after major updates are cumulative, I also downloaded the ‘latest’ patch.

7. You need to remove the ‘s’ from the URL, I just paste the link into notepad, edit it then copy it again.

8. Back at your command window download the update with the following command;

[box]wget http://hostupdate.vmware.com/software/VUM/OFFLINE/release-328-20120312-212851/update-from-esxi5.0-5.0_update01.zip[/box]

9. When completed, download any other required patches;

[box]wget http://hostupdate.vmware.com/software/VUM/OFFLINE/release-341-20120605-165537/ESXi500-201206001.zip[/box]

10. Before applying the update/patches, the host needs to be in maintenance mode;

[box]vim-cmd hostsvc/maintenance_mode_enter[/box]

11. Then apply the update with the ‘esxcli’ command as follows;

[box]esxcli software vib install -d /vmfs/volumes/datastore1/UPDATE/update-from-esxi5.0-5.0_update01.zip[/box]

12. When complete, you will need to ‘scroll up’ and make sure it says, “Message: The update completed successfully, but the system needs to be rebooted for the changes to be effective.”

13. After the update, I am applying the latest patch with the same esxcli syntax, like so;

[box]esxcli software vib install -d /vmfs/volumes/datastore1/UPDATE/ESXi500-201206001.zip[/box]

14. Once again you will need to ‘scroll up’ and locate, “Message: The update completed successfully, but the system needs to be rebooted for the changes to be effective.”

15. Now reboot the host;

[box]reboot[/box]

16. Once the host is back online, connect and take it out of maintenance mode.

17. Then locate the folder containing the update software and patches.

18. And delete it.

19. Finally power your guest machines back on again.

Related Articles, References, Credits, or External Links

Enable SSH Access to vSphere ESXi

Upgrade vSphere 4 Environment to vSphere 5

Update VMware ESXi from 4.0 to 4.1

Upgrade ESX 3 to version 4.1.0

vSphere – Adding a Serial Port to a VM

KB ID 0001039 

Problem

I wanted to perform command line access to a virtual firewall on my home ESXi server, (a Juniper Firefly vSRX) via a console session. To do that I needed to add a serial port to that VM.

Solution

1. From Within the VI client > Select the ESXi Host > Configuration > Security Profile > Firewall Section > Properties.

2. Locate and enable ‘VM serial port connected over network’ > OK.

3. From the actual VM‘s properties, (right click > Edit settings) > Add > Serial Port > Next.

4. Connect via Network > Next.

5. Select ‘Server (VM listens for connection)’ > In Port URI enter telnet://{IP-of the ESX-Server}:2001 > Next.

Note: That’s the IP of the ESX server NOT the VM, here I’m using port 2001, but you can use 23 (standard telnet), or a random port above 1024.

6. Review the settings > Finish.

7. Now on a machine that has network connectivity to the ESX server > launch a telnet session to the VM (remember to use port 2001 as telnet defaults to 23!).

Here I’m using PuTTY but you can run ‘telnet {ip-address} {port}’ from a Windows client, (providing you have telnet enabled).

8. I’m in and working.

 

Related Articles, References, Credits, or External Links

NA

HP StorageWorks P2000 – Connecting to and Configuring

KB ID 0000569 

Problem

Normally I simply connect a new MSA to a clients network, and it gets it’s address from DHCP. Then I can get the address for the DHCP Scope, and point my web browser at it.

Yesterday I was starting with new virtual infrastructure and had no DHCP. With the G1 and G2 models, you got a console/serial cable and could just terminal in. With the G3 they have replaced the serial socket with a mini USB socket. Each time I put in a new P2000, I think “I wonder how that USB CLI socket works?” Yesterday I had to find out.

Solution

The Quickest Solution – is to connect the MSA to the network, and if it cannot get a DHCP address it automatically gives itself 10.0.0.2/24 on controller A and 10.0.0.3/24 on controller B.

MSA Default username = manage
MSA Default password = !manage

The Next Quickest Solution

1. If you do have DHCP running, connect your MSA and run the MSA Device Discovery Tool, (On the CD that came with the device).

2. Once you know the IP address, you can connect with your web browser.

Connect to and Manage your MSA via the USB/CLI Cable

1. For your machine to see the MSA as a device, you need to install a driver, there is a copy of the drivers on the CD that came with the device.

Note: Windows 7 users, use the Windows 2008 Drivers or use this one.

2. Install the driver.

3. Connect the USB lead from the MSA controller to your machine, TAKE NOTE of the COM port number it’s using.

4. Now you can use whatever terminal emulation program you prefer to connect to that COM port. (I prefer HyperTerminal, or you can use Putty if you want something a bit lighter).

5. Set the following, Bits per second = 115200, Data bits = 8, Parity = None, Stop bits = 1, and Flow control = None.

6. You will need to press {enter} to connect, then login.

MSA Default username = manage
MSA Default password = !manage

7. I only need to set the IP address of the controller(s) like so;

[box] set network-parameters ip {x.x.x.x} netmask {y.y.y.y} gateway {z.z.z.z} controller a [/box]

8. Then (If you have dual controllers) you can set the IP address of controller B.

[box] set network-parameters ip {a.a.a.a} netmask {b.b.b.b} gateway {c.c.c.c} controller b [/box]

9. Give the new IP addresses a quick test.

10. Note: You Cannot Manage an G3 P2000 with Internet Explorer 9, If you try it will simply say “Unable to Authenticate, Try again”

11. Normally I use Chrome, but that won’t work either 🙁 Firefox works fine though!

 

Related Articles, References, Credits, or External Links

NA

 

Cisco Catalyst Switches – Set a Management IP and Allow Telnet and Web Management

KB ID 0000614 

Problem

If you want to manage your Cisco Catalyst switch it’s not always practical to plug a console cable in to change its settings or monitor what it is doing. Putting an IP address on it and enabling remote management via Telnet or from your web browser is a better alternative, particularly if you have a lot of switches.

Solution

Enable Telnet Management on Cisco Catalyst Switch

1. Connect to the Switch using a terminal emulation program like HyperTerminal or Putty,

2. Issue the following commands;

[box]

enable
{enter enable password if prompted}
conf t
line vty 0 15
password {password required}
login
exit 

[/box]

Add a Management IP to a Cisco Catalyst Switch

3. Whilst still in configure terminal mode issue the following commands;

[box]

int vlan1
ip address {IP address required} {Subnet required}
no shutdown
exit

[/box]

Cisco Catalyst Set an Enable Password

4. If you telnet in you cant change any system settings without an enable password being set.

[box]enable password {Password required}[/box]

Optional : Set the Cisco Catalyst Switches Default Gateway

5. Just in case you need to manage the switch from another subnet, you will need to set a default gateway.

[box]ip default-gateway {IP address required}[/box]

Enable Web Management on Cisco Catalyst Switch

6. To connect to and manage the switch from a web browser execute the following command, and then exit configure terminal mode.

[box]

ip http server
exit 

[/box]

7. Finally save the changes with a “write mem” command.

[box]write mem[/box]

Testing the Configuration

8. From a machine on the same network segment make sure you can ping the switch on its new IP address.

9. Then make sure you can “telnet” into it.

10. Open a web browser and navigate the the switches IP > Select ‘Web Console’.

Note: You will require Java for this to work.

11. After entering the enable password you should see the following.

Related Articles, References, Credits, or External Links

Cisco Catalyst Password Recovery / Reset