ESXi SSH Key Authentication Setup

This guide covers creating SSH keys and configuring passwordless authentication for ESXi hosts.

Overview

SSH key authentication provides:

  • Passwordless access to ESXi hosts
  • Enhanced security over password authentication
  • Automation-friendly access for scripts
  • Audit trail of key-based access

Creating SSH Keys on macOS

1. Generate SSH Key Pair

# Create a dedicated key for ESXi hosts
ssh-keygen -t rsa -b 4096 -f ~/.ssh/esxi_homelab -C "esxi-homelab-key"

# Or use ed25519 (smaller, faster, more secure)
ssh-keygen -t ed25519 -f ~/.ssh/esxi_homelab -C "esxi-homelab-key"

Key Generation Options:

  • -t rsa -b 4096: RSA key with 4096 bits (traditional, widely compatible)
  • -t ed25519: Modern elliptic curve key (recommended)
  • -f ~/.ssh/esxi_homelab: Specific filename for homelab
  • -C "comment": Add a comment to identify the key

2. Secure Your Private Key

# Set proper permissions
chmod 600 ~/.ssh/esxi_homelab
chmod 644 ~/.ssh/esxi_homelab.pub

# Add to SSH agent (optional)
ssh-add ~/.ssh/esxi_homelab

Configuring ESXi Hosts

Method 1: Manual Configuration

  1. Enable SSH on ESXi
    • Access ESXi console (DCUI)
    • Press F2 → Troubleshooting Options
    • Enable SSH
  2. Copy public key to ESXi

    # View your public key
    cat ~/.ssh/esxi_homelab.pub

    # Copy to clipboard
    pbcopy < ~/.ssh/esxi_homelab.pub

  3. Add key to ESXi

    # SSH to ESXi with password
    ssh root@192.168.10.100

    # Create SSH directory if needed
    mkdir -p /etc/ssh/keys-root

    # Add your public key (paste the complete line from your .pub file)
    echo "ssh-ed25519 AAAA... esxi-homelab-key" >> /etc/ssh/keys-root/authorized_keys

    # Set permissions
    chmod 600 /etc/ssh/keys-root/authorized_keys

Method 2: Automated Setup Script

Use the provided script to automate key deployment:

./scripts/deploy-esxi-ssh-keys.sh

Method 3: Using ssh-copy-id Alternative

Since ESXi reads keys from /etc/ssh/keys-root/authorized_keys rather than ~/.ssh/authorized_keys, the standard ssh-copy-id does not work; append the key directly instead:

# One-liner to copy key
cat ~/.ssh/esxi_homelab.pub | ssh root@192.168.10.100 \
  'cat >> /etc/ssh/keys-root/authorized_keys'

SSH Client Configuration

1. Create SSH Config Entry

Edit ~/.ssh/config:

# MS-A2 ESXi Hosts
# Note: StrictHostKeyChecking no + UserKnownHostsFile /dev/null, used below for
# convenience, turn off host key verification, so a spoofed or swapped host is
# accepted silently. For anything beyond a throwaway lab, keep verification on
# and pin the ESXi host keys in a known_hosts file instead.
Host esxi-ms-a2-01
    HostName 192.168.10.100
    User root
    IdentityFile ~/.ssh/esxi_homelab
    StrictHostKeyChecking no
    UserKnownHostsFile /dev/null

Host esxi-ms-a2-02
    HostName 192.168.10.101
    User root
    IdentityFile ~/.ssh/esxi_homelab
    StrictHostKeyChecking no
    UserKnownHostsFile /dev/null

# Intel NUC ESXi Hosts
Host esxi-nuc-01
    HostName 192.168.200.101
    User root
    IdentityFile ~/.ssh/esxi_homelab
    StrictHostKeyChecking no
    UserKnownHostsFile /dev/null

Host esxi-nuc-02
    HostName 192.168.200.102
    User root
    IdentityFile ~/.ssh/esxi_homelab
    StrictHostKeyChecking no
    UserKnownHostsFile /dev/null

Host esxi-nuc-03
    HostName 192.168.200.103
    User root
    IdentityFile ~/.ssh/esxi_homelab
    StrictHostKeyChecking no
    UserKnownHostsFile /dev/null

# Wildcard for all ESXi hosts. ssh takes the first value it finds for each
# option, so this block must stay after the specific Host entries above; it
# supplies defaults for any esxi-* host that has no entry of its own.
# LogLevel ERROR suppresses ssh's informational messages, including the
# "Permanently added ... to the list of known hosts" notice that would
# otherwise appear on every connection because of UserKnownHostsFile /dev/null.
Host esxi-*
    User root
    IdentityFile ~/.ssh/esxi_homelab
    StrictHostKeyChecking no
    UserKnownHostsFile /dev/null
    LogLevel ERROR
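The client configuration above disables host key verification. As an added example that is not part of the original guide, the script below pins each ESXi host's key in a dedicated known_hosts file on first contact and emits a client block that keeps StrictHostKeyChecking enabled. The file path in KNOWN_HOSTS, the KEY_TYPE default, the script name in the usage comment and the return-code convention of pin_host_key are choices made here, not something the guide or ESXi prescribes.

```shell
#!/bin/sh
# Added example (not from the original guide): pin the ESXi host keys in a
# dedicated known_hosts file and point the client config at it, instead of
# "StrictHostKeyChecking no" + "UserKnownHostsFile /dev/null", which skip the
# check that would catch a spoofed or swapped host.
# Assumptions: KNOWN_HOSTS path and KEY_TYPE are choices made here; host IPs are
# the ones used in the guide.

KNOWN_HOSTS="${KNOWN_HOSTS:-$HOME/.ssh/known_hosts_esxi}"
KEY_TYPE="${KEY_TYPE:-ed25519}"

# Pin one "host keytype base64" line in file $1.
# Returns 0 when added, 1 when the identical pin already exists,
# 2 when a different key is pinned for that host (investigate; do not overwrite blindly).
pin_host_key() {
    file="$1"; line="$2"
    host=$(printf '%s\n' "$line" | cut -d' ' -f1)
    ktype=$(printf '%s\n' "$line" | cut -d' ' -f2)
    existing=$(awk -v h="$host" -v t="$ktype" '$1 == h && $2 == t' "$file" 2>/dev/null || true)
    if [ -n "$existing" ]; then
        [ "$existing" = "$line" ] && return 1
        echo "$host: pinned $ktype key differs from the one offered, not replacing" >&2
        return 2
    fi
    printf '%s\n' "$line" >> "$file"
}

# First contact: fetch each host's key and pin it, printing the fingerprint of
# every new pin. Compare that fingerprint with the SSH key fingerprint the host's
# DCUI shows under View Support Information (scan the same key type the DCUI
# reports so the two values are comparable) before relying on the pin.
scan_and_pin() {
    for h in "$@"; do
        ssh-keyscan -t "$KEY_TYPE" "$h" 2>/dev/null | while IFS= read -r l; do
            if pin_host_key "$KNOWN_HOSTS" "$l"; then
                printf '%s\n' "$l" | ssh-keygen -lf /dev/stdin
            fi
        done
    done
}

# Client block that replaces the "no" / "/dev/null" pair from the guide's ~/.ssh/config.
hardened_config() {
    cat <<EOF
Host esxi-*
    User root
    IdentityFile ~/.ssh/esxi_homelab
    IdentitiesOnly yes
    UserKnownHostsFile $KNOWN_HOSTS
    StrictHostKeyChecking yes
EOF
}

# Usage (script name assumed): ./pin-esxi-hosts.sh scan 192.168.10.100 192.168.10.101 ...
#                              ./pin-esxi-hosts.sh config >> ~/.ssh/config
case "${1:-}" in
    scan)   shift; scan_and_pin "$@" ;;
    config) hardened_config ;;
esac
```

Once the pins exist, a reinstall of a host shows up as return code 2 from pin_host_key (or as ssh's "host key verification failed"), which is the signal to confirm the change on the console before replacing the pinned line.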

2. Test SSH Connection

# Test with specific host
ssh esxi-ms-a2-01

# Test with IP
ssh -i ~/.ssh/esxi_homelab root@192.168.10.100

# Run remote command
ssh esxi-ms-a2-01 "esxcli system version get"

Multiple Host Deployment

Deploy to All Hosts

# List of ESXi hosts
ESXI_HOSTS=(
    "192.168.10.100"
    "192.168.10.101"
    "192.168.200.101"
    "192.168.200.102"
    "192.168.200.103"
)

# Deploy key to all hosts (this appends on every run, so run it once per key
# or check for an existing entry first)
for host in "${ESXI_HOSTS[@]}"; do
    echo "Deploying key to $host"
    cat ~/.ssh/esxi_homelab.pub | ssh "root@$host" \
        'mkdir -p /etc/ssh/keys-root && \
         cat >> /etc/ssh/keys-root/authorized_keys && \
         chmod 600 /etc/ssh/keys-root/authorized_keys'
done
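The loop above appends the key unconditionally. As an added example, not code from the original guide, the script below does the same deployment idempotently: it validates the public key line, skips hosts that already have that key, sets the 600 mode, and proves that key login works (with no password fallback) before moving to the next host. The AUTH_KEYS override, the exit-code convention of the snippet, the helper names and the script name in the usage comment are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the original guide): deploy one public key to several
# ESXi hosts without appending duplicates, and verify key login before moving on.
# Assumptions: key path and host list as in the guide; ESXi's shell is BusyBox
# ash, so the remote part uses only POSIX constructs. AUTH_KEYS is overridable
# so the same snippet can be exercised against a local file.

PUBKEY_FILE="${PUBKEY_FILE:-$HOME/.ssh/esxi_homelab.pub}"

# Accept only one well-formed OpenSSH public key line: "<type> <base64> [comment]".
validate_pubkey() {
    printf '%s\n' "$1" | grep -Eq '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'
}

# Reads one key on stdin and appends it to $AUTH_KEYS unless the same
# type+blob is already there (the comment is ignored for the comparison).
# Exit status: 0 added, 3 already present. Runs unchanged locally or over ssh.
ADD_KEY_SNIPPET='
set -e
f="${AUTH_KEYS:-/etc/ssh/keys-root/authorized_keys}"
mkdir -p "$(dirname "$f")"
read -r k
blob=$(printf "%s\n" "$k" | cut -d" " -f1,2)
if [ -f "$f" ] && cut -d" " -f1,2 "$f" | grep -qxF "$blob"; then
    echo "$f: key already present"; exit 3
fi
printf "%s\n" "$k" >> "$f"
chmod 600 "$f"
echo "$f: key added"
'

# Local wrapper (used for testing): $1 = authorized_keys path, $2 = key line.
add_key_local() {
    validate_pubkey "$2" || { echo "refusing malformed key" >&2; return 2; }
    printf '%s\n' "$2" | AUTH_KEYS="$1" sh -c "$ADD_KEY_SNIPPET"
}

# Number of key entries in an authorized_keys file.
key_count() { grep -Ec '^(ssh-|ecdsa-)' "$1" || true; }

# True when $1 has mode 0600 exactly, the mode the guide sets.
is_mode_600() { [ -n "$(find "$1" -perm 600 2>/dev/null)" ]; }

# Push the key to one host, then prove it works with no password fallback.
deploy_to_host() {
    host="$1"; key=$(cat "$PUBKEY_FILE")
    validate_pubkey "$key" || { echo "$PUBKEY_FILE: not a public key line" >&2; return 2; }
    printf '%s\n' "$key" | ssh "root@$host" "$ADD_KEY_SNIPPET" || [ $? -eq 3 ] || return 1
    ssh -o BatchMode=yes -o IdentitiesOnly=yes -i "${PUBKEY_FILE%.pub}" "root@$host" true \
        && echo "$host: key login verified" || { echo "$host: key login FAILED" >&2; return 1; }
}

# Usage (script name assumed): ./deploy-esxi-keys.sh 192.168.10.100 192.168.10.101 192.168.200.101 ...
for h in "$@"; do
    deploy_to_host "$h" || echo "$h: deployment failed" >&2
done
```

Because the snippet is one string, the logic tested locally is byte-for-byte what runs on the host; BatchMode=yes in the verification step makes a silent fallback to password authentication impossible, so a failed verification really means the key is not in place.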

Security Best Practices

1. Key Management

  • Protect private keys that grant sensitive access with a passphrase
  • Use separate keys for different environments (prod/dev/homelab)
  • Rotate regularly - regenerate keys periodically
  • Back up keys securely (encrypted)

2. ESXi SSH Hardening

# Limit SSH access to specific IPs (via ESXi firewall). Add one allowedip
# entry per management subnet; if a wrong subnet locks you out of SSH, the
# ESXi Shell on the console (DCUI) still lets you undo the rule.
esxcli network firewall ruleset set --ruleset-id sshServer --allowed-all false
esxcli network firewall ruleset allowedip add --ruleset-id sshServer \
    --ip-address 192.168.10.0/24

# Disable SSH when not needed
vim-cmd hostsvc/disable_ssh

# Enable only when required
vim-cmd hostsvc/enable_ssh

3. Monitoring Access

# Check SSH logs on ESXi
tail -f /var/log/auth.log

# Monitor active connections
esxcli network connection list | grep :22
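Tailing auth.log shows individual events; what you usually want to know is whether every accepted login used a key and which addresses are failing. The script below, an added example that is not from the original guide, summarizes an auth.log over stdin. The sample lines embedded in it are constructed for the example and modeled on OpenSSH sshd's message wording ("Accepted publickey for ... from <ip> port ..."); the timestamp prefix differs between ESXi versions and is not matched. The function names and the script name in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the original guide): summarize sshd events from ESXi's
# /var/log/auth.log to confirm that only key-based logins occur and to spot
# password guessing. Matching is on the sshd message text, which follows
# OpenSSH's wording; the line prefix (timestamp) is not matched.

# Constructed sample, modeled on OpenSSH sshd messages; not a real capture.
SAMPLE_AUTH_LOG='2024-05-01T08:00:01Z sshd[2100101]: Accepted publickey for root from 192.168.10.5 port 50512 ssh2: ED25519 SHA256:constructedFingerprintValue0000000000000000000
2024-05-01T08:00:02Z sshd[2100101]: pam_unix(sshd:session): session opened for user root by (uid=0)
2024-05-01T08:03:10Z sshd[2100220]: Failed password for root from 192.168.200.77 port 41000 ssh2
2024-05-01T08:03:12Z sshd[2100220]: Failed password for root from 192.168.200.77 port 41000 ssh2
2024-05-01T08:03:14Z sshd[2100220]: error: maximum authentication attempts exceeded for root from 192.168.200.77 port 41000 ssh2 [preauth]
2024-05-01T08:05:00Z sshd[2100305]: Invalid user admin from 192.168.200.78 port 41200
2024-05-01T08:05:01Z sshd[2100305]: Failed password for invalid user admin from 192.168.200.78 port 41200 ssh2
2024-05-01T08:10:00Z sshd[2100410]: Accepted keyboard-interactive/pam for root from 192.168.10.9 port 51000 ssh2
2024-05-01T08:12:00Z sshd[2100500]: Accepted publickey for root from 192.168.10.5 port 50600 ssh2: ED25519 SHA256:constructedFingerprintValue0000000000000000000'

# Count successful logins for one method: publickey, password or keyboard-interactive/pam.
count_accepted() { grep -c "sshd\[[0-9]*\]: Accepted $1 for " || true; }

# Failed attempts per source address, busiest first, as "<count> <ip>" lines.
failed_by_source() {
    awk '/sshd\[[0-9]+\]: Failed / {
             for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Distinct addresses that completed a key login (compare against the allowed subnets).
publickey_sources() {
    awk '/sshd\[[0-9]+\]: Accepted publickey for / {
             for (i = 1; i <= NF; i++) if ($i == "from") { print $(i+1); break }
         }' | sort -u
}

# Succeeds only when no accepted login used a password-based method.
key_only_check() {
    log=$(cat)
    pw=$(printf '%s\n' "$log" | count_accepted password)
    ki=$(printf '%s\n' "$log" | count_accepted 'keyboard-interactive/pam')
    [ "$((pw + ki))" -eq 0 ]
}

# Full report for a log on stdin.
report() {
    log=$(cat)
    echo "key logins:             $(printf '%s\n' "$log" | count_accepted publickey)"
    echo "password logins:        $(printf '%s\n' "$log" | count_accepted password)"
    echo "keyboard-int/pam logins: $(printf '%s\n' "$log" | count_accepted 'keyboard-interactive/pam')"
    echo "key login sources:      $(printf '%s\n' "$log" | publickey_sources | tr '\n' ' ')"
    echo "failed attempts by source:"
    printf '%s\n' "$log" | failed_by_source | sed 's/^/  /'
    printf '%s\n' "$log" | key_only_check || echo "WARNING: password-based logins seen; expected key-only access" >&2
}

# Usage (script name assumed):
#   ssh esxi-ms-a2-01 'cat /var/log/auth.log' | ./authlog-report.sh report
#   ./authlog-report.sh demo     # runs against the constructed sample
case "${1:-}" in
    report) report ;;
    demo)   printf '%s\n' "$SAMPLE_AUTH_LOG" | report ;;
esac
```

On the sample, the report shows two key logins from one address, one keyboard-interactive login (which triggers the warning, since a key-only host should show none) and three failed attempts from two addresses outside the management subnet used in the firewall rule above.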

Automation Use Cases

1. Backup Script Integration

#!/bin/bash
# Example: Automated ESXi backup using SSH keys

HOSTS=("esxi-ms-a2-01" "esxi-nuc-01" "esxi-nuc-02" "esxi-nuc-03")
mkdir -p ./backups

for host in "${HOSTS[@]}"; do
    echo "Backing up $host"
    # backup_config prints "Bundle can be downloaded at : http://*/downloads/<dir>/configBundle-<name>.tgz";
    # on the host that URL path lives under /scratch, so turn it into a local path for scp.
    url=$(ssh "$host" "vim-cmd hostsvc/firmware/backup_config")
    bundle=$(printf '%s\n' "$url" | sed -n 's#.*http://\*\(/downloads/[^ ]*\.tgz\).*#/scratch\1#p')
    [ -n "$bundle" ] || { echo "$host: no bundle path in: $url" >&2; continue; }
    scp "$host:$bundle" "./backups/$host-$(date +%Y%m%d).tgz"
done

2. Mass Command Execution

#!/bin/bash
# Run command on all ESXi hosts

run_on_all_esxi() {
    local command="$1"
    for i in {1..3}; do
        echo "=== esxi-nuc-0$i ==="
        ssh "esxi-nuc-0$i" "$command" || echo "esxi-nuc-0$i: command failed (exit $?)" >&2
    done
}

# Usage
run_on_all_esxi "esxcli system version get"
run_on_all_esxi "df -h"

Troubleshooting

SSH Key Not Working

  1. Check file permissions

    # On ESXi
    ls -la /etc/ssh/keys-root/authorized_keys
    # Should be: -rw------- (600)
    
  2. Verify SSH service

    # On ESXi
    /etc/init.d/SSH status
    
  3. Check SSH logs

    # On ESXi
    tail -f /var/log/auth.log
    

Common Issues

“Permission denied (publickey)”

  • Key not properly copied to ESXi
  • Wrong file permissions
  • SSH service needs restart

“Host key verification failed”

  • ESXi host key changed (reinstall)
  • Add StrictHostKeyChecking no to SSH config (this silences the error by skipping host key verification; after a deliberate reinstall, removing the stale entry with ssh-keygen -R <host> and accepting the new key keeps verification on)

Cannot connect

  • SSH disabled on ESXi
  • Firewall blocking connection
  • Wrong IP address

Advanced Configuration

Using Different Keys per Host

# Generate host-specific keys
ssh-keygen -t ed25519 -f ~/.ssh/esxi_ms_a2_01 -C "ms-a2-01"
ssh-keygen -t ed25519 -f ~/.ssh/esxi_nuc_01 -C "nuc-01"

# Configure in ~/.ssh/config
Host esxi-ms-a2-01
    HostName 192.168.10.100
    IdentityFile ~/.ssh/esxi_ms_a2_01
    IdentitiesOnly yes

Jump Host Configuration

If accessing ESXi through a bastion host:

Host esxi-production
    HostName 10.0.1.100
    User root
    ProxyJump bastion
    IdentityFile ~/.ssh/esxi_homelab

Maintenance

Key Rotation

  1. Generate new key pair
  2. Deploy new public key (don’t remove old one yet)
  3. Test new key access
  4. Remove old public key from authorized_keys
  5. Delete old private key
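The five steps above, carried out as one script against a list of hosts, as an added example that is not part of the original guide. The order is the safety property: the old entry is removed only after the new key has logged in on its own, and the script confirms the old key is refused before reporting success. The remove_key helper is exposed as a local function so the filter can be tested on a file; the helper names, the script name in the usage comment and the argument layout are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the original guide): the five rotation steps as one
# script, with the old key removed only after the new one has proven to work.
# Assumptions: key paths are arguments; the remote shell is BusyBox ash on ESXi
# (POSIX only, awk available); the remove_key filter below is the same awk
# expression that is executed remotely in step 4.

AUTH_KEYS=/etc/ssh/keys-root/authorized_keys

# Step 1: new key pair (ed25519, as recommended in the guide).
generate_new_key() {   # $1 = path for the new private key
    ssh-keygen -t ed25519 -f "$1" -C "esxi-homelab-key-$(date +%Y%m%d)"
}

# Drop every entry in authorized_keys $1 whose type+blob matches key line $2.
# Returns 0 when an entry was removed, 1 when the key was not present. The file
# is rewritten in place with cat so its mode (600) is preserved.
remove_key() {
    file="$1"; blob=$(printf '%s\n' "$2" | cut -d' ' -f1,2); tmp="$file.rotate.$$"
    awk -v b="$blob" '($1 " " $2) != b' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    if cmp -s "$file" "$tmp"; then rm -f "$tmp"; return 1; fi
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# Steps 2-4 for one host: $1 = host, $2 = old private key, $3 = new private key.
rotate_host() {
    host="$1"; old="$2"; new="$3"
    newpub=$(cat "$new.pub"); oldblob=$(cut -d' ' -f1,2 "$old.pub")

    # Step 2: add the new public key using the old credential; the old entry stays for now.
    printf '%s\n' "$newpub" | ssh -i "$old" "root@$host" \
        'f='"$AUTH_KEYS"'; read -r k; grep -qxF "$k" "$f" 2>/dev/null || printf "%s\n" "$k" >> "$f"; chmod 600 "$f"'

    # Step 3: the new key must log in on its own (no password fallback, no other identities).
    ssh -o BatchMode=yes -o IdentitiesOnly=yes -i "$new" "root@$host" true \
        || { echo "$host: new key rejected, old key left in place" >&2; return 1; }

    # Step 4: remove the old entry, authenticating with the new key. Same awk filter
    # as remove_key; the blob travels on stdin so the key never needs shell quoting.
    printf '%s\n' "$oldblob" | ssh -i "$new" "root@$host" \
        'f='"$AUTH_KEYS"'; read -r b; awk -v b="$b" "(\$1 \" \" \$2) != b" "$f" > "$f.new" && cat "$f.new" > "$f" && rm -f "$f.new"'

    # Confirm the old key is now refused before it is deleted locally (step 5).
    if ssh -o BatchMode=yes -o IdentitiesOnly=yes -i "$old" "root@$host" true 2>/dev/null; then
        echo "$host: old key still accepted, inspect $AUTH_KEYS on the host" >&2; return 1
    fi
    echo "$host: rotated to $new"
}

# Usage (script name assumed): ./rotate-esxi-key.sh ~/.ssh/esxi_homelab ~/.ssh/esxi_homelab_new host1 host2 ...
# Step 5, deleting the old private key, is left to the operator once every host reports success.
if [ $# -ge 3 ]; then
    old="$1"; new="$2"; shift 2
    [ -f "$new" ] || generate_new_key "$new"
    for h in "$@"; do rotate_host "$h" "$old" "$new" || echo "$h: rotation failed" >&2; done
fi
```

Matching on type+blob rather than the whole line means an entry is removed even if its comment was edited on the host, and rewriting through cat rather than mv keeps the 600 mode that sshd expects on the file.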

Backup Considerations

  • Backup ~/.ssh/esxi_* keys to encrypted storage
  • Document which keys access which hosts
  • Store recovery procedures separately

This setup provides secure, convenient access to all your ESXi hosts while maintaining security best practices.


This project is for educational and home lab purposes.