Just as I said I'm going to hop around from topic to topic, so without further ado we move from HA to security. This post will be pretty much all of objective 7 on the blueprint – some things I may graze over while focusing heavily on others.
So first up is Objective 7.1 – now there is a lot of information in here and I'll just pull out the most important in my opinion, as well as the task I don't commonly perform. So that said, I'm going to leave out the users, groups, lockdown mode, and AD authentication. These things are pretty simple to configure anyways. Also, this whole authentication proxy thing – I'm just going to hope for the best that it isn't on the exam 🙂 So, let's get started on this beast of an objective.
Yeah, we all enable it right – and we all suppress that warning with that advanced setting. The point is, ssh is something that is near and dear to all our hearts, and we like to have the ability to access something via the CLI in the case the GUI or vCenter or something is down. So with that said, let's have a look at what the blueprint states in regards to SSH – customization. Aside from enabling and disabling this, which is quite easy so I won't go over it, I'm not sure what the blue print is getting at. I've seen lots of sites referencing the timeout setting so we can show that. Simply change the value in the Advanced Settings of a host to the desired time in seconds (Uservars->ESXiShellTimeOut) as shown below
As far as 'Customize SSH settings for increased security' goes, I'm not sure what else you can enable/disable or tweak to do so. If you are familiar with sshd I suppose you could permit root from logging in and simply utilize SSH with a local user account.
Certificates and SSL
The blueprint mentions the enabling and disabling of certificate checking. This is simply done by checking/unchecking a checkbox in the SSL section of the vCenter Server settings.
The blueprint also calls out the generation of ESXi host certs. Before doing any sort of certificate generation or crazy ssl administration always back your original certs up. These are located in /etc/vmware/ssl – just copy them somewhere. To regenerate new certs simply shell into ESXi and run generate-certificates – this will create new certs and keys, ignore the error regarding the config file 🙂 After doing this you will need to restart your management agents (/etc/init.d/hostd restart) and quite possibly reconnect your host to vCenter.
To deploy a CA signed cert you can simply just copy your certs to the same directory (/etc/vmware/ssl ) and be sure they are named rui.cert and rui.key and restart hostd the same as above.
As far as SSL timeouts I couldn't find this located in any of the recommended tools for this objective, it's actually in the security guide (which makes sense right, we are doing the security objective #fail – either way, you need to edit the /etc/vmware/hostd/config.xml file and add the following two entries to modify the SSL read and handshake timeout values respectively (they are in milliseconds remember)
Once again you will need to restart hostd after doing this!
Yikes! You want to get confused try and understand the pam password policies. I'll do my best to explain it – keep in mind it will be high level though – this is in the blueprint however I'm not sure if they are going to have you doing this on the exam. Either way, it's good to know… Honestly, I don't think I'm going to memorize this, if you work with it daily then you might, but me, no! I'll just know that it is also in the security guide (search for PAM). Anyways, here's the command
password requisite /lib/security/$ISA/pam_passwdqc.so retry=N min=N0,N1,N2,N3,N4
Wow! So what the hell does that mean? Well, first off N represents numbers (N = retry attempts, N0 = length of password if only using one character class, N1 = length if using two character classes, N2 = length of words inside passphrases, N3 = length if using three character classes, N4 = length if using all four character classes). Character classes are basically lower case, upper case, numbers and special characters. They also confuse things by slamming the passphrase settings right in the middle as well – Nice! Either way, this is the example from the security guide.
password requisite /bin/security/$ISA/pam_passwdqc.so retry=3 min=12,9,8,7,6
This translates into three retry attempts, 12 character password min if using only one class, 9 character minimum if using two classes, 7 character minimum if using three classes, and 6 character minimum if using all four classes. As well, passphrases are required to have words that are at least 8 characters long.
No way can I remember this, I'm just going to remember Security Guide + CTRL+F + PAM 🙂
I'm going to cut this post off here and give the ESXi firewall its' own post – my head hurts!!!! 🙂