VMware
VMware ESX Server 1.5


Authentication and Security Features

There are three key aspects to security with VMware ESX Server.

  • VMware ESX Server authenticates all remote users who connect to a server using the VMware Management Interface or the remote console.
  • Security for network traffic to and from the server depends on the security settings in the server configuration.
  • Three or more TCP/IP ports are used for access, depending on the security settings in your ESX Server configuration.

    Depending on your remote access requirements, you may need to configure your firewall to allow access on one or more of these ports. For details on which ports are used, see TCP/IP Ports for Management Access.

Authenticating Users

VMware ESX Server uses Pluggable Authentication Modules (PAM) for user authentication in the remote console and the VMware Management Interface. The default installation of ESX Server uses /etc/passwd authentication, just as Linux does, but it can easily be configured to use LDAP, NIS, Kerberos or another distributed authentication mechanism.

The PAM configuration is in /etc/pam.d/vmware-authd.
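As an added example (not the file ESX Server ships), here is a /etc/pam.d/vmware-authd that accepts local /etc/passwd users and falls back to LDAP for everyone else. It assumes the pam_ldap module is installed under /lib/security and already points at your directory through /etc/ldap.conf; adjust the module paths to what your console operating system actually has.

```text
#%PAM-1.0
# /etc/pam.d/vmware-authd (added example, not the file ESX Server installs)
# auth: try the local password file first; on failure, try LDAP with the
# same password (use_first_pass) so the user is not prompted twice.
auth       sufficient   /lib/security/pam_unix.so shadow
auth       required     /lib/security/pam_ldap.so use_first_pass
# account: keep these lines, otherwise an expired or locked account still
# gets in once its password is accepted.
account    sufficient   /lib/security/pam_unix.so
account    required     /lib/security/pam_ldap.so
```

Test the change with a throwaway account before relying on it: a typo in this file locks every remote console and management interface user out at once, while SSH to the console operating system (which uses its own PAM file) keeps working.
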

Every time a connection is made to the server running VMware ESX Server, the inetd process runs an instance of the VMware authentication daemon (vmware-authd). The vmware-authd process requests a user name and password, then hands them off to PAM, which performs the authentication.

Once a user is authenticated, vmware-authd accepts a path name to a virtual machine configuration file. Access to the configuration file is restricted in the following ways:

  • The user must have read access to the configuration file to see and control the virtual machine in the VMware Management Interface and to view the Details and Event Log pages.
  • The user must have read access to the configuration file to use the local console on the console operating system or to connect to the virtual machine with the VMware Perl API.
  • The user must have read and execute access to the configuration file to connect to and control (start, stop, reset or suspend) a virtual machine in a remote console, with the VMware Perl API or with the management interface.
  • The user must have read and write access to the configuration file to change the configuration using the Configure VM page in the VMware Management Interface.

Note: Users who can list the directory that holds a configuration file but cannot read the file itself may encounter errors in the VMware Management Interface.

If no vmware process is running for the configuration file you are trying to use, vmware-authd checks /etc/vmware/vm-list, the file in which you register your virtual machines. If the configuration file is listed there, vmware-authd starts a vmware process for it running as the owner of the configuration file, not as the user who is currently authenticated. Because that process runs with the owner's identity, grant write access to a configuration file only to users you would trust with the owner's account.

Registered virtual machines (those listed in /etc/vmware/vm-list) also appear in the VMware Management Interface. The virtual machines you see on the Overview page must be listed in vm-list, and you must have read access to their configuration files.

The vmware-authd process exits as soon as a connection to a vmware process is established. Each vmware process shuts down automatically after the last user disconnects.

Default Permissions

When you create a virtual machine with VMware ESX Server, its configuration file is registered with the following default permissions (mode 754), which determine what each class of user may do with it:

  • Read, execute and write - for the user who created the configuration file (the owner)
  • Read and execute - for the owner's group
  • Read - for users other than the owner or a member of the owner's group
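
The permission rules above, as an added example rather than code from ESX Server: a POSIX shell script that maps a configuration file's mode, owner and group to the actions vmware-authd grants a given user (view, control, configure). It evaluates the mode bits only, so it ignores root, which bypasses them, and any ACLs; the user and group names in the comments are made up.

```shell
#!/bin/sh
# Added example (not VMware's code): decide what a user may do with a
# virtual machine whose configuration file has a given mode, owner and
# group, using the read / read+execute / read+write rules on this page.
#
# Usage: vmx_rights MODE OWNER GROUP USER [USER_GROUP...]
#   MODE is a three-digit octal mode, e.g. 754 for rwxr-xr-- in "ls -l".

# has_bit DIGIT BIT: succeeds if the octal DIGIT includes BIT (4=r, 2=w, 1=x).
has_bit() {
    case "$2" in
        4) case "$1" in 4|5|6|7) return 0 ;; esac ;;
        2) case "$1" in 2|3|6|7) return 0 ;; esac ;;
        1) case "$1" in 1|3|5|7) return 0 ;; esac ;;
    esac
    return 1
}

# mode_class_digit MODE OWNER GROUP USER [USER_GROUP...]
# Prints the digit of MODE that applies to USER. Ownership is checked
# before group membership, which is the order the kernel uses.
mode_class_digit() {
    mode=$1 owner=$2 group=$3 user=$4
    shift 4
    if [ "$user" = "$owner" ]; then
        printf '%s' "${mode%??}"            # first digit: owner
        return 0
    fi
    for g in "$@"; do
        if [ "$g" = "$group" ]; then
            rest=${mode#?}
            printf '%s' "${rest%?}"         # middle digit: group
            return 0
        fi
    done
    printf '%s' "${mode#??}"                # last digit: others
}

# vmx_rights: prints the actions granted for the applicable digit:
#   view      - read: Overview/Details/Event Log, local console, Perl API
#   control   - read+execute: start/stop/reset/suspend from a remote console
#   configure - read+write: the Configure VM page
# Without the read bit the user gets nothing, which is the "can list the
# directory but not read the file" case the note above warns about.
vmx_rights() {
    digit=$(mode_class_digit "$@") || return 1
    if ! has_bit "$digit" 4; then
        echo none
        return 0
    fi
    rights=view
    if has_bit "$digit" 1; then rights="$rights control"; fi
    if has_bit "$digit" 2; then rights="$rights configure"; fi
    echo "$rights"
}

# apply_default_mode FILE: restore the default permissions this page
# describes (owner rwx, group rx, others r) on a configuration file.
apply_default_mode() {
    chmod 754 "$1"
}
```

Source the file and run, for example, vmx_rights 754 alice vmadmins bob vmadmins to see that a member of the owner's group can view and control but not reconfigure the virtual machine; pass the real mode from ls -l and the output of id -un and id -Gn to check an actual account.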

TCP/IP Ports for Management Access

The TCP/IP ports available for management access to your ESX Server machine vary, depending on the security settings you choose for the server. If you need to manage ESX Server machines from outside a firewall, you may need to reconfigure the firewall to allow access on the appropriate ports. The lists below show which ports are available when you use each of the standard security settings.

The key ports for use of the VMware Management Interface and the remote console are the HTTP or HTTPS port and the port used by vmware-authd. Use of other ports is optional.

High Security

  • 443 - HTTPS, used by the VMware Management Interface
  • 902 - vmware-authd, used when you connect with the remote console
  • 22 - SSH, used for a secure shell connection to the console operating system

Medium Security

  • 443 - HTTPS, used by the VMware Management Interface
  • 902 - vmware-authd, used when you connect with the remote console
  • 22 - SSH, used for a secure shell connection to the console operating system
  • 23 - Telnet, used for an insecure shell connection to the console operating system
  • 21 - FTP, used for transferring files to and from other machines
  • 111 - portmap, used by the NFS client when mounting a drive on a remote machine

Low Security

  • 80 - HTTP, used by the VMware Management Interface
  • 902 - vmware-authd, used when you connect with the remote console
  • 22 - SSH, used for a secure shell connection to the console operating system
  • 23 - Telnet, used for an insecure shell connection to the console operating system
  • 21 - FTP, used for transferring files to and from other machines
  • 111 - portmap, used by the NFS client when mounting a drive on a remote machine
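
The three port lists above, turned into a check and a firewall fragment as an added example (not VMware's code): a POSIX shell script that compares what the console operating system is actually listening on against the ports the chosen security setting needs, flags the cleartext services, and prints iptables rules for that setting. It assumes the console operating system uses iptables; the netstat output embedded in it is a constructed sample, not captured from a real ESX Server machine.

```shell
#!/bin/sh
# Added example (not VMware's code): audit listening TCP ports against the
# management ports this page lists per security setting, and emit iptables
# rules for that setting. Assumes iptables on the console OS.

# Ports listed on this page for each standard security setting.
esx_mgmt_ports() {
    case "$1" in
        high)   printf '%s\n' 443 902 22 ;;
        medium) printf '%s\n' 443 902 22 23 21 111 ;;
        low)    printf '%s\n' 80 902 22 23 21 111 ;;
        *)      echo "unknown security setting: $1" >&2; return 1 ;;
    esac
}

# Services on this page that carry credentials or sessions in cleartext.
cleartext_port_name() {
    case "$1" in
        21) echo FTP ;;
        23) echo Telnet ;;
        80) echo HTTP ;;
        *)  return 1 ;;
    esac
}

# Read "netstat -tln" style output on stdin; print listening TCP ports.
listening_ports() {
    awk '$1 == "tcp" && $NF == "LISTEN" { n = split($4, a, ":"); print a[n] }' | sort -un
}

# audit_ports SETTING < netstat-output
# One line per finding:
#   unexpected PORT       listening but not part of SETTING (extra exposure)
#   missing PORT          part of SETTING but nothing is listening
#   cleartext PORT NAME   part of SETTING but insecure; prefer high security
audit_ports() {
    expected=$(esx_mgmt_ports "$1") || return 1
    actual=$(listening_ports)
    for p in $actual; do
        printf '%s\n' $expected | grep -qx "$p" || echo "unexpected $p"
    done
    for p in $expected; do
        printf '%s\n' $actual | grep -qx "$p" || echo "missing $p"
        name=$(cleartext_port_name "$p") && echo "cleartext $p $name"
    done
    return 0
}

# esx_fw_rules SETTING IFACE: print iptables rules that accept new TCP
# connections on IFACE only for the ports SETTING needs and drop the rest.
esx_fw_rules() {
    ports=$(esx_mgmt_ports "$1") || return 1
    for p in $ports; do
        echo "iptables -A INPUT -i $2 -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    echo "iptables -A INPUT -i $2 -p tcp -m state --state NEW -j DROP"
}

# Constructed sample of "netstat -tln" output: a console OS that has the
# high-security ports open but has also left Telnet running.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:902             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN'
```

On a console operating system, source the file and run netstat -tln | audit_ports high; against the sample above that reports "unexpected 23". Review the output of esx_fw_rules before applying it: the final DROP rule blocks every other new inbound TCP connection, so a real policy also needs rules for loopback traffic and for ESTABLISHED,RELATED packets.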
