But with the latest version of vSphere 5.1 the administrative privileges can be removed from the default root account and individually assigned to Local Users which will provide them full access to the ESXi shell.
This is a cool enhancement, as this not only makes the platform more secure, but it also improves the auditing of the ESXi shell activity as the logging will now display the name of the user who is accessing the shell and performing administrative tasks. In previous versions it was literally impossible to track that who logged in with root access as the logs will just show that the tasks are performed by “root” user.
Lets see what kind of use cases this will help:-
a) Organizations would not have to worry about resetting root password as there policy of password management as root can now be disabled, hence they will have one less account to manage.
b) Having to share a password (root user password) among admin team members is no longer required, ensuring no unauthorized access, end to blame games and a sense of accountability among VMware Administrators of an organization.
c) Monitoring and Auditing becomes easier as the log will reflect the name of the “username” who performed any activity instead of “root”, hence making it easier to audit activities.
Another smart add on to this feature is the ability to auto terminate sessions which are left idle due to human error. For Example – An admin with full shell access logged into a ssh session while troubleshooting an issue from the system of his storage admin and he forgot to logout before taking that important call from his boss. Now the storage admin has full access to the Shell which could possibly be an issue”
In order to avoid such situations a new advance variable UserVars.ESXiShellInteractiveTimeOut is available to set a timeout value for any ESXi shell access. As soon as the timeout limit is reached, the session would be terminated, making the shell inaccessible for the unauthorized user.
Do remember to use this excellent feature in your environments to make it more secure, reliable & manageable.
6 thoughts on “vSphere 5.1 – The ROOT access is no longer COMMON”
Awesome it is, good information Sunny
Well, it's a good idea from VMware.Sunny, good post!
Thanks Navs & Rocco.. There is a lot more to come with the enhancements corner… Stay tuned..
NIce post !
Good colelction. Keep it up !