ESX Configuration Guide
To ensure the protection of the data transmitted to and from external network connections, ESX uses one of the strongest block ciphers available—256-bit AES block encryption. ESX also uses 1024-bit RSA for key exchange. These encryption algorithms are the default for the following connections.
nvSphere Client connections to vCenter Server and to the ESX host through the service console.
nvSphere Web Access connections to the ESX host through the service console.
NOTE Because use of vSphere Web Access ciphers is determined by the Web browser you are using, this management tool might use other ciphers.
nSDK connections to vCenter Server and to ESX.
nService console connections to virtual machines through the VMkernel.
nSSH connections to the ESX host through the service console.
setuid and setgid Flags
During ESX installation, several applications that include the setuid and setgid flags are installed by default. Some of the applications provide facilities required for correct operation of the host. Others are optional, but they can make maintaining and troubleshooting the host and the network easier.
setuid |
A flag that allows an application to temporarily change the permissions of the |
|
user running the application by setting the effective user ID to the program |
|
owner’s user ID. |
setgid |
A flag that allows an application to temporarily change the permissions of the |
|
group running the application by setting the effective group ID to the program |
|
owner’s group ID. |
Disable Optional Applications
Disabling any of the required applications results in problems with ESX authentication and virtual machine operation, but you can disable any optional application.
Optional applications are listed in Table 14-2 and Table 14-3.
Procedure
1Log in to the service console and acquire root privileges.
2Run one of the following commands to disable the application.
nFor setuid flagged applications: chmod a-s path_to_executable_file
nFor setgid flagged applications: chmod a-g path_to_executable_file
Default setuid Applications
Several applications that include the setuid flag are installed by default.
Table 14-2 lists the default setuid applications and indicates whether the application is required or optional.
202 |
VMware, Inc. |
|
Chapter 14 Service Console Security |
|
Table 14-2. Default setuid Applications |
|
|
|
|
|
Application |
Purpose and Path |
Required or Optional |
|
|
|
crontab |
Lets individual users add cron jobs. |
Optional |
|
Path: /usr/bin/crontab |
|
|
|
|
pam_timestamp_check |
Supports password authentication. |
Required |
|
Path: /sbin/pam_timestamp_check |
|
|
|
|
passwd |
Supports password authentication. |
Required |
|
Path: /usr/bin/passwd |
|
|
|
|
ping |
Sends and listens for control packets on the network interface. |
Optional |
|
Useful for debugging networks. |
|
|
Path: /bin/ping |
|
|
|
|
pwdb_chkpwd |
Supports password authentication. |
Required |
|
Path: /sbin/pwdb_chkpwd |
|
|
|
|
ssh-keysign |
Performs host-based authentication for SSH. |
Required if you use |
|
Path: /usr/libexec/openssh/ssh-keysign |
host-based |
|
|
authentication. |
|
|
Otherwise optional. |
|
|
|
su |
Lets a general user become the root user by changing users. |
Required |
|
Path: /bin/su |
|
|
|
|
sudo |
Lets a general user act as the root user only for specific |
Optional |
|
operations. |
|
|
Path: /usr/bin/sudo |
|
|
|
|
unix_chkpwd |
Supports password authentication. |
Required |
|
Path: /sbin/unix_chkpwd |
|
|
|
|
vmkload_app |
Performs tasks required to run virtual machines. This |
Required in both paths |
|
application is installed in two locations: one for standard use |
|
|
and one for debugging. |
|
|
Path for standard use: /usr/lib/vmware/bin/vmkload_app |
|
|
Path for debugging: /usr/lib/vmware/bin- |
|
|
debug/vmkload_app |
|
|
|
|
vmware-authd |
Authenticates users for use of services specific to VMware. |
Required |
|
Path: /usr/sbin/vmware-authd |
|
|
|
|
vmware-vmx |
Performs tasks required to run virtual machines. This |
Required in both paths |
application is installed in two locations: one for standard use and one for debugging.
Path for standard use: /usr/lib/vmware/bin/vmware-vmx
Path for debugging: /usr/lib/vmware/bin-debug/vmware- vmk
Default setgid Applications
Two applications that include the setgid flag are installed by default.
Table 14-3 lists the default setgid applications and indicates whether the application is required or optional.
VMware, Inc. |
203 |