5.7 Ensure the SSH authorized_keys file is empty

Information

ESXi hosts come with Secure Shell (SSH), which can be configured to authenticate remote
users using public key authentication. For day-to-day operations, the ESXi host should be in
lockdown mode with the SSH service disabled. Lockdown mode does not prevent root
users from logging in using keys. The presence of a remote user's public key in the
/etc/ssh/keys-root/authorized_keys file on an ESXi host identifies the user as trusted,
meaning the user is granted access to the host without providing a password.

Disabling authorized_keys access may limit your ability to run unattended remote scripts.

*Rationale*

Keeping the authorized_keys file empty prevents users from circumventing the intended
restrictions of lockdown mode.

Solution

To remove all keys from the authorized_keys file, perform the following:

1. Logon to the ESXi shell as root or another admin user.
2. Edit the /etc/ssh/keys-root/authorized_keys file.
3. Remove all keys from the file and save the file.

See Also

https://workbench.cisecurity.org/files/2168

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b.

Plugin: Unix

Control ID: 732dca0dc98aaadc5fff9dd4a6160d5efd2ddea776f9e50f217dceae2abdc307