Information
ESXi hosts come with Secure Shell (SSH), which can be configured to authenticate remote
users using public key authentication. For day-to-day operations, the ESXi host should be in
lockdown mode with the SSH service disabled. Lockdown mode does not prevent root
users from logging in using keys. The presence of a remote user's public key in the
/etc/ssh/keys-root/authorized_keys file on an ESXi host identifies the user as trusted,
meaning the user is granted access to the host without providing a password.
Disabling authorized_keys access may limit your ability to run unattended remote scripts.
*Rationale*
Keeping the authorized_keys file empty prevents users from circumventing the intended
restrictions of lockdown mode.
Solution
To remove all keys from the authorized_keys file, perform the following:
1. Logon to the ESXi shell as root or another admin user.
2. Edit the /etc/ssh/keys-root/authorized_keys file.
3. Remove all keys from the file and save the file.