Installation guide

CHAPTER 5 Using the VMware Service Console
207
Authentication and Security Features
This section contains the following:
Authenticating Users on page 207
Default Permissions on page 209
TCP/IP Ports for Management Access on page 209
There are three key aspects to security with VMware ESX Server.
VMware ESX Server authenticates all remote users who connect to a server using
the VMware Management Interface or the VMware Remote Console.
Security for network traffic to and from the server depends on the security
settings in the server configuration.
Three or more TCP/IP ports are used for access, depending on the security
settings in your ESX Server configuration.
Depending on your remote access requirements, you may need to configure
your firewall to allow access on one or more of these ports. For details on which
ports are used, see TCP/IP Ports for Management Access on page 209.
Authenticating Users
VMware ESX Server uses Pluggable Authentication Modules (PAM) for user
authentication in the remote console and the VMware Management Interface. The
default installation of ESX Server uses /etc/passwd authentication, just as Linux
does, but it can easily be configured to use LDAP, NIS, Kerberos or another distributed
authentication mechanism.
The PAM configuration is in /etc/pam.d/vmware-authd.
Every time a connection is made to the server running ESX Server, the inetd process
runs an instance of the VMware authentication daemon (vmware-authd). The
vmware-authd process requests a user name and password, then hands them off
to PAM, which performs the authentication.
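Because vmware-authd defers the password check entirely to the stack in /etc/pam.d/vmware-authd, the practical audit question for an administrator is "which backend does that file actually consult, and does it contain any weakening options?". The following script is an added example and is not code from this guide or from VMware: it parses the pam.d service-file format and classifies the auth stack as local (/etc/passwd via pam_unix) or distributed (LDAP, Kerberos, SSSD). The module-name-to-backend table and the two sample files are assumptions constructed for illustration; they are not the contents of the real vmware-authd file on any ESX release.

```python
"""Audit which authentication backend a PAM service file uses.

Added example (not code from the VMware guide or from VMware): a small parser
for the /etc/pam.d service-file format that ESX Server's vmware-authd relies
on. The two sample files below are constructed for illustration; they are not
the actual contents of /etc/pam.d/vmware-authd on any ESX release.
"""
import re
import sys
from typing import Dict, List, NamedTuple


class PamRule(NamedTuple):
    type: str        # auth, account, password or session
    control: str     # required, requisite, sufficient, optional or [..] form
    module: str      # module file, e.g. pam_unix.so
    args: List[str]  # module arguments, e.g. ["shadow", "nullok"]


# Assumption: these module names identify the backend; NIS normally rides on
# pam_unix via nsswitch, so it shows up as "local" here.
BACKENDS: Dict[str, str] = {
    "pam_unix.so": "local (/etc/passwd, /etc/shadow)",
    "pam_ldap.so": "LDAP",
    "pam_krb5.so": "Kerberos",
    "pam_sss.so": "SSSD (LDAP/Kerberos/AD)",
}

# type, control (bare word or [bracketed]), module, optional args
_RULE_RE = re.compile(
    r"^(?P<type>-?\w+)\s+(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)(?:\s+(?P<args>.*))?$"
)


def parse_pam(text: str) -> List[PamRule]:
    """Parse a pam.d service file; comments and blank lines are ignored."""
    rules: List[PamRule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable PAM line: {raw!r}")
        args = m.group("args").split() if m.group("args") else []
        # a leading '-' marks the module as optional-if-missing; drop it
        rules.append(PamRule(m.group("type").lstrip("-"), m.group("control"),
                             m.group("module"), args))
    return rules


def auth_backends(rules: List[PamRule]) -> List[str]:
    """Backends consulted by the 'auth' stack, in evaluation order."""
    out: List[str] = []
    for r in rules:
        if r.type == "auth":
            name = r.module.rsplit("/", 1)[-1]   # tolerate absolute module paths
            if name in BACKENDS:
                out.append(BACKENDS[name])
    return out


def findings(rules: List[PamRule]) -> List[str]:
    """Weak settings worth flagging in the auth stack; returns short codes."""
    codes: List[str] = []
    for r in rules:
        name = r.module.rsplit("/", 1)[-1]
        if r.type == "auth" and name == "pam_permit.so":
            codes.append("pam_permit")        # any password is accepted
        if r.type == "auth" and name == "pam_unix.so" and "nullok" in r.args:
            codes.append("nullok")            # empty passwords are accepted
    return codes


# Constructed samples (not real vendor files).
LOCAL_SAMPLE = """\
#%PAM-1.0
auth       required     pam_unix.so shadow
account    required     pam_unix.so
"""

LDAP_SAMPLE = """\
#%PAM-1.0
auth       sufficient   pam_ldap.so
auth       required     pam_unix.so shadow nullok use_first_pass
account    sufficient   pam_ldap.so
account    required     pam_unix.so
"""


def report(text: str) -> str:
    """One-line backend summary followed by a WARNING line per finding."""
    rules = parse_pam(text)
    lines = ["auth backends: " + (", ".join(auth_backends(rules)) or "none recognised")]
    lines += ["WARNING: " + c for c in findings(rules)]
    return "\n".join(lines)


if __name__ == "__main__":
    # usage: python pam_audit.py /etc/pam.d/vmware-authd   (defaults to the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            print(report(fh.read()))
    else:
        print(report(LDAP_SAMPLE))
```

Run it against the real service file on the ESX host (`python pam_audit.py /etc/pam.d/vmware-authd`) to confirm that a host you believe is LDAP- or Kerberos-backed really does list that module first in its auth stack, and that no fallback rule quietly accepts empty passwords.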
Once a user is authenticated, vmware-authd accepts a path name to a virtual
machine configuration file. Access to the configuration file is restricted in the
following ways:
The user must have read access to the configuration file to see and control the
virtual machine in the VMware Management Interface and to view the virtual
machine details pages.