By default, you can log in to an ESXi host using only the root account. Direct access to an ESXi host is available and most commonly used for troubleshooting purposes. You can access an ESXi host using one of the following methods.

Active Directory Integration for ESXi Hosts

Generally, it is not required to join ESXi hosts in a VMware Cloud Foundation system to Active Directory. SDDC Manager manages the commissioning, configuration, and life cycle of the ESXi hosts. In the event that direct access to an ESXi host is required, the Cloud Administrator can obtain the root or SERVICE account credentials to troubleshoot any issues with the ESXi host. However, there are circumstances when you must add Active Directory as the identity provider by joining each ESXi host to an Active Directory domain.

VMware Cloud Foundation supports the use of NFS version 4.1 as supplemental storage. With NFS version 4.1, ESXi supports the RPCSEC_GSS Kerberos authentication service. It allows the built-in NFS 4.1 client for ESXi to prove its identity to an NFS server before mounting an NFS share. The Kerberos security uses cryptography to work across an insecure network connection. To use Kerberos authentication, each ESXi host, that mounts an NFS 4.1 datastore, must join the required Active Directory domain and the NFS Kerberos credentials must be set on each host.

The ESXi implementation of Kerberos for NFS 4.1 provides two security models, krb5 and krb5i, that offer different levels of security.

• Kerberos for authentication only (krb5) supports identity verification.

• Kerberos for authentication and data integrity (krb5i), in addition to identity verification, provides data integrity services.

When you use Kerberos authentication, the following considerations apply:

• You must add Active Directory as the authentication system by joining each ESXi host to an Active Directory domain.

• You must specify the Active Directory credentials to provide access to NFS version 4.1 Kerberos datastores. A single set of credentials is used to access all Kerberos datastores mounted on an ESXi host.

• You must use the same Active Directory credentials for all ESXi hosts that access the shared datastore.

• You cannot use two security mechanisms, AUTH_SYS and Kerberos, for the same NFS version 4.1 datastore shared by multiple hosts.

When an ESXi host is added to an Active Directory domain to support NFS version 4.1 with Kerberos authentication, you must configure the administrative access by defining a non-default Active Directory security group for privileged access to the ESXi host. Thus, you ensure that only the designated Active Directory security group membership has administrative access to the ESXi host.

Password Policies for ESXi Hosts

For an ESXi host, you can enforce password policies for access to the DCUI, the ESXi Shell, SSH, or the Host Client. You can configure these password policies by using the advanced system settings for each ESXi host. The password policies apply only to local user accounts.

Password Expiration Policy for ESXi Hosts

You manage the password expiration policy on a per-host basis by using the advanced system settings in the vSphere Client or the Host Client. You can modify the configuration settings on each ESXi host to refine the settings and adhere to the policies and regulatory standards of your organization. The default configuration is shown in the following table.

Password Complexity Policy for ESXi Hosts

You manage the password complexity policy on a per-host basis by using the advanced system settings in the vSphere Client or the Host Client. You can edit and modify the configuration to refine the settings and adhere to the policies of your organization and regulatory standards. The default configuration is shown in the following table.

For more detailed information, see the ESXi Passwords and Account Lockout documentation for VMware vSphere.

Account Lockout Policy for ESXi Hosts

ESXi account lockout is supported for SSH and API. If a user attempts to log in with incorrect local account credentials using SSH or API, the account is locked. The DCUI and the ESXi Shell do not support account lockout.

You manage the account lockout policy on a per-host basis by using the advanced system settings in the vSphere Client or the Host Client. You can edit and modify the configuration to refine the settings and adhere to the policies of your organization and regulatory standards. The default configuration is shown in the following table.

For more detailed information, see the ESXi Passwords and Account Lockout documentation for VMware vSphere.

Design Decisions on Password Policies for ESXi Hosts

ESXi Host Password Management

SDDC Manager provides the ability to perform life cycle management for the local accounts used by each ESXi host. Changing the passwords periodically or when certain events occur, such as an administrator leaving your organization, increases the security posture and health of the system. SDDC Manager provides the ability to rotate, update, and remediate most of these component passwords. Unlike password rotation, which generates a randomized password, updates allow you provide the desired password for the selected account.

For more information, see the Password Management documentation for VMware Cloud Foundation.

You can activate or deactivate normal lock down mode on an ESXi host to increase the security of the hosts. To activate or deactivate normal lock down mode, you must perform the operation through the vSphere Client. SDDC Manager creates service accounts that can be used to access the ESXi hosts over SSH. The service accounts are added to the Exception Users list during the bring-up process or host commissioning workflow. You can rotate the passwords for the service accounts using the password management functionality in SDDC Manager.