To SSH to Tanzu Kubernetes cluster nodes using a password, first create a jump box VM that connects to the workload network and the management or frontend network for SSH tunneling.

Create a Linux Jump Host VM

Follow these steps to create a Linux jump box VM. There are many ways to do this. This is one approach. The instructions use PhotonOS which you can download here:
  1. Log into vCenter Server using the vSphere Client.
  2. Create a new virtual machine.
  3. Select the Linux guest OS, in this example, VMware Photon OS (64-bit).
  4. Install the OS. To do this, download the ISO, attach it to the VM and boot it.
  5. Configure the VM with an IP address on the Workload network.
  6. Add a second virtual NIC to the VM and assign it to the Frontend network.
  7. Complete the configuration of the OS and power on the VM after reboot.
  8. Log into the vSphere console for the VM as the root user.
  9. Create a network interface for the new NIC and give it an IP on the Frontend network.
     ifconfig eth1 IP-ADDRESS netmask NETMASK up
    Note: This method is non-persistent on reboots.
  10. Verify that you can ping the gateway and DNS server through that interface.
  11. In the vSphere console for the VM, set up an SSH user with certificates. Verify that it works by creating a nested shell.
  12. SSH into the jump box from the Frontend network as the SSH user to verify that it works.
  13. Install sshpass onto the VM (so you can log in over SSH using a password). For PhotonOS, the command is as follows:
    tdnf install -y sshpass
  14. Add the client's public key to the ~/.ssh/authorized_keys file and restart the sshd process so that ssh can work without a password.
    • Get your public key, for example: cat ~/.ssh/
    • Access the jump host VM.
    • Create the SSH directory (if it does not exist): mkdir -p ~/.ssh.
    • Append the public key to the authorized_keys file: echo ssh-rsa AAAA.... >> ~/.ssh/authorized_keys. Replace ssh-rsa AAAA.... with the entire public key string that was output from the cat ~/.ssh/ command.
    • Ensure that the ~/.ssh directory and authorized_keys file have the appropriate permissions set, for example: chmod -R go= ~/.ssh.
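
A more defensive form of the append in step 14, as an added example that is not part of the original instructions: the hypothetical `install_pubkey` helper accepts only a single bare key line, skips a key that is already listed, and sets the directory and file modes explicitly. `SAMPLE_KEY` is a constructed placeholder, not a real key.

```sh
# Added example, not from the original page.
# SAMPLE_KEY is a constructed placeholder, not a real key.
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleConstructedKeyDataNotARealKey0000000 user@client'

# install_pubkey KEY_LINE [SSH_DIR]   (hypothetical helper name)
# Appends KEY_LINE to SSH_DIR/authorized_keys once; returns 1 on rejected input.
install_pubkey() {
    key=$1
    ssh_dir=${2:-"$HOME/.ssh"}
    auth="$ssh_dir/authorized_keys"
    nl='
'
    # One key per line: a pasted value with a newline would add extra entries.
    case $key in *"$nl"*) echo "rejected: more than one line" >&2; return 1 ;; esac

    ktype=${key%% *}     # first field: key type
    rest=${key#* }
    kblob=${rest%% *}    # second field: base64 key blob

    # The line must start with a key type, so no options field
    # (command=, from=, ...) is accepted in front of the key.
    case $ktype in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "rejected: unexpected key type" >&2; return 1 ;;
    esac
    # Structural check only: the "AAAA" prefix every SSH public key blob has,
    # and the base64 alphabet. This does not prove the key itself is valid.
    case $kblob in
        AAAA*) ;;
        *) echo "rejected: malformed key blob" >&2; return 1 ;;
    esac
    case $kblob in
        *[!A-Za-z0-9+/=]*) echo "rejected: malformed key blob" >&2; return 1 ;;
    esac

    old_umask=$(umask)
    umask 077                       # new files are private from creation
    mkdir -p "$ssh_dir"
    touch "$auth"
    # Skip the append if the same type and blob are already listed.
    if ! awk -v t="$ktype" -v b="$kblob" \
            '$1 == t && $2 == b { f = 1 } END { exit !f }' "$auth"; then
        printf '%s\n' "$key" >> "$auth"
    fi
    chmod 700 "$ssh_dir"
    chmod 600 "$auth"
    umask "$old_umask"
}
```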