To SSH to workload cluster nodes using a password, create a jump box VM that is connected to both the workload network and the management or frontend network, and tunnel SSH through it. Because the jump host straddles two networks, treat it as a privileged host: key-only logins and no root SSH.

Create a Linux Jump Host VM

Follow these steps to create a Linux jump box VM. There are many ways to do this; this is one approach. The instructions use Photon OS, which you can download here: https://github.com/vmware/photon/wiki/Downloading-Photon-OS.
Note: This method of creating a jump host is for vDS networking environments. If you are using NSX, create a jump host using a vSphere Pod. See SSH to TKG Cluster Nodes as the System User Using a Private Key.
  1. Log into vCenter Server using the vSphere Client.
  2. Create a new virtual machine.
  3. Select the Linux guest OS, in this example, VMware Photon OS (64-bit).
  4. Install the OS. To do this, download the ISO, attach it to the VM and boot it.
  5. Configure the VM with an IP address from the Workload Network > Namespace Network.
    Note: It is possible to create an IP conflict if the scope of the Workload Network range consumes the entire network space of the port group it is using.
  6. Add a second virtual NIC to the VM and assign it to the Management or Frontend network.
  7. Complete the OS configuration, reboot, and power on the VM.
  8. Log into the vSphere console for the VM as the root user.
  9. Configure a network interface for the new NIC and give it an IP address on the Frontend network. For a quick, one-off configuration:
     ifconfig eth1 IP-ADDRESS netmask NETMASK up
    Note: This method is non-persistent; the address is lost on reboot. Photon OS manages interfaces with systemd-networkd, so make the configuration persistent there before you rely on the jump host.
  10. Verify that you can ping the gateway and DNS server through that interface.
  11. In the vSphere console for the VM, create a non-root SSH user and set up public-key authentication for it. Verify that it works by opening a nested SSH session to localhost as that user.
  12. SSH into the jump box from a client on the Frontend network as the SSH user to verify that this works.
  13. Install sshpass onto the VM (so you can log in to the cluster nodes over SSH using a password). For Photon OS, the command is as follows:
    tdnf install -y sshpass
    Note: A password given with sshpass -p is visible to every local user in the process list. Prefer sshpass -e (password in the SSHPASS environment variable) or sshpass -f (password read from a file with restrictive permissions).
  14. Add the client's public key to the ~/.ssh/authorized_keys file of the SSH user on the jump host so that SSH can work without a password. sshd reads authorized_keys on each login attempt, so no restart is required for this change; restart sshd only if you also edit sshd_config.
    • Get your public key, for example: cat ~/.ssh/id_rsa.pub.
    • Access the jump host VM.
    • Create the SSH directory (if it does not exist): mkdir -p ~/.ssh.
    • Append the public key to the authorized_keys file: echo "ssh-rsa AAAA...." >> ~/.ssh/authorized_keys. Replace ssh-rsa AAAA.... with the entire public key string that was output from the cat ~/.ssh/id_rsa.pub command (quoting it keeps the key's trailing comment intact).
    • Ensure that the ~/.ssh directory and authorized_keys file have the appropriate permissions set, for example: chmod -R go= ~/.ssh.
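The following script is an added example and is not part of the original VMware page. It covers the two hardening steps the procedure above leaves implicit: it makes the Frontend-side NIC configuration from step 9 survive reboots by writing a systemd-networkd unit, and, once the key login from step 14 is verified, it restricts the jump host's own sshd to key-only, non-root logins. Assumed names: the interface is eth1, the unit directory is /etc/systemd/network, the sshd drop-in directory is /etc/ssh/sshd_config.d, and the addresses passed on the command line are placeholders for your Frontend network.

```shell
# Added example (not from the original page). Assumes Photon OS with
# systemd-networkd and an sshd_config that includes sshd_config.d/*.conf.
set -eu

# Write a systemd-networkd unit for the second NIC. Photon OS ships a
# 99-dhcp-en.network that matches every e* interface; networkd applies the
# first matching file in lexical order, so the 10- prefix makes this one win.
write_eth1_unit() {
  local dir=$1 iface=$2 cidr=$3 gw=$4 dns=$5 unit
  case "$cidr" in
    */*) ;;
    *) echo "address must be in CIDR form, e.g. 192.0.2.10/24" >&2; return 1 ;;
  esac
  mkdir -p "$dir"
  unit="$dir/10-$iface.network"
  cat > "$unit" <<EOF
[Match]
Name=$iface

[Network]
Address=$cidr
Gateway=$gw
DNS=$dns
EOF
  chmod 644 "$unit"
  echo "$unit"
}

# Drop-in that turns off password and root logins on the jump host itself.
# Assumes sshd_config contains "Include /etc/ssh/sshd_config.d/*.conf"
# (OpenSSH 8.2 or later); otherwise append these lines to sshd_config.
write_sshd_dropin() {
  local dir=$1 conf
  mkdir -p "$dir"
  conf="$dir/50-jumphost.conf"
  cat > "$conf" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
EOF
  chmod 600 "$conf"
  echo "$conf"
}

# Apply on the jump host as root, after the key login in step 14 is verified:
#   sh jumphost-setup.sh apply 192.0.2.10/24 192.0.2.1 192.0.2.53
# (placeholder addresses: eth1 CIDR, Frontend gateway, DNS server)
if [ "${1:-}" = apply ]; then
  write_eth1_unit /etc/systemd/network eth1 "$2" "$3" "$4" >/dev/null
  systemctl restart systemd-networkd
  write_sshd_dropin /etc/ssh/sshd_config.d >/dev/null
  sshd -t              # validate first; a broken sshd_config locks you out
  systemctl restart sshd
fi
```

Run the apply step only from the vSphere console, not over SSH, so a mistake in the network unit or sshd drop-in cannot cut off your session. For the one-off step 9 configuration, if ifconfig is not installed on your image, the iproute2 equivalent is `ip addr add IP-ADDRESS/PREFIX dev eth1 && ip link set eth1 up`. Once the jump host is set up, log in to a cluster node from it with `SSHPASS='node-password' sshpass -e ssh NODE-USER@NODE-IP` rather than `sshpass -p`, so the password never appears in the process list.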