Thursday, January 17, 2013

Changing the SSH Port on the ESXi server for Cyber-Ark Integration!!

In one of my recent implementations, I got a request from a client to change the default SSH port on the ESXi server from port 22 to port 63022.

This was a requirement since they have a password management system from Cyber-Ark which would store and reset the root and other user passwords on the ESXi server for security reasons. Cyber-Ark works with any Unix or Linux operating system by using the SSH port. Since ESXi also uses SSH for remote access, we had to integrate Cyber-Ark with the ESXi server over the SSH port. Cyber-Ark uses SSH; however, the integration happens on port 63022 for SSH.

Let's see how I went about changing the SSH port to 63022 and made it consistent across ESXi reboots.

We would need to update this configuration in 2 locations for this to work:-

a) /etc/vmware/firewall/ - In this location we would have to place a new firewall rule for the SSH port which we manually define. This would be done by creating an XML file which would be saved in this location. Here are the contents of the XML file:-

<id>SSH 63022</id>
<rule id = '0000'>

For ease we will call this file ssh63022.xml

We would need to refresh the firewall policies after placing this file in the given location on the ESXi server. Here is the command we will be using:-

#esxcli network firewall refresh

b) /etc/services - The second change would be to create a new services file where we can define the SSH port as 63022 instead of 22. You can copy this file from the default location, place it on a SAN datastore and then edit it with the new port information. Here is how you can do it:-

# cp /etc/services /vmfs/volumes/EMC-SANLUN-01/ssh

I have created a folder named SSH on my SAN Datastore EMC-SANLUN-01. Then, I am copying the services file to my EMC SAN VMFS datastore which is visible to all my hosts in the cluster.

Now let's check if the file has moved there:-

~ # cd /vmfs/volumes/EMC-SANLUN-01/ssh
/vmfs/volumes/50f5e6fd-6fa36a6c-8339-000c29c4df2b/ssh # ls -ltrh
-rw-r--r-T    1 root     root        20.3k Jan 16 00:16 services

Now that we have a copy of the services file, let's edit it to change the ssh port. Run the following command:-

/vmfs/volumes/50f5e6fd-6fa36a6c-8339-000c29c4df2b/ssh # vi services

Locate the ssh port setting as shown in the screenshot below:-

Now edit this file and change the port 22 to 63022 as shown below:-

Save the change on this file and run the following command to replace the original file with this file.

~ # cp /vmfs/volumes/EMC-SANLUN-01/ssh/services /etc/services

This will change the default ssh port from 22 to 63022.
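
A scripted alternative to the manual vi edit above, added here as an example and not part of the original post: it rewrites only the ssh entries in a staged copy of the services file and verifies the result before that copy is installed over /etc/services. The function names and the sample file are constructed, and the sed expression sticks to basic regular expressions on the assumption that the ESXi shell's sed accepts them.

```shell
#!/bin/sh
# Added example (not from the original post). Function names and the
# sample file below are constructed for illustration.

# patch_ssh_port SRC DST PORT: write SRC to DST with the ssh entries moved to PORT.
patch_ssh_port() {
    src=$1; dst=$2; port=$3
    # Accept only a decimal port in range; it is interpolated into sed below.
    case $port in ''|*[!0-9]*) echo "invalid port: $port" >&2; return 2 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range" >&2; return 2; }
    # Anchor on "ssh" + whitespace so entries such as "sshell" are not touched.
    sed "s#^\(ssh[[:space:]][[:space:]]*\)[0-9][0-9]*/#\1${port}/#" "$src" > "$dst"
}

# verify_patch SRC DST PORT: succeed only if every ssh entry now uses PORT
# and every other line is unchanged.
verify_patch() {
    src=$1; dst=$2; port=$3
    want=$(grep -c '^ssh[[:space:]]' "$src" || true)
    got=$(grep -c "^ssh[[:space:]][[:space:]]*${port}/" "$dst" || true)
    [ "$want" -gt 0 ] && [ "$want" -eq "$got" ] || return 1
    [ "$(grep -v '^ssh[[:space:]]' "$src")" = "$(grep -v '^ssh[[:space:]]' "$dst")" ]
}

# Demo on a constructed excerpt of a services file.
demo_dir=$(mktemp -d)
cat > "$demo_dir/services.orig" <<'EOF'
ftp             21/tcp
ssh             22/tcp     # SSH Remote Login Protocol
ssh             22/udp     # SSH Remote Login Protocol
telnet          23/tcp
sshell          614/tcp    # SSLshell
EOF

if patch_ssh_port "$demo_dir/services.orig" "$demo_dir/services" 63022 &&
   verify_patch "$demo_dir/services.orig" "$demo_dir/services" 63022; then
    echo "staged copy verified:"; grep '^ssh' "$demo_dir/services"
else
    echo "verification failed; do not copy to /etc/services" >&2
fi
```

Because the staged copy on the datastore is what gets installed over /etc/services, running the verification against it before the cp catches a bad edit while the original file is still in place.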

Now to make it consistent across the reboots, it is important that you perform these 2 steps every time the ESXi server reboots. It is not practical to run these steps manually, hence a better way would be to automate this using the rc.local file which can run simple scripts on the ESXi server during start-up.

Just as with the services file, copy the ssh63022.xml file which we created in step (a) to /vmfs/volumes/EMC-SANLUN-01/ssh as well. You can use Datastore Browser on vSphere Client or a utility such as winscp. See screenshot below:-

Now that you have both the files in a shared datastore, update the rc.local file to copy these files to the respective locations every time the server reboots. You would need to make the following entry in the rc.local file:-

Note - rc.local is located in /etc directory.

Edit the file and update it with the following script:-

#Copy the new firewall rule from vmfs place holder to file system
cp /vmfs/volumes/EMC-SANLUN-01/ssh/ssh63022.xml /etc/vmware/firewall/
#refresh firewall rules
esxcli network firewall refresh
#Copy the modified services file from vmfs place holder to file system
cp /vmfs/volumes/EMC-SANLUN-01/ssh/services /etc/services
#Restart inetd to get the changes
kill -HUP `cat /var/run/`

See screenshot below:-

Run the following command:-

~ # vi /etc/rc.local

Lastly, save this file and reboot the ESXi host. Now you would have the SSH port set to 63022 and you can easily integrate with Cyber-Ark.

Hope this helps you to make changes to ESXi default ports for 3rd party software integration if needed.


  1. Congratulations Admin! Thank you so much for taking the time to share this exciting information.