Symptoms
An SSH public key is configured in the host profile branch Security and Services > Security Settings > Security > User Configuration > root. The key string has the correct format:
from="1.2.3.4" ssh-rsa <hash>
however, after successful profile remediation:
the ESXi host keeps being reported as non-compliant, because the key in the profile does not match the one on the host
SSH login attempts using the key fail
Cause
This is caused by the ESXi host profile engine not properly escaping the double quotes around the source IP address that is part of the key string, so when the key string is written to /etc/ssh/keys-root/authorized_keys the quotes are removed. The SSH server on the ESXi host, however, requires the source IP in the from= option to be enclosed in double quotes, hence any SSH login attempt using the key fails.
Resolution
Currently there is no resolution. VMware engineering is aware of the issue and is working on a fix. Please subscribe to this article to be informed as soon as a fix has been made publicly available.
Workaround
To work around this issue, you can use the following steps:
1. Edit the host profile and add a backslash (\) in front of each of the 2 double quotes so they are properly escaped. In Security and Services > Security Settings > Security > User Configuration > root, instead of:
from="1.2.3.4" ssh-rsa <hash>
use:
from=\"1.2.3.4\" ssh-rsa <hash>
2. Remediate the host(s) against the host profile.
At this stage, the entry for the key string in /etc/ssh/keys-root/authorized_keys has the correct format, and key-based SSH authentication can be used. However, the host will be non-compliant with the host profile. To make it compliant, please continue:
3. Edit the host profile again, and remove the 2 backslash characters (\) that were added in step 1, changing:
from=\"1.2.3.4\" ssh-rsa <hash>
back to:
from="1.2.3.4" ssh-rsa <hash>
4. Do another compliance scan of the host against the profile. The host is now reported as compliant.
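Added example, not part of the KB article: a small POSIX shell check that scans an authorized_keys file (by default the ESXi path /etc/ssh/keys-root/authorized_keys) for from= options whose double quotes were stripped, which is the state the host ends up in after remediation without the backslashes. The sample file it builds is constructed and the key material in it is a placeholder.

```shell
#!/bin/sh
# Added example (not from VMware or the KB article).
# check_from_quoting FILE
#   Prints every key line whose from= option is not enclosed in double
#   quotes. Returns 1 if any such line is found, 0 otherwise.
check_from_quoting() {
    keyfile="${1:-/etc/ssh/keys-root/authorized_keys}"
    found=0
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;              # skip blanks and comments
        esac
        case "$line" in
            *from=\"*\"*) : ;;                # correctly quoted, as sshd requires
            *from=*)
                printf 'unquoted from= option: %s\n' "$line"
                found=1 ;;
        esac
    done < "$keyfile"
    return "$found"
}

# Stand-alone demonstration on a constructed file; the key blob is a placeholder.
sample=$(mktemp)
cat > "$sample" <<'EOF'
from="1.2.3.4" ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER root@example
from=1.2.3.4 ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER root@example
EOF
if check_from_quoting "$sample"; then
    echo "all from= options are quoted"
else
    echo "at least one from= option lost its quotes; re-check the host profile"
fi
rm -f "$sample"
```

Run it on the host after each remediation to confirm the quotes survived before testing the SSH login.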