Know How - VMware Server
Managing VMware Server via WWW
The first thing you will notice is the web interface. It really is an amazing piece of software: VMware has built a complete desktop-style product that runs inside your browser. Luckily it is fully compatible with Mozilla Firefox on Linux. I did not test it with Windows or IE, but I found that it does not fully work with Opera, as you cannot open any console with Opera under Linux.
- The Web interface sits at https://your-server:8333/ (the port can be changed in the configuration)
- The login user is the user you entered during configuration
- The password is that user's Unix password
- The console is a Firefox (FF) plugin which must be installed separately.
- The FF plugin opens a separate window and does not run inside the browser itself.
- The FF plugin must be able to talk directly to the VMware host on a privileged port (the port is given in the configuration).
(Perhaps the FF plugin can connect through an SSL proxy if the privileged port used is 443; I did not test this.)
Notes
- Managing VMs via the Web service is out of scope of this document.
- However, it is straightforward most of the time. If you are missing something, look at the Summary tab on the right.
- I think you can do everything from the command line as well. However, I have not yet found out how.
Observations
- VMware runs as root and not as the user used for the Web login. That user is only used for access control.
- The user is managed on the Unix side. This is bad from a security point of view, as the web login name corresponds to a real, existing Unix account.
- The Unix user needs a password. However, modern login methods use PKI/passphrase methods and need not know anything like a password at all. Setting "PasswordAuthentication no" for SSH is no solution to this problem, as there is still a password around. Disabling password auth in PAM is no solution either; there are too many broken applications out there which are not PAM-aware. So a password field in /etc/shadow that can never match (an invalid hash such as "*" or "!") is mandatory for all accounts. However, this is plainly impossible for the user needed by VMware.
- Web access is provided by a web service built into VMware. I found no way to integrate it into standard web servers like Apache. So new potential security holes are opened on the machine: any additional application which keeps a port open may become a security threat. The way to go is to have as few applications opening ports as possible. (For a VMware server host the best way is to have not even a single port open.)
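As an added example (not part of Tino's page or of VMware's own tooling), here are the two host checks the last two observations ask for: which accounts in /etc/shadow still accept a password, so that the VMware login user stays the only one, and which listening sockets exist beyond an allow-list. Both functions read a file so they can be run offline on constructed samples; on a real host they take /etc/shadow (as root) and the output of "ss -H -ltn". The user names, hashes and port numbers in the samples are assumptions, not values from a real machine, and the "ss" column layout (local address:port in the fourth column) is assumed.

```shell
#!/bin/sh
# Added example, not from the original page: two audit checks for a VMware
# Server host of the kind described above.
#   audit_shadow FILE            accounts in a shadow-format FILE that still
#                                accept a password (usable hash, or empty)
#   audit_listen_ports FILE PORTS listeners in "ss -H -ltn"-style output
#                                whose port is not in the space-separated PORTS
# Sample user names, hashes and ports below are constructed (assumptions).

# Field 2 of /etc/shadow is the password hash. "*" or anything starting with
# "!" (a locked account) can never match a typed password; an empty field
# means login WITHOUT any password. Prints "<user> <reason>" for each account
# that can still be logged into with a password.
audit_shadow() {
    awk -F: '
        $2 == ""               { print $1 " empty-password"; next }
        $2 == "*" || $2 ~ /^!/ { next }
                               { print $1 " usable-hash" }
    ' "$1"
}

# Exit 0 only if the sole account with a usable password is $2 (the account
# the VMware web login needs); any other such account is a finding.
only_expected_password() {
    audit_shadow "$1" | awk -v ok="$2" '$1 != ok { bad = 1 } END { exit bad + 0 }'
}

# $1: file with "ss -H -ltn" lines (local address:port in column 4).
# $2: space-separated allow-list of ports. Prints "<addr:port>" for every
# listener whose port is not allowed. Loopback-only listeners are reported
# too, since the goal stated above is as few open ports as possible.
audit_listen_ports() {
    awk -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NF >= 4 {
            m = split($4, f, ":"); port = f[m]
            if (!(port in ok)) print $4
        }
    ' "$1"
}

# Constructed samples (assumptions, not taken from a real host).
SAMPLE_SHADOW='root:!:17000:0:99999:7:::
daemon:*:17000:0:99999:7:::
vmware:$6$saltsalt$0123456789abcdef:17000:0:99999:7:::
tino:!$6$saltsalt$abcdef0123456789:17000:0:99999:7:::
oldapp::17000:0:99999:7:::'

SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 *:8333 *:*
LISTEN 0 100 127.0.0.1:25 0.0.0.0:*
LISTEN 0 128 [::]:111 [::]:*'

# Run both checks on the samples and print the combined report.
run_samples() {
    s=$(mktemp); printf '%s\n' "$SAMPLE_SHADOW" > "$s"
    p=$(mktemp); printf '%s\n' "$SAMPLE_SS" > "$p"
    echo "== accounts that still accept a password =="
    audit_shadow "$s"
    echo "== listeners outside the allow-list (22 8333) =="
    audit_listen_ports "$p" "22 8333"
    rm -f "$s" "$p"
}
```

On the sample, audit_shadow reports only "vmware" (the one account that must keep a password) and "oldapp" (an empty password field, which is worse than a weak one); the locked "tino" and the "*" system accounts are silent. only_expected_password therefore fails until oldapp is locked. The port check is meant to be run once before and once after installing VMware Server, so the ports the built-in web service and the console plugin open show up as the difference.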
-Tino, 2008-09-04