Protecting Passwords
Last Updated December 16, 2024
You can follow different password protection approaches depending on your environment setup.
If you specify passwords in plain text, you risk exposing the password to other users. The password might also become exposed in backup files. Do not provide plain-text passwords on production systems.
Follow one of the following approaches for protecting passwords.
- If you use an ESXCLI host management command interactively and do not specify a user name and password, you are prompted for them. The screen does not echo the password that you enter.
- For non-interactive use, you can create a session file by using the save_session option. See the vSphere SDK for Perl Programming Guide.
- Target a vCenter Server system and authenticate to vCenter Single Sign-On. You can save the corresponding session and use it for subsequent connections. See Authenticating Through vCenter Server and vCenter Single Sign-On.
- Use variables or configuration files.
- If you are running ESXCLI on a Windows system, you can use the --passthroughauth option. If the user who runs the command with that option is a known Active Directory user, no password is required.
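
The plain-text exposure described above can be checked for on an administration server. The following audit script is an added example, not part of the original documentation; it assumes that scripts pass the password with the --password connection option and that configuration files store it under a VI_PASSWORD key, and every host name, file name and password in it is constructed.

```shell
# Added example (not from the original page). Assumptions: scripts pass the
# password with the --password connection option, and configuration files
# store it under a VI_PASSWORD key. All sample data below is constructed.

# Print one finding per line for every file under directory $1.
audit_esxcli_secrets() {
    pat="esxcli.*--password[= ]+[\"']?[^\$\"'[:space:]]"
    find "$1" -type f | sort | while IFS= read -r f; do
        # Literal password on an esxcli command line; a value that starts
        # with '$' is a variable reference and is not flagged.
        grep -nE "$pat" "$f" | while IFS=: read -r line rest; do
            echo "cli-plaintext:$f:$line"
        done
        # File stores VI_PASSWORD and is accessible to group or others.
        if grep -qE '^[[:space:]]*VI_PASSWORD[[:space:]]*=' "$f"; then
            mode=$(ls -ld "$f" | cut -c5-10)
            [ "$mode" = "------" ] || echo "config-perms:$f:$mode"
        fi
    done
}

# Build a constructed sample tree and print its path.
make_sample_tree() {
    d=$(mktemp -d)
    printf '%s\n' '#!/bin/sh' \
        "esxcli --server esx01.example.test --username root --password 'Constructed-Pw1' network nic list" \
        > "$d/a_literal.sh"
    printf '%s\n' '#!/bin/sh' \
        'esxcli --server esx01.example.test --username root --password "$ESX_PW" network nic list' \
        > "$d/b_variable.sh"
    printf 'VI_USERNAME = root\nVI_PASSWORD = Constructed-Pw2\n' > "$d/c_open.cfg"
    printf 'VI_USERNAME = root\nVI_PASSWORD = Constructed-Pw2\n' > "$d/d_tight.cfg"
    chmod 644 "$d/c_open.cfg"
    chmod 600 "$d/d_tight.cfg"
    echo "$d"
}

tree=$(make_sample_tree)
audit_esxcli_secrets "$tree"
rm -rf "$tree"
```

Each finding is printed as kind:file:detail, where the detail is the line number for a command-line password and the group and other permission bits for a configuration file.
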
With ESXCLI, you can run scripts against multiple target servers from the same administration server. You must have the correct privileges to perform the actions on each target, and you must authenticate to the target.
Administrators can place ESXi hosts in lockdown mode for enhanced security. By default, even the root user cannot run ESXCLI commands directly against ESXi hosts in lockdown mode. See ESXCLI and Lockdown Mode and the vSphere Security documentation.