Wednesday, September 10, 2008

ESXi Lockdown Mode

So I finally got a chance to work with and figure out the ESXi lockdown mode. Once I actually saw it in person it made complete sense...
Ways to access an ESXi host:
a) Using VirtualCenter and your AD credentials
b) Using the VIC client direct to the ESXi host with the ESXi ID
c) Using the RCLI commands with the ESXi IDs
d) Standing in front of the server with direct console access (keyboard & mouse attached to the server) and using the ESXi IDs

The chart below shows the four ways to access an ESXi host along with the user credentials used...

Looking at this, two things jump out at me:

Number 1 - If you are standing in front of your ESXi host and plan on making configuration changes, you must have the 'root' password. No other ID will let you log in at the console.

Number 2 - Lockdown mode really only disables the actual 'root' ID from being used with either the VIC or the RCLI interface. Other users with 'root like' privileges that you create can still make changes to the ESXi host using these methods, thus avoiding VirtualCenter.

And since there is not a PAM module for ESXi, if you do plan on creating users on each ESXi host you'll need to manage each host individually (IDs and passwords), or go with a generic account with 'root like' access, in which case you might as well just use the root ID.

Lockdown mode does make for a good idea if you don't have the need for any of the RCLI interfaces. This way you can keep the 'root' password in a safe, manage all the ESXi hosts via VirtualCenter, and only break out the root password in the event you need to make changes to the ESXi host to fix a communication issue with VirtualCenter.
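
The access rules described above can be written down and used to audit hosts. This is an added example, not code from the original post or from VMware: the inventory records, the `root_like` flag, and the host and account names are constructed for illustration, and the rule that AD IDs are not valid directly on the host is an assumption drawn from the note about the missing PAM module.

```python
# Added example: models the access rules as the post describes them,
# then audits a constructed inventory for lockdown-mode gaps.

def access_allowed(path, account, lockdown):
    """path: 'virtualcenter', 'vic_direct', 'rcli' or 'console'.
    account: 'root', 'local_admin' (host-local ID with root-like
    privileges) or 'ad_user' (AD credentials via VirtualCenter)."""
    if path == "virtualcenter":
        return account == "ad_user"      # VirtualCenter uses AD credentials
    if account == "ad_user":
        return False                     # assumption: AD IDs do not exist on the host
    if path == "console":
        return account == "root"         # only root can log in at the console
    # vic_direct and rcli: lockdown mode blocks the root ID only
    return not (lockdown and account == "root")

def audit(hosts):
    """Return (host, finding, accounts) tuples for hosts needing attention."""
    findings = []
    for h in hosts:
        extra = sorted(u["name"] for u in h["local_users"]
                       if u["name"] != "root" and u["root_like"])
        if not h["lockdown"]:
            findings.append((h["name"], "lockdown disabled", extra))
        elif extra:
            # These IDs can still reach the host with the VIC or RCLI,
            # outside VirtualCenter, even though lockdown mode is on.
            findings.append((h["name"], "lockdown bypassable via VIC/RCLI", extra))
    return findings

ROOT = {"name": "root", "root_like": True}
# Constructed sample inventory (hypothetical hosts and accounts).
INVENTORY = [
    {"name": "esxi01", "lockdown": True, "local_users": [ROOT]},
    {"name": "esxi02", "lockdown": True,
     "local_users": [ROOT, {"name": "svc_backup", "root_like": True}]},
    {"name": "esxi03", "lockdown": False,
     "local_users": [ROOT, {"name": "readonly", "root_like": False}]},
]

if __name__ == "__main__":
    for host, finding, accounts in audit(INVENTORY):
        print(f"{host}: {finding} {accounts}")
```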

Tuesday, September 9, 2008

Mendel Rosenblum Resigns from VMware

Was wondering how long it would take, and yesterday, 9-9-08, it happened. Mendel stepped down from his position at VMware. Everyone was guessing when this was going to happen; in my opinion it was all a matter of time. The only thing I could think of that could have been keeping him at VMware was some sort of language in his contract (if he even had one).

But now, with the NY Times supplying more details about the firing of Mendel's wife Diane Greene in July of this year, his time has come to an end.

This should make for a very interesting week next week at VMworld...