Protecting Passwords

Caution If you specify passwords in plain text, you risk exposing the password to other users. The password might also become exposed in backup files. Do not provide plain-text passwords on production systems.

Follow one of the following approaches for protecting passwords.

■	If you use a vCLI host management command interactively and do not specify a user name and password, you are prompted for them. The screen does not echo the password you type.

■	For noninteractive use, you can create a session file using the save_session option. See Using a Session File.

■	Target a vCenter Server system and authenticate to vCenter Single Sign-On. You can save the corresponding session and use it for subsequent connections. See Authenticating Through vCenter Server and vCenter Single Sign-On.

■	Use variables or configuration files.

■	If you are running on a Windows system, you can use the - -passthroughauth option. If the user who runs the command with that option is a known Active Directory user, no password is required.

If you are running vMA, you can set up target servers and run most vCLI commands against target servers without additional authentication. See the vSphere Management Assistant Guide.

vCLI allows you to run scripts against multiple target servers from the same administration server. You must have the correct privileges to perform the actions on each target, and you must authenticate to the target.

Important Administrators can place ESXi hosts in lockdown mode for enhanced security. By default, not even the root user can run vCLI commands directly against ESXi hosts in lockdown mode. See vCLI and Lockdown Mode and the vSphere Security documentation.

Order of Precedence for vCLI Host Management Commands

When you run a vCLI host management command, authentication happens in the order of precedence shown in vCLI Authentication Precedence. This order of precedence always applies. That means, for example, that you cannot override an environment variable setting in a configuration file.

Note Available options and order of precedence are different for DCLI. See Order of Precedence for DCLI Authentication.

If you are authenticating through vCenter Single Sign-On, the order of precedence is preserved, for example, information you specify on the command line overrides information in an environment variable.

vCLI Authentication Precedence 

Authentication	Description	See
Command line	Password (- -password), session file (- -sessionfile), or configuration file (- -config) specified on the command line.	Using a Session File
Environment variable	Password specified in an environment variable.	Using Environment Variables
Configuration file	Password specified in a configuration file.	Using a Configuration File
Current account (Active Directory)	Current account information used to establish an SSPI connection. Available only on Windows.	Using Microsoft Windows Security Support Provider Interface
Credential store	Password retrieved from the credential store.	vSphere Web Services SDK Programming Guide and vSphere SDK for Perl Programming Guide.
Prompt the user for a password.	Password is not echoed to screen.