Customize SSH and ESXi Shell Settings for Increased Security

By | 06/11/2017

The ESXi Shell provides access to maintenance commands and other configuration options. The ESXi Shell and SSH come in handy for tasks that can't be done through the Web Client or other remote management tools.

Enabling local and remote shell access on ESXi hosts

Log in to the vSphere Web Client, select an ESXi host, navigate to Manage > Settings > Security Profile Services, and click Edit.


We can enable or disable the services below and also change their startup method:

  • Direct Console UI
  • ESXi Shell
  • SSH


Enabling SSH or local shell through the DCUI.

Go to the console of the host. Press F2 and enter the ESXi host credentials.

Select Troubleshooting Options and hit Enter on each service you want to enable/disable.


Configuring the Timeout For the ESXi Shell

By default, the timeout setting for the ESXi Shell is disabled. The shell timeout setting allows you to specify how long an inactive session is left open. After the timeout period, if you have not logged in, the shell is disabled.

Note: If you are logged in when the timeout period elapses, your session persists. However, the ESXi Shell is disabled and it prevents other users from logging in.

Configure Shell timeout from DCUI

From Troubleshooting Mode Options, select Modify ESXi Shell and SSH timeouts.


Then set the values.


Note: If ESXi Shell and SSH are enabled, the option to modify the timeout value is grayed out. To change the timeout value, ensure both ESXi Shell and SSH are disabled. This is by design and is intended to indicate when the timeout values would take effect.

Configure ESXi Shell timeout from vSphere Web Client:

1: Log in to vSphere Web Client.

2: Select the host in the Inventory panel and click the Configuration tab.

3: Under Software, click Advanced Settings.

4: In the left panel, search for UserVars.

5: In the UserVars.ESXiShellTimeOut field, enter the timeout setting in seconds.


The ESXi Shell and SSH services need to be restarted for the changes to take effect.

ESXi Shell Interactive Timeout

This applies to SSH sessions opened after the configuration is done. Say we have configured this timeout to 60 seconds. Once the configuration is done and a new PuTTY session is opened, that session closes automatically after 60 seconds of no activity. In other words, if you don't run any commands or scroll in the SSH session for 60 seconds, you are logged out automatically.

To configure Shell Interactive timeout, edit the UserVars.ESXiShellInteractiveTimeOut configuration option.

Configure Shell timeout from CLI

Check current settings
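The CLI check and change described here, as an added example that is not the original post's commands: a POSIX sh script for the ESXi Shell that reads UserVars.ESXiShellTimeOut and UserVars.ESXiShellInteractiveTimeOut with esxcli, flags a disabled or overly long timeout, and can set both. The 900-second ceiling, the function names and the sample output are assumptions constructed for illustration.

```shell
#!/bin/sh
MAX_SECS=900   # assumed site policy ceiling in seconds, not from the article

# Pull "Int Value" out of `esxcli system settings advanced list` output (stdin).
int_value() {
    sed -n 's/^ *Int Value: *\([0-9][0-9]*\) *$/\1/p' | head -n 1
}

# 0 means the timeout is disabled; anything above MAX_SECS is treated as too lax.
classify() {
    case "$1" in
        ''|*[!0-9]*) echo UNKNOWN ;;
        0)           echo DISABLED ;;
        *) if [ "$1" -le "$MAX_SECS" ]; then echo OK; else echo TOO_LONG; fi ;;
    esac
}

# Report one option; reads esxcli output on stdin so it can be checked offline.
audit_option() {
    val=$(int_value)
    echo "$1=${val:-?} $(classify "$val")"
}

# Query both options on a host; non-zero exit status if either is not OK.
audit_host() {
    rc=0
    for opt in ESXiShellTimeOut ESXiShellInteractiveTimeOut; do
        line=$(esxcli system settings advanced list -o "/UserVars/$opt" | audit_option "$opt")
        echo "$line"
        case "$line" in *" OK") ;; *) rc=1 ;; esac
    done
    return "$rc"
}

# Set both options to $1 seconds; restart ESXi Shell and SSH afterwards.
set_timeouts() {
    for opt in ESXiShellTimeOut ESXiShellInteractiveTimeOut; do
        esxcli system settings advanced set -o "/UserVars/$opt" -i "$1" || return 1
    done
}

# Constructed, abridged sample of the list output (not captured from a host).
SAMPLE_DISABLED='   Path: /UserVars/ESXiShellTimeOut
   Type: integer
   Int Value: 0
   Default Int Value: 0'

# Run the audit only where esxcli exists, i.e. on an ESXi host.
if command -v esxcli >/dev/null 2>&1; then audit_host; fi
```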

Configuring Shell Timeout via PowerCLI

Configure the setting for all ESXi servers in a cluster:


If you have set ESXiShellInteractiveTimeOut on an ESXi host, then after a period of no activity you will be kicked out of the server with the message below.

