Customize SSH and ESXi Shell Settings for Increased Security

The ESXi Shell provides access to maintenance commands and other configuration options. The ESXi Shell and SSH come in handy when a task cannot be done through the Web Client or other remote management tools. Both are a direct, privileged path onto the hypervisor, so the usual hardening advice is to keep them disabled, enable them only for the maintenance window that needs them, and use the timeouts described below so that an enabled service or an unattended session does not stay open longer than intended.

Enabling local and remote shell access on ESXi hosts

Log in to the vSphere Web Client, select an ESXi host and navigate to Manage > Settings > Security Profile. Under Services, click Edit.

[Screenshot: serv-1.PNG]

Here we can enable or disable the services below and change their startup policy:

  • Direct Console UI
  • ESXi Shell
  • SSH

[Screenshot: serv-2.PNG]

Enabling SSH or the local shell through the DCUI

Go to the console of the host, press F2 and enter the ESXi host credentials.

Select Troubleshooting Options, highlight each service you want to enable or disable and press Enter to toggle it.

[Screenshot: serv-3.PNG]

Configuring the Timeout For the ESXi Shell

By default the timeout for the ESXi Shell is disabled (a value of 0). This availability timeout specifies how long the ESXi Shell and SSH services stay enabled after you turn them on. If nobody has logged in when the timeout period elapses, the services are disabled again, so a shell that was enabled for maintenance and then forgotten does not stay reachable indefinitely.

Note: if you are logged in when the timeout period elapses, your session persists. However, the ESXi Shell is disabled, which prevents other users from logging in.

Configure Shell timeout from DCUI

From the Troubleshooting Mode Options menu, select Modify ESXi Shell and SSH timeouts

[Screenshot: serv-5.PNG]

and set the values.

[Screenshot: serv-6.PNG]

Note: if the ESXi Shell and SSH are enabled, the option to modify the timeout value is grayed out. To change the timeout value, make sure both the ESXi Shell and SSH are disabled first. This is by design: the values are read when the services start, so forcing you to set them while the services are off makes it clear when they take effect.

Configure the ESXi Shell timeout from the vSphere Web Client:

1: Log in to the vSphere Web Client.

2: Select the host in the inventory and open its Advanced System Settings (Manage > Settings > Advanced System Settings in the Web Client; in the legacy vSphere Client this is the Configuration tab, then Software > Advanced Settings).

3: Filter the list for UserVars.

4: In the UserVars.ESXiShellTimeOut field, enter the timeout in seconds.

[Screenshot: serv-7.PNG]

The ESXi Shell and SSH services need to be restarted for the availability timeout to take effect.

ESXi Shell Interactive Timeout

The interactive timeout limits how long an idle logged-in session stays open. It applies to SSH sessions opened after the setting was changed; sessions that were already open keep their old behaviour. Say we configure the timeout to 60 seconds: once the change is in place, a new PuTTY session to the host closes automatically after 60 seconds without any input. Scrolling in the terminal does not count as activity; only keystrokes sent to the shell reset the timer. Together with the availability timeout this means neither an enabled SSH service nor an abandoned root session remains usable for long.

To configure the interactive timeout, edit the UserVars.ESXiShellInteractiveTimeOut advanced option (again in seconds).

Configure the shell timeout from the CLI

Check the current settings with esxcfg-advcfg (the same tool sets a value with its -s option). A value of 0 means the timeout is disabled:

[root@esxi04:~] esxcfg-advcfg -g /UserVars/ESXiShellInteractiveTimeOut
Value of ESXiShellInteractiveTimeOut is 0
[root@esxi04:~] esxcfg-advcfg -g /UserVars/ESXiShellTimeOut
Value of ESXiShellTimeOut is 0

Configuring the shell timeouts via PowerCLI

Configure both settings for all ESXi hosts in a cluster (the values are in seconds; -Confirm:$false suppresses the per-host confirmation prompt that Set-AdvancedSetting otherwise raises):

Get-AdvancedSetting -Entity (Get-Cluster <cluster> | Get-VMHost) -Name UserVars.ESXiShellTimeOut | Set-AdvancedSetting -Value 1800 -Confirm:$false

Get-AdvancedSetting -Entity (Get-Cluster <cluster> | Get-VMHost) -Name UserVars.ESXiShellInteractiveTimeOut | Set-AdvancedSetting -Value 1800 -Confirm:$false

Validate

Get-AdvancedSetting -Entity (Get-Cluster <cluster> | Get-VMHost) -Name UserVars.ESXiShellTimeOut | ft -AutoSize

Get-AdvancedSetting -Entity (Get-Cluster <cluster> | Get-VMHost) -Name UserVars.ESXiShellInteractiveTimeOut | ft -AutoSize
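The one-liners above set a value but do not tell you which hosts were out of policy, and they leave the service restart (needed for the availability timeout) to you. The following PowerCLI script is an added example, not code from the original post: it audits every host in a cluster against both timeouts, treats 0 (disabled) or anything above the policy value as non-compliant, optionally remediates, and restarts the ESXi Shell (TSM) and SSH (TSM-SSH) services only where they are already running, so it never turns SSH on for a host where an admin left it off. The cluster name, the 900-second policy values and the -Remediate switch are assumptions for the example; it expects an existing Connect-VIServer session.

```powershell
# Added example (not from the original post). Assumes PowerCLI is loaded and a
# Connect-VIServer session to vCenter exists. Cluster name and policy values are
# placeholders for illustration.
param(
    [string]$ClusterName        = 'Prod-Cluster',   # assumed cluster name
    [int]$ShellTimeOut          = 900,              # UserVars.ESXiShellTimeOut, seconds (assumed policy)
    [int]$InteractiveTimeOut    = 900,              # UserVars.ESXiShellInteractiveTimeOut, seconds (assumed policy)
    [switch]$Remediate                              # report only unless this switch is given
)

$policy = @{
    'UserVars.ESXiShellTimeOut'            = $ShellTimeOut
    'UserVars.ESXiShellInteractiveTimeOut' = $InteractiveTimeOut
}

# Skip hosts vCenter cannot talk to; maintenance-mode hosts are still reachable.
$vmHosts = Get-Cluster -Name $ClusterName | Get-VMHost |
    Where-Object { $_.ConnectionState -in 'Connected', 'Maintenance' }

foreach ($vmHost in $vmHosts) {
    $changed = $false

    foreach ($name in $policy.Keys) {
        $setting = Get-AdvancedSetting -Entity $vmHost -Name $name
        $current = [int]$setting.Value
        $wanted  = $policy[$name]

        # 0 means the timeout is disabled; larger than policy means too permissive.
        $compliant = ($current -ne 0) -and ($current -le $wanted)

        [pscustomobject]@{
            Host      = $vmHost.Name
            Setting   = $name
            Current   = $current
            Policy    = $wanted
            Compliant = $compliant
        }

        if (-not $compliant -and $Remediate) {
            $setting | Set-AdvancedSetting -Value $wanted -Confirm:$false | Out-Null
            $changed = $true
        }
    }

    if ($changed) {
        # The availability timeout is read when the service starts, so bounce the
        # shell services. Only restart services that are currently running: a host
        # with SSH deliberately disabled must stay that way.
        Get-VMHostService -VMHost $vmHost |
            Where-Object { ($_.Key -in 'TSM', 'TSM-SSH') -and $_.Running } |
            ForEach-Object { Restart-VMHostService -HostService $_ -Confirm:$false | Out-Null }
    }
}
```

Run it without -Remediate first; the objects it emits can be piped to Format-Table or Export-Csv to produce an audit report, and only hosts flagged Compliant = False are touched on a second run with -Remediate.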

If you have set ESXiShellInteractiveTimeOut on an ESXi host, then after the configured period of no activity you are logged out of the session with the message below:

[root@esxi04:~] timed out waiting for input: auto-logout
Connection to esxi04 closed.

I hope you find this post informational. Feel free to share this on social media if it is worth sharing. Be sociable 🙂