Authorized keys allow you to enable access to an ESXi host through SSH without requiring user authentication. To increase host security, do not allow users to access a host using authorized keys.

A user is considered trusted if their public key is in the /etc/ssh/keys-root/authorized_keys file on a host. Trusted remote users are allowed to access the host without providing a password.


  • For day-to-day operations, disable SSH on ESXi hosts.
  • If SSH is enabled, even temporarily, monitor the contents of the /etc/ssh/keys-root/authorized_keys file to ensure that no users are allowed to access the host without proper authentication.
  • Monitor the /etc/ssh/keys-root/authorized_keys file to verify that it is empty and no SSH keys have been added to the file.
  • If you find that the /etc/ssh/keys-root/authorized_keys file is not empty, remove any keys.


Disabling remote access with authorized keys might limit your ability to run commands remotely on a host without providing a valid login. For example, this can prevent you from running an unattended remote script.