The ESXi Shell provides essential maintenance commands and is deactivated by default on ESXi hosts. You can activate local and remote access to the shell if necessary. To reduce the risk of unauthorized access, activate the ESXi Shell for troubleshooting only.

The ESXi Shell is independent of lockdown mode. Even if the host is running in lockdown mode, you can still log in to the ESXi Shell if it is activated.

See vSphere Security.

The applicable services are as follows.

ESXi Shell
Activate this service to access the ESXi Shell locally.
SSH
Activate this service to access the ESXi Shell remotely by using SSH.
Direct Console UI (DCUI)
When you activate this service while running in lockdown mode, you can log in locally to the direct console user interface as the root user and deactivate lockdown mode. You can then access the host using a direct connection to the VMware Host Client or by activating the ESXi Shell.

The root user and users with the Administrator role can access the ESXi Shell. Users who are in the Active Directory group ESX Admins are automatically assigned the Administrator role. By default, only the root user can run system commands (such as vmware -v) by using the ESXi Shell.

Note: Do not activate the ESXi Shell unless you actually need access.

Enable the Secure Shell (SSH) in the VMware Host Client

Enable the Secure Shell (SSH) to access the ESXi Shell remotely by using SSH.

Procedure

  1. To enable or deactivate the Secure Shell (SSH), right-click Host in the VMware Host Client inventory.
  2. Select Services from the drop-down menu.
  3. To enable the Secure Shell (SSH), select Enable Secure Shell (SSH).
  4. To enable the ESXi Shell, select Enable ESXi shell.

Enable the ESXi Console Shell in the VMware Host Client

When you enable this service while running in lockdown mode, you can log in locally to the direct console user interface as the root user and deactivate lockdown mode. You can then access the host using a direct connection to the VMware Host Client or by enabling the ESXi Shell.

Procedure

  1. To activate or deactivate the Console Shell, right-click Host in the VMware Host Client inventory.
  2. Select Services from the drop-down menu and select Console Shell.
  3. Select a task to perform.
    • If the Console Shell is activated, click Disable to deactivate it.
    • If the Console Shell is deactivated, click Enable to activate it.

Create a Timeout for ESXi Shell Availability in the VMware Host Client

The ESXi Shell is deactivated by default. To increase security when you enable the shell, you can set an availability timeout for the ESXi Shell.

The availability timeout defines how long both local and remote shell logins are allowed before the ability to log in through the shell is deactivated. When the availability timeout expires, any existing shell sessions remain open, but new shell sessions are not allowed.

Procedure

  1. Click Manage in the VMware Host Client inventory.
  2. On the System tab, select Advanced settings.
  3. Enter UserVars.ESXiShellTimeOut in the Search text box and click the Search icon.
  4. Select UserVars.ESXiShellTimeOut and click Edit option.
    The Edit option dialog box opens.
  5. In the New value text box, enter the timeout setting.
    A value of zero (0) deactivates the timeout.
  6. Click Save.
    You must restart the SSH service and the ESXi Shell service for the timeout to take effect.
  7. (Optional) To reset the key setting to default, right-click the appropriate key from the list and select Reset to default.

Create a Timeout for Idle ESXi Shell Sessions in the VMware Host Client

If you enable the ESXi Shell on a host, but forget to log out of the session, the idle session remains connected indefinitely. The open connection increases the potential for someone to gain privileged access to the ESXi host. Prevent this by setting a timeout for idle sessions.

The idle timeout is the amount of time that can elapse before you are logged out of an idle interactive session.

Procedure

  1. Click Manage in the VMware Host Client inventory.
  2. On the System tab, click Advanced settings.
  3. Enter UserVars.ESXiShellInteractiveTimeOut in the Search text box and click the Search icon.
  4. Select UserVars.ESXiShellInteractiveTimeOut and click Edit option.
    The Edit option dialog box opens.
  5. In the New value text box, enter the timeout setting.
    A value of zero (0) deactivates the timeout.
  6. Click Save.
    The timeout takes effect only for newly logged in sessions.
  7. (Optional) To reset the key setting to default, right-click the appropriate key from the list and select Reset to default.

Results

If the session is idle, users are logged out after the timeout period elapses.
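A way to audit the two timeout settings edited in the procedures above without opening the Host Client, as an added example that is not part of this VMware documentation: it parses text in the layout of `esxcli system settings advanced list -o <path>` output (the sample below is constructed, not captured from a host) and flags any value of 0, which the page states deactivates the timeout. The `Int Value` field is assumed to hold the same number entered in the Edit option dialog.

```python
import re

# Constructed sample in the layout of `esxcli system settings advanced list`
# output, trimmed to the fields used here; not captured from a real host.
SAMPLE_ESXCLI_OUTPUT = """\
   Path: /UserVars/ESXiShellTimeOut
   Type: integer
   Int Value: 0
   Default Int Value: 0
   Description: Time before automatically disabling local and remote shell access (in seconds, 0 disables timeout)

   Path: /UserVars/ESXiShellInteractiveTimeOut
   Type: integer
   Int Value: 900
   Default Int Value: 0
   Description: Idle time before an interactive shell is automatically logged out (in seconds, 0 disables timeout)
"""

def parse_advanced_settings(text):
    """Parse esxcli 'advanced list' output into {path: {field: value}}."""
    settings = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z ]+?):\s?(.*)$", line)
        if not m:
            continue  # blank line or separator
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Path":
            current = settings.setdefault(value, {})  # new setting record
        elif current is not None:
            current[key] = value
    return settings

# The two keys the procedures above edit; 0 means the timeout is deactivated.
SHELL_TIMEOUT_KEYS = {
    "/UserVars/ESXiShellTimeOut": "availability timeout",
    "/UserVars/ESXiShellInteractiveTimeOut": "idle timeout",
}

def check_shell_timeouts(settings):
    """Return (path, status, detail) tuples; FAIL when a timeout is 0."""
    findings = []
    for path, label in SHELL_TIMEOUT_KEYS.items():
        entry = settings.get(path)
        if entry is None:
            findings.append((path, "MISSING", f"{label} not in output"))
            continue
        value = int(entry.get("Int Value", "0"))
        status = "FAIL" if value == 0 else "PASS"
        findings.append((path, status, f"{label} = {value}"))
    return findings
```

Feed it the real esxcli output for both paths and a FAIL on ESXiShellTimeOut means the shell stays reachable indefinitely once enabled, exactly the condition the availability timeout exists to prevent.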