The ESXi Shell provides essential maintenance commands and is deactivated by default on ESXi hosts. You can activate local and remote access to the shell if necessary. To reduce the risk of unauthorized access, activate the ESXi Shell for troubleshooting only.
The ESXi Shell is independent of lockdown mode. Even if the host is running in lockdown mode, you can still log in to the ESXi Shell if it is activated.
See vSphere Security.
The applicable services are as follows.
- ESXi Shell: activate this service to access the ESXi Shell locally.
- SSH: activate this service to access the ESXi Shell remotely by using SSH.
- Direct Console UI (DCUI): when you activate this service while running in lockdown mode, you can log in locally to the direct console user interface as the root user and deactivate lockdown mode. You can then access the host using a direct connection to the VMware Host Client or by activating the ESXi Shell.
The root user and users with the Administrator role can access the ESXi Shell. Users who are in the Active Directory group ESX Admins are automatically assigned the Administrator role. By default, only the root user can run system commands (such as vmware -v) by using the ESXi Shell.
Enable the Secure Shell (SSH) in the VMware Host Client
Enable the Secure Shell (SSH) to access the ESXi Shell remotely by using SSH.
Procedure
- To enable or deactivate the Secure Shell (SSH), right-click Host in the VMware Host Client inventory.
- Select Services from the drop-down menu.
- To enable the Secure Shell (SSH), select Enable Secure Shell (SSH).
- To enable the ESXi Shell, select Enable ESXi shell.
Enable the ESXi Console Shell in the VMware Host Client
When you enable this service while running in lockdown mode, you can log in locally to the direct console user interface as the root user and deactivate lockdown mode. You can then access the host using a direct connection to the VMware Host Client or by enabling the ESXi Shell.
Procedure
- To activate or deactivate the Console Shell, right-click Host in the VMware Host Client inventory.
- Select Services from the drop-down menu and select Console Shell.
- Select a task to perform.
- If the Console Shell is activated, click Disable to deactivate it.
- If the Console Shell is deactivated, click Enable to activate it.
Create a Timeout for ESXi Shell Availability in the VMware Host Client
The ESXi Shell is deactivated by default. To increase security when you enable the shell, you can set an availability timeout for the ESXi Shell.
The availability timeout defines how long both local and remote shell logins are allowed before the ability to log in through the shell is deactivated. When the availability timeout expires, any existing shell sessions remain, but new shell sessions are not allowed.
Procedure
Create a Timeout for Idle ESXi Shell Sessions in the VMware Host Client
If you enable the ESXi Shell on a host, but forget to log out of the session, the idle session remains connected indefinitely. The open connection increases the potential for someone to gain privileged access to the ESXi host. Prevent this by setting a timeout for idle sessions.
The idle timeout is the amount of time that can elapse before you are logged out of an idle interactive session.
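The sections above enable the shell services from the Host Client and describe the two timeouts without naming where the values live. The following audit script is an added example, not VMware's own code or a procedure from this page: it checks that the availability timeout and the idle timeout are set to non-zero values within a local ceiling, and that the SSH and ESXi Shell services are not left running. It assumes the advanced options `/UserVars/ESXiShellTimeOut` and `/UserVars/ESXiShellInteractiveTimeOut` (both in seconds, 0 meaning the timeout is off), the text layout of `esxcli system settings advanced list -o <option>` output (an `Int Value:` line), and that `/etc/init.d/SSH status` and `/etc/init.d/ESXShell status` print "... is running" or "... is not running". The `MAX_*` ceilings are policy choices, not values from the documentation. Off an ESXi host the script runs against constructed sample output so the parsing can be exercised anywhere.

```shell
#!/bin/sh
# Added audit helper (example code, not VMware's). Assumptions, see the lead-in:
#  - /UserVars/ESXiShellTimeOut            availability timeout, seconds, 0 = never expires
#  - /UserVars/ESXiShellInteractiveTimeOut idle timeout, seconds, 0 = never logs out
#  - `esxcli system settings advanced list -o <option>` prints an "Int Value: N" line
#  - /etc/init.d/SSH and /etc/init.d/ESXShell `status` print "X is running" / "X is not running"
MAX_AVAILABILITY=3600   # policy ceiling: seconds the shell may stay enabled
MAX_IDLE=900            # policy ceiling: seconds an idle session may sit before logout

# Pull the "Int Value" field out of esxcli advanced-setting output read from stdin.
# The anchor keeps "Default Int Value:" from matching.
int_value() {
    sed -n 's/^[[:space:]]*Int Value:[[:space:]]*\([0-9][0-9]*\).*$/\1/p' | head -n 1
}

# Judge one timeout: 0 means "never expires"; anything above the ceiling is too long.
# Prints a verdict and returns 0 only when the value is acceptable.
check_timeout() {
    name=$1; value=$2; max=$3
    if [ -z "$value" ] || [ "$value" -eq 0 ]; then
        echo "FAIL: $name = 0 (never expires)"; return 1
    fi
    if [ "$value" -gt "$max" ]; then
        echo "FAIL: $name = ${value}s exceeds ${max}s"; return 1
    fi
    echo "OK:   $name = ${value}s"; return 0
}

# Judge a service from its `status` text; the shell and SSH should be off when not in use.
# Returns 0 only when the service is reported as not running.
check_service_stopped() {
    name=$1; status=$2
    case $status in
        *"is not running"*) echo "OK:   $name is not running"; return 0 ;;
        *"is running"*)     echo "WARN: $name is running; disable it when troubleshooting ends"; return 1 ;;
        *)                  echo "FAIL: $name status unrecognised: $status"; return 1 ;;
    esac
}

# Constructed sample output shaped like esxcli's, used when esxcli is not on PATH.
SAMPLE_AVAILABILITY='   Path: /UserVars/ESXiShellTimeOut
   Type: integer
   Int Value: 0
   Default Int Value: 0
   Description: (constructed sample) availability timeout in seconds, 0 disables'
SAMPLE_IDLE='   Path: /UserVars/ESXiShellInteractiveTimeOut
   Type: integer
   Int Value: 600
   Default Int Value: 0
   Description: (constructed sample) idle timeout in seconds, 0 disables'

# Read a setting from the host when esxcli exists, otherwise return the constructed sample.
read_setting() {
    if command -v esxcli >/dev/null 2>&1; then
        esxcli system settings advanced list -o "$1"
    else
        case $1 in
            /UserVars/ESXiShellTimeOut)            printf '%s\n' "$SAMPLE_AVAILABILITY" ;;
            /UserVars/ESXiShellInteractiveTimeOut) printf '%s\n' "$SAMPLE_IDLE" ;;
        esac
    fi
}

# Run every check; the return value is the number of failed checks (0 = compliant).
audit_shell_hardening() {
    failures=0
    check_timeout "ESXiShellTimeOut" \
        "$(read_setting /UserVars/ESXiShellTimeOut | int_value)" "$MAX_AVAILABILITY" \
        || failures=$((failures + 1))
    check_timeout "ESXiShellInteractiveTimeOut" \
        "$(read_setting /UserVars/ESXiShellInteractiveTimeOut | int_value)" "$MAX_IDLE" \
        || failures=$((failures + 1))
    for svc in SSH ESXShell; do
        if [ -x "/etc/init.d/$svc" ]; then
            status=$(/etc/init.d/$svc status 2>/dev/null)
        else
            status="$svc is running"   # constructed sample when not on an ESXi host
        fi
        check_service_stopped "$svc" "$status" || failures=$((failures + 1))
    done
    return $failures
}

audit_shell_hardening
rc=$?
echo "audit: $rc check(s) failed"
```

Run it from the ESXi Shell itself (or over SSH) once the shell has been enabled for troubleshooting; on a host it reads the live values, elsewhere it reports against the constructed sample, where the availability timeout of 0 and the running services each produce a finding. Treat a non-zero return as a signal to set the timeouts and stop the services once maintenance ends, which is the same outcome the Host Client procedures above achieve by hand.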