The ESXi Shell provides essential maintenance commands and is deactivated by default on ESXi hosts. You can activate local and remote access to the shell if necessary. To reduce the risk of unauthorized access, activate the ESXi Shell for troubleshooting only.

The ESXi Shell is independent of lockdown mode. Even if the host is running in lockdown mode, you can still log in to the ESXi Shell if it is activated.

The applicable services are as follows.

  ESXi Shell
    Activate this service to access the ESXi Shell locally.
  SSH
    Activate this service to access the ESXi Shell remotely by using SSH.

The root user and users with the Administrator role can access the ESXi Shell. Users who are in the Active Directory group ESX Admins are automatically assigned the Administrator role. By default, only the root user can run system commands (such as vmware -v) by using the ESXi Shell.

Note: Do not activate the ESXi Shell unless you actually need access.

Set Idle Timeout for the ESXi Shell Using the vSphere Client

If you enable the ESXi Shell on a host, but forget to log out of the session, the idle session remains connected indefinitely. The open connection increases the potential for someone to gain privileged access to the host. Prevent this by setting a timeout for idle sessions.

The idle timeout is the amount of time that can elapse before a user is logged out of an idle interactive session. You can control the amount of time for both local and remote (SSH) sessions from the Direct Console Interface (DCUI) or from the vSphere Client.

Procedure

  1. Browse to the host in the vSphere Client inventory.
  2. Click Configure.
  3. Under System, select Advanced System Settings.
  4. Click Edit, select UserVars.ESXiShellInteractiveTimeOut, and enter the timeout setting.
    A value of zero (0) deactivates the idle timeout.
  5. Restart the ESXi Shell service and the SSH service for the timeout to take effect.
    1. Go to System > Services.
    2. One by one, select ESXi Shell and SSH, and click Restart.

Results

If the session is idle, users are logged out after the timeout period elapses.

Set Availability Timeout for the ESXi Shell Using the vSphere Client

The ESXi Shell is deactivated by default. You can set an availability timeout for the ESXi Shell to increase security when you activate the shell.

The availability timeout setting is the amount of time that can elapse before you must log in after the ESXi Shell is activated. After the timeout period, the service is deactivated and users are not allowed to log in.

Procedure

  1. Browse to the host in the vSphere Client inventory.
  2. Click Configure.
  3. Under System, select Advanced System Settings.
  4. Click Edit, and select UserVars.ESXiShellTimeOut.
  5. Enter the availability timeout setting.
  6. Click OK.
  7. Restart the ESXi Shell service and the SSH service for the timeout to take effect.
    1. Go to System > Services.
    2. One by one, select ESXi Shell and SSH, and click Restart.

Results

If you are logged in when the timeout period elapses, your session will persist. However, after you log out or your session is terminated, users are not allowed to log in.

Set Availability Timeout or Idle Timeout for the ESXi Shell Using the DCUI

The ESXi Shell is deactivated by default. To increase security when you activate the shell, you can set an availability timeout, an idle timeout, or both.

The two types of timeout apply in different situations.

  ESXi Shell Idle Timeout
    If a user activates the ESXi Shell on a host, but forgets to log out of the session, the idle session remains connected indefinitely. The open connection can increase the potential for someone to gain privileged access to the host. You can prevent this situation by setting a timeout for idle sessions.
  ESXi Shell Availability Timeout
    The availability timeout determines how much time can elapse before you log in after you initially activate the shell. If you wait longer, the service is deactivated and you cannot log in to the ESXi Shell.

Prerequisites

Activate the ESXi Shell. See Activate Access to the ESXi Shell Using the DCUI.

Procedure

  1. Log in to the ESXi Shell.
  2. From the Troubleshooting Mode Options menu, select Modify ESXi Shell and SSH timeouts and press Enter.
  3. Enter the idle timeout (in seconds) or the availability timeout.
  4. Press Enter and press Esc until you return to the main menu of the Direct Console User Interface.
  5. Click OK.
  6. Restart the ESXi Shell service and the SSH service for the timeout to take effect.
    1. In the vSphere Client, select the host, and go to Configure > System > Services.
    2. One by one, select ESXi Shell and SSH, and click Restart.

Results

  • If you set the idle timeout, users are logged out after the session is idle for the specified time.
  • If you set the availability timeout, and you do not log in before that timeout elapses, logins become deactivated again.

Activate Access to the ESXi Shell Using the vSphere Client

ESXi Shell and SSH interfaces are deactivated by default. Keep these interfaces deactivated unless you are performing troubleshooting or support activities. For everyday activities, use the vSphere Client, where activity is subject to role-based access control and modern access control methods.

Note: Access the host by using the vSphere Client, remote command-line tools (ESXCLI and PowerCLI), and published APIs. Do not activate remote access to the host using SSH unless special circumstances require it.

Prerequisites

If you want to use an authorized SSH key, you can upload it. See ESXi SSH Keys.

Procedure

  1. Browse to the host in the inventory.
  2. Click Configure, then click Services under System.
  3. Manage the ESXi Shell, SSH, or Direct Console UI services.
    1. In the Services pane, select the service.
    2. Click Edit Startup Policy and select the startup policy Start and stop manually.
    3. To activate the service, click Start.
    When you select Start and stop manually, the service does not start when you reboot the host. If you want the service to start when you reboot the host, select Start and stop with host.

What to do next

Set the availability and idle timeouts for the ESXi Shell. See Set Availability Timeout for the ESXi Shell Using the vSphere Client and Set Idle Timeout for the ESXi Shell Using the vSphere Client.
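As an added example that is not part of the VMware documentation, the following PowerCLI script audits the ESXi Shell and SSH services and both timeouts described in the sections above across every host in a connected vCenter, and with -Remediate applies the settings and service restarts those procedures call for. It assumes PowerCLI is installed and Connect-VIServer has already been run; the 600-second thresholds are assumed placeholders for your own policy.

```powershell
# Added example (not from the VMware documentation): audit every host the
# connected vCenter exposes for ESXi Shell / SSH state and timeouts, and
# optionally remediate. Assumes Connect-VIServer has already been run.
# The 600 s thresholds are assumptions; substitute your own policy values.
param(
    [int]$MaxIdleSeconds = 600,          # UserVars.ESXiShellInteractiveTimeOut
    [int]$MaxAvailabilitySeconds = 600,  # UserVars.ESXiShellTimeOut
    [switch]$Remediate
)

foreach ($vmhost in Get-VMHost) {
    # Service keys: TSM = ESXi Shell, TSM-SSH = SSH
    $services = Get-VMHostService -VMHost $vmhost | Where-Object { $_.Key -in 'TSM', 'TSM-SSH' }
    $idle  = Get-AdvancedSetting -Entity $vmhost -Name 'UserVars.ESXiShellInteractiveTimeOut'
    $avail = Get-AdvancedSetting -Entity $vmhost -Name 'UserVars.ESXiShellTimeOut'

    $findings = @()
    foreach ($svc in $services) {
        if ($svc.Running) { $findings += "$($svc.Key) is running" }
        # 'off' is "Start and stop manually"; any other policy brings the shell back on reboot
        if ($svc.Policy -ne 'off') { $findings += "$($svc.Key) startup policy is '$($svc.Policy)'" }
    }
    # A value of 0 deactivates the timeout, so 0 is a finding rather than a pass
    if ([int]$idle.Value -eq 0 -or [int]$idle.Value -gt $MaxIdleSeconds) {
        $findings += "idle timeout is $($idle.Value)"
    }
    if ([int]$avail.Value -eq 0 -or [int]$avail.Value -gt $MaxAvailabilitySeconds) {
        $findings += "availability timeout is $($avail.Value)"
    }

    if ($findings.Count -eq 0) {
        Write-Output "$($vmhost.Name): OK"
        continue
    }
    Write-Output "$($vmhost.Name): $($findings -join '; ')"

    if ($Remediate) {
        Set-AdvancedSetting -AdvancedSetting $idle  -Value $MaxIdleSeconds         -Confirm:$false | Out-Null
        Set-AdvancedSetting -AdvancedSetting $avail -Value $MaxAvailabilitySeconds -Confirm:$false | Out-Null
        foreach ($svc in $services) {
            # "Start and stop manually", as the activation procedure recommends
            Set-VMHostService -HostService $svc -Policy 'off' -Confirm:$false | Out-Null
            # New timeouts only take effect after the service restarts
            if ($svc.Running) { Restart-VMHostService -HostService $svc -Confirm:$false | Out-Null }
        }
    }
}
```

Run without -Remediate first to review the findings; the remediation changes timeouts and startup policies but does not stop a running shell or SSH service, so an active troubleshooting session is not interrupted.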

Activate Access to the ESXi Shell Using the DCUI

The Direct Console User Interface (DCUI) allows you to interact with the host locally using text-based menus. Evaluate whether the security requirements of your environment support activating the Direct Console User Interface.

You can use the Direct Console User Interface (DCUI) to activate local and remote access to the ESXi Shell. You access the Direct Console User Interface from the physical console attached to the host. After the host reboots and loads ESXi, press F2 to log in to the DCUI. Enter the credentials that you created when you installed ESXi.

Note: Changes made to the host using the Direct Console User Interface, the vSphere Client, ESXCLI, or other administrative tools are committed to permanent storage every hour or upon graceful shutdown. If the host fails before the changes are committed, they might be lost.

Procedure

  1. From the Direct Console User Interface, press F2 to access the System Customization menu.
  2. Select Troubleshooting Options and press Enter.
  3. From the Troubleshooting Mode Options menu, select a service to activate.
    • Enable ESXi Shell
    • Enable SSH
  4. Press Enter to activate the service.
  5. Press Esc until you return to the main menu of the Direct Console User Interface.

What to do next

Set the availability and idle timeouts for the ESXi Shell. See Set Availability Timeout or Idle Timeout for the ESXi Shell Using the DCUI.

Log in to the ESXi Shell for Troubleshooting

Perform ESXi configuration tasks with the vSphere Client, ESXCLI, or VMware PowerCLI. Log in to the ESXi Shell (formerly Tech Support Mode or TSM) for troubleshooting purposes only.

Procedure

  1. Log in to the ESXi Shell using one of the following methods.
    • If you have direct access to the host, press Alt+F1 to open the login page on the machine's physical console.
    • If you are connecting to the host remotely, use SSH or another remote console connection to start a session on the host.
  2. Enter a user name and password recognized by the host.