The ESXi Shell interface and the SSH interface are deactivated by default. Keep these interfaces deactivated unless you are performing troubleshooting or support activities. For regular activities, use the vSphere Client, where activity is subject to role-based access control and modern access control methods.
SSH Configuration in ESXi
The SSH configuration in ESXi uses the following settings.
- Version 1 SSH protocol deactivated: VMware does not support Version 1 SSH protocol and uses Version 2 protocol exclusively. Version 2 eliminates certain security problems present in Version 1 and provides you with a safe way to communicate with the management interface.
- Improved cipher strength: SSH supports only 256-bit and 128-bit AES ciphers for your connections.
These settings are designed to provide solid protection for the data you transmit to the management interface through SSH. You cannot change these settings.
ESXi SSH Keys
SSH keys can restrict, control, and secure access to an ESXi host. An SSH key can allow a trusted user or script to log in to a host without entering a password.
You can use HTTPS PUT to copy the SSH key to the host.
Instead of generating the keys externally and uploading them, you can create the keys on the ESXi host and download them. See the VMware knowledge base article at https://kb.vmware.com/s/article/1002866.
Enabling SSH and adding SSH keys to the host has inherent risks. Weigh the potential risk of exposing a user name and password against the risk of intrusion by a user who has a trusted key.
Upload an SSH Key Using HTTPS PUT
You can use authorized keys to log in to a host with SSH. You can upload authorized keys with HTTPS PUT. The following types of key files can be uploaded this way:
- Authorized keys file for root user
- DSA key
- DSA public key
- RSA key
- RSA public key
Procedure
- In your upload application, open the key file.
- Publish the file to the following locations.
| Type of key | Location |
| --- | --- |
| Authorized key files for the root user | https://hostname_or_IP_address/host/ssh_root_authorized_keys You must have full administrator privileges on the host to upload this file. |
| DSA keys | https://hostname_or_IP_address/host/ssh_host_dsa_key |
| DSA public keys | https://hostname_or_IP_address/host/ssh_host_dsa_key_pub |
| RSA keys | https://hostname_or_IP_address/host/ssh_host_rsa_key |
| RSA public keys | https://hostname_or_IP_address/host/ssh_host_rsa_key_pub |
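Because every entry published to /host/ssh_root_authorized_keys becomes a trusted key for root, it helps to inventory the file before uploading it. The following is an added example, not VMware code: it lists each entry's type, RSA size and SHA256 fingerprint and flags lines that are not public keys. The function names, the 2048-bit RSA minimum, the DSA flag and the sample entries are assumptions constructed for illustration.

```python
import base64, hashlib, struct

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-")
MIN_RSA_BITS = 2048  # assumed local policy, not a value from the page

def pack(*fields):  # builds the constructed sample only
    return base64.b64encode(b"".join(struct.pack(">I", len(f)) + f for f in fields)).decode()

def unpack(blob):  # split an SSH key blob into its length-prefixed fields
    fields = []
    while blob:
        (n,) = struct.unpack_from(">I", blob)
        if len(blob) < 4 + n:
            raise ValueError("truncated field")
        fields, blob = fields + [blob[4:4 + n]], blob[4 + n:]
    return fields

def audit(text):
    """Yield (line, type, rsa_bits, fingerprint, problem) for each entry."""
    for no, line in enumerate(text.splitlines(), 1):
        tok = line.split()
        if not tok or tok[0].startswith("#"):
            continue
        # Options such as from="..." may precede the key type, so search for it.
        i = next((k for k, t in enumerate(tok) if t.startswith(KEY_TYPES)), None)
        try:
            blob = base64.b64decode(tok[i + 1], validate=True)
            fields = unpack(blob)
        except (TypeError, IndexError, ValueError, struct.error):
            yield (no, None, 0, None, "not a public key entry")
            continue
        ktype, problem = tok[i], None
        rsa = ktype == "ssh-rsa" and len(fields) == 3
        bits = int.from_bytes(fields[2], "big").bit_length() if rsa else 0
        digest = base64.b64encode(hashlib.sha256(blob).digest()).decode()
        if fields[:1] != [ktype.encode()]:
            problem = "declared type does not match blob"
        elif ktype == "ssh-dss":
            problem = "DSA key"
        elif ktype == "ssh-rsa" and bits < MIN_RSA_BITS:
            problem = "RSA modulus below policy minimum"
        yield (no, ktype, bits, "SHA256:" + digest.rstrip("="), problem)

E = b"\x01\x00\x01"  # constructed sample: well-formed blobs, not real keys
SAMPLE = "\n".join([
    "ssh-rsa " + pack(b"ssh-rsa", E, b"\x00\x80" + bytes(254) + b"\x01") + " backup",
    'from="192.0.2.10" ssh-rsa ' + pack(b"ssh-rsa", E, b"\x00\x80" + bytes(126) + b"\x01"),
    "ssh-dss " + pack(b"ssh-dss", b"\x01", b"\x01", b"\x01", b"\x01") + " old-host",
    "-----BEGIN OPENSSH PRIVATE KEY-----",
])
```

Iterating over `audit(SAMPLE)` reports one clean 2048-bit RSA entry, a 1024-bit RSA entry, a DSA entry, and a private-key header that must not be published to the authorized keys location.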