The ESXi Shell interface and the SSH interface are deactivated by default. Keep these interfaces deactivated unless you are performing troubleshooting or support activities. For regular activities, use the vSphere Client, where activity is subject to role-based access control and modern access control methods.

SSH Configuration in ESXi

The SSH configuration in ESXi uses the following settings.

Version 1 SSH protocol deactivated
    VMware does not support Version 1 SSH protocol and uses Version 2 protocol exclusively. Version 2 eliminates certain security problems present in Version 1 and provides you with a safe way to communicate with the management interface.

Improved cipher strength
    SSH supports only 256-bit and 128-bit AES ciphers for your connections.

These settings are designed to provide solid protection for the data you transmit to the management interface through SSH. You cannot change these settings.

ESXi SSH Keys

SSH keys can restrict, control, and secure access to an ESXi host. An SSH key can allow a trusted user or script to log in to a host without entering a password.

You can use HTTPS PUT to copy the SSH key to the host.

Instead of generating the keys externally and uploading them, you can create the keys on the ESXi host and download them. See the VMware knowledge base article at https://kb.vmware.com/s/article/1002866.

Enabling SSH and adding SSH keys to the host has inherent risks. Weigh the potential risk of exposing a user name and password against the risk of intrusion by a user who has a trusted key.

Upload an SSH Key Using HTTPS PUT

You can use authorized keys to log in to a host with SSH. You can upload authorized keys with HTTPS PUT.

Authorized keys allow you to authenticate remote access to a host. When users or scripts try to access a host with SSH, the key provides authentication without a password. With authorized keys you can automate authentication, which is useful when you write scripts to perform routine tasks.

You can upload the following types of SSH keys to a host using HTTPS PUT:
  • Authorized keys file for root user
  • DSA key
  • DSA public key
  • RSA key
  • RSA public key

Important: Do not modify the /etc/ssh/sshd_config file.

Procedure

  1. In your upload application, open the key file.
  2. Publish the file to the following locations.
    Type of key                               Location
    Authorized key files for the root user    https://hostname_or_IP_address/host/ssh_root_authorized_keys
                                              You must have full administrator privileges on the host to upload this file.
    DSA keys                                  https://hostname_or_IP_address/host/ssh_host_dsa_key
    DSA public keys                           https://hostname_or_IP_address/host/ssh_host_dsa_key_pub
    RSA keys                                  https://hostname_or_IP_address/host/ssh_host_rsa_key
    RSA public keys                           https://hostname_or_IP_address/host/ssh_host_rsa_key_pub
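A pre-upload review for step 1, as an added example that is not part of VMware's documentation: it lists the fingerprint of every key an authorized keys file would trust, rejects malformed entries and private key material, and builds the PUT request for the root authorized keys location without sending it. The host name esxi01.example.test and the sample key are constructed; authentication and sending are left to your upload application.

```python
import base64, hashlib, struct
from urllib.request import Request

# Path from the table above; the host name is supplied by the caller.
ROOT_KEYS_PATH = "/host/ssh_root_authorized_keys"

def parse_entry(line):
    """Return (key_type, fingerprint, comment) for one authorized_keys line."""
    fields = line.split()
    # OpenSSH allows options before the key type, so look for the first
    # base64 blob whose embedded type string equals the field before it.
    for i in range(1, len(fields)):
        try:
            blob = base64.b64decode(fields[i], validate=True)
            (n,) = struct.unpack(">I", blob[:4])
            embedded = blob[4:4 + n].decode("ascii")
        except (ValueError, struct.error):
            continue
        if embedded == fields[i - 1]:
            digest = base64.b64encode(hashlib.sha256(blob).digest()).decode()
            return embedded, "SHA256:" + digest.rstrip("="), " ".join(fields[i + 1:])
    raise ValueError("not a valid public key entry: %r" % line[:40])

def review_keys(text):
    """Validate a whole authorized_keys file; list every key it would trust."""
    if "PRIVATE KEY-----" in text:
        raise ValueError("private key material does not belong in this file")
    lines = [l.strip() for l in text.splitlines()]
    entries = [parse_entry(l) for l in lines if l and not l.startswith("#")]
    if not entries:
        raise ValueError("no keys found")
    return entries

def build_put(host, text):
    """Build, but do not send, the HTTPS PUT for the root authorized keys file."""
    review_keys(text)  # refuse to publish a file that fails review
    return Request("https://%s%s" % (host, ROOT_KEYS_PATH),
                   data=text.encode("utf-8"), method="PUT")

def sample_line():
    # Constructed, non-functional RSA blob: type, exponent, dummy modulus.
    parts = [b"ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\xc3" * 256]
    blob = b"".join(struct.pack(">I", len(p)) + p for p in parts)
    return "ssh-rsa %s backup-script@example" % base64.b64encode(blob).decode()

if __name__ == "__main__":
    for entry in review_keys("# constructed sample\n" + sample_line() + "\n"):
        print(*entry)
    print(build_put("esxi01.example.test", sample_line()).full_url)
```

Recording the printed fingerprints alongside the change gives you a list of exactly which keys the host trusts after the upload.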