VMware vSphere ESXi Shell Time out settings

Any user with the Administrator role can execute system commands (such as vmware -v) using the ESXi Shell. If a user enables the ESXi Shell on a host, but forgets to log out of the session, the idle session remains connected indefinitely. The open connection can increase the potential for someone to gain privileged access to the host.

There are 2 timeout settings you should enable to control ESXi shell sessions:

  1. ESXi Shell Availability – ESXiShellTimeOut
    – How long the ESXi Shell and SSH services are allowed to run
  2. Idle ESXi Shell Sessions – ESXiShellInteractiveTimeOut
    – How long a shell session can remain inactive before being terminated.

There are different ways to configure these timeout settings, some in minutes and some in seconds.

  1. vSphere Client uses seconds
  2. vSphere Web Client uses seconds
  3. vSphere API PowerCLI uses seconds
  4. Direct Console User Interface (DCUI) uses minutes

The maximum timeout value allowed is 24 hours, 1440 minutes, or 86400 seconds.

The ESXi Shell (formerly Tech Support Mode or TSM) is disabled by default on ESXi. You can enable local and remote access to the shell if necessary.

  • ESXi Shell – Enable this service to access the ESXi Shell from the local Keyboard, Video, Mouse (KVM) console.
  • Secure Shell (SSH) – Enable this service to access the ESXi Shell remotely using the SSH protocol over the network (TCP port 22).
  • Direct Console UI (DCUI) – When you enable this service while running in lockdown mode, you can log in locally to the Direct Console User Interface (DCUI) as a user with the DCUI Access privilege and disable lockdown mode or enable shell access.

Only users with the Administrator role can access the ESXi Shell. Users who are in the Active Directory group ESX Admins are automatically assigned the Administrator role.

https://pubs.vmware.com/vsphere-51/topic/com.vmware.vsphere.security.doc/GUID-A1D310D7-F00B-4827-9469-EC2C318A0C30.html

Here are some screenshots with examples for reference:

Web Client

[Image]

[Image]

DCUI

[Image]

PowerCLI

Use PowerGUI from Dell / Quest to make working with PowerCLI and PowerShell easier.

https://vmsec.wordpress.com/2014/06/13/powershell-powercli-powergui-microsoft-windows-cloud-automation-tools-for-vmware-vsphere-administrators/

To set these with PowerCLI, use the Set-AdvancedSetting cmdlet. In the example below, ESXiShellInteractiveTimeOut is set to 5 minutes (300 seconds) on the host esx01:

Get-VMHost esx01 | Get-AdvancedSetting -Name 'UserVars.ESXiShellInteractiveTimeOut' | Set-AdvancedSetting -Value "300" -Confirm:$false
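
To check and enforce both timeouts on every host rather than one, the following PowerCLI script is an added example (not part of the original post or of Sam McGeown's page). It assumes an existing Connect-VIServer session, treats a value of 0 as "timeout disabled", and uses 900 seconds as a sample target; the variable names and the $apply switch are illustrative.

```powershell
# Added example: audit (and optionally fix) ESXi Shell timeouts on all hosts.
# Assumes Connect-VIServer has already been run. Target values are samples.
$apply      = $false   # $false = report only, $true = change non-compliant hosts
$maxSeconds = 86400    # 24-hour maximum stated in the article
$targets = @{
    'UserVars.ESXiShellTimeOut'            = 900  # how long ESXi Shell/SSH may stay enabled
    'UserVars.ESXiShellInteractiveTimeOut' = 900  # idle shell session limit
}

# Reject targets outside 1..86400 before touching any host.
foreach ($name in $targets.Keys) {
    if ($targets[$name] -lt 1 -or $targets[$name] -gt $maxSeconds) {
        throw "Target for $name must be between 1 and $maxSeconds seconds"
    }
}

$report = foreach ($vmhost in Get-VMHost) {
    foreach ($name in $targets.Keys) {
        $setting = Get-AdvancedSetting -Entity $vmhost -Name $name
        if (-not $setting) {
            Write-Warning "$($vmhost.Name): setting $name not found"
            continue
        }
        $before = [int]$setting.Value
        # Non-compliant: timeout disabled (0) or longer than the target.
        $nonCompliant = ($before -eq 0) -or ($before -gt $targets[$name])
        if ($nonCompliant -and $apply) {
            Set-AdvancedSetting -AdvancedSetting $setting `
                -Value $targets[$name] -Confirm:$false | Out-Null
        }
        # Re-read the value so the report shows what the host holds now.
        $after = [int](Get-AdvancedSetting -Entity $vmhost -Name $name).Value
        [pscustomobject]@{
            VMHost       = $vmhost.Name
            Setting      = $name
            Before       = $before
            After        = $after
            NonCompliant = $nonCompliant
            Changed      = ($before -ne $after)
        }
    }
}

$report | Sort-Object VMHost, Setting | Format-Table -AutoSize
```

Run it once with $apply = $false to see which hosts have the timeouts disabled or set too long, then set $apply = $true to remediate them.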

 


Many thanks to Sam McGeown for his great page with all these details: http://www.definit.co.uk/2013/10/vsphere-security-advanced-ssh-configurations/#more-2026


 

4 thoughts on “VMware vSphere ESXi Shell Time out settings”

  1. Thanks for the info. Could you give the PowerCLI command for all the esxi hosts? I can’t get the following to work:
    (Get-VMHost | Foreach) | Get-AdvancedSetting -Name ‘UserVars.ESXiShellInteractiveTimeout’ | Set-AdvancedSetting -Value “900” -Confirm:$false

  2. There’s a typo. It should be ‘UserVars.ESXiShellInteractiveTimeOut’, rather than ‘UserVars.ESXiShellInteractiveTimeout’. The “O” in “TimeOut” needs to be capitalized.
