Friday, 5 February 2016

ESXi Shell, SSH and DCUI Timeout Settings in vSphere 6.0

Any user with the Administrator role can execute system commands using the ESXi Shell. If a user enables the ESXi Shell on a host, but forgets to log out of the session, the idle session remains connected indefinitely. The open connection can increase the potential for someone to gain privileged access to the host.

There are 2 timeout settings you should enable to control ESXi Shell and SSH sessions. These are not new settings; they were present in ESXi 5 as well.
ESXi Shell Availability – ESXiShellTimeOut – How long the ESXi Shell and SSH services will run. After this timeout interval the services are stopped automatically and one cannot connect with the ESXi Shell or SSH.
Steps:-
1. Configure this timeout value from the DCUI (you can even use vSphere Client, vSphere Web Client or PowerCLI)
2. After configuring this timeout, enable the ESXi Shell and SSH


Idle ESXi Shell Sessions – ESXiShellInteractiveTimeOut – How long a shell session can remain inactive before being automatically terminated. Because this is only an idle session timeout, new sessions can be started again after a termination.

From DCUI:-


From vSphere Web Client:-



DCUI Timeout Setting:-
This is new in vSphere 6.0 – How long a DCUI session can remain inactive before being automatically terminated.

From DCUI:-


From vSphere Web Client:-


These timeout settings are configured in different units depending on the tool, some in minutes and some in seconds:-
1. vSphere Client uses seconds
2. vSphere Web Client uses seconds
3. vSphere API / PowerCLI uses seconds
4. Direct Console User Interface (DCUI) uses minutes

To set these with PowerCLI, use the Set-AdvancedSetting cmdlet. In the example below, ESXiShellInteractiveTimeout is set to 5 minutes (300 seconds) on the host.

Get-VMHost esxi | Get-AdvancedSetting -Name 'UserVars.ESXiShellInteractiveTimeout' | Set-AdvancedSetting -Value "300"
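
An added audit example (not from the original post) that checks the three timeouts described above and reports each value in both seconds and minutes, since the tools disagree on units. The setting name UserVars.DcuiTimeOut, the maximums other than 300 seconds, the function name and the host name in the sample data are assumptions of this example.

```powershell
# Maximum allowed values in seconds. Assumed policy values, except 300,
# which mirrors the post's example. Hashtable lookups are case-insensitive.
$MaxSeconds = @{
    'UserVars.ESXiShellTimeOut'            = 900   # assumed
    'UserVars.ESXiShellInteractiveTimeOut' = 300   # from the post's example
    'UserVars.DcuiTimeOut'                 = 600   # assumed
}

function Test-EsxiTimeoutSetting {   # hypothetical helper name
    [CmdletBinding()]
    param(
        # Objects with Entity, Name and Value, as Get-AdvancedSetting returns
        [Parameter(Mandatory, ValueFromPipeline)] $Setting,
        [hashtable] $Limit = $MaxSeconds
    )
    process {
        # Ignore any setting this audit does not cover
        if (-not $Limit.ContainsKey($Setting.Name)) { return }
        $seconds = [int]$Setting.Value
        $status = if ($seconds -eq 0) { 'Disabled' }   # 0 turns the timeout off
        elseif ($seconds -gt $Limit[$Setting.Name]) { 'TooLong' }
        else { 'OK' }
        [pscustomobject]@{
            Host    = "$($Setting.Entity)"
            Name    = $Setting.Name
            Seconds = $seconds                         # unit used by clients and PowerCLI
            Minutes = [math]::Round($seconds / 60, 1)  # unit shown in the DCUI
            Status  = $status
        }
    }
}

# Constructed sample input so the check runs without a vCenter connection.
$sample = @(
    [pscustomobject]@{ Entity = 'esxi01.example'; Name = 'UserVars.ESXiShellTimeOut';            Value = 0 }
    [pscustomobject]@{ Entity = 'esxi01.example'; Name = 'UserVars.ESXiShellInteractiveTimeOut'; Value = 300 }
    [pscustomobject]@{ Entity = 'esxi01.example'; Name = 'UserVars.DcuiTimeOut';                 Value = 3600 }
)
$sample | Test-EsxiTimeoutSetting | Format-Table -AutoSize

# Against live hosts (requires PowerCLI and an active Connect-VIServer session):
# Get-VMHost | Get-AdvancedSetting -Name 'UserVars.*TimeOut' | Test-EsxiTimeoutSetting
```

With the sample data, the availability timeout is reported as Disabled, the idle timeout as OK and the DCUI timeout as TooLong.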
