I performed security hardening on an ESXi 5 host (test area), and I cannot figure out what portion of it is causing the ESXi Shell service to keep stopping. Lockdown mode is not enabled, the SSH service is running when I look at the GUI, and when I F2 and log in via the DCUI it shows that "ESXi Shell is Enabled". Under that same area it shows "SSH is Enabled", and under the firewall, SSH server is checked and running.
I'm hoping someone knows exactly what it is. Of course I changed some of the files, sshd_config and such, but I don't know if that is affecting this. This isn't causing an issue since it's just a test host, but after going through all those pages, I just can't figure out what is stopping this.
I need to make a correction. When I log into the DCUI under "Troubleshooting Mode Options" even if I Enable ESXi Shell here, in a second or two, it gets set back to disabled.
Did you modify the ESXiShellInteractiveTimeOut or ESXiShellTimeOut options? These settings can reset a manually enabled shell. Check the values with these commands:
# esxcfg-advcfg -g /UserVars/ESXiShellInteractiveTimeOut
# esxcfg-advcfg -g /UserVars/ESXiShellTimeOut
Also see:
http://blogs.vmware.com/vsphere/2012/09/vsphere-5-1-new-esxishellinteractivetimeout.html
Thanks, I did set the ESXiShellTimeout to 15 minutes, but it's not the problem. I actually have two hosts that have been STIG'd, but for some reason I can connect to one, but not the other. I'll really look through the guide again, I had to have set something up incorrectly.
Oh my... thank you. Without a doubt, the timeout was set to 15 minutes, I just looked at it and responded, but I decided to just disable the value, so I set it back to 0. Well, that did it. I can't believe it. I definitely had it at 15 minutes, not 1 or anything. Because the timeout was at 15 minutes, I probably would not have thought about it until you brought it up. I did patch one of the hosts and not the other, so maybe there is something in the patch notes. Thank you so much.
I think I vaguely remember some inconsistency about how these values are interpreted, in minutes or seconds.
This article talks about seconds too:
http://www.punchingclouds.com/2012/10/24/managing-multiple-terminal-session-timeouts-for-esxi/
Can you test that?
Wow, talk about feeling like an idiot. The timeout value is in seconds, I'll be taking that remedial VMware class now.
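Added example, not part of the thread: a small POSIX sh check that reads the output of the two `esxcfg-advcfg -g` commands above and flags a timeout that was probably entered in minutes while the host reads it as seconds. The function names, the 60-second threshold and the "Value of NAME is N" output format are assumptions made for this example; the sample lines are constructed.

```shell
#!/bin/sh
# Classify one timeout value, interpreted as SECONDS.
# Prints: disabled (0), suspect (1-59, likely typed as minutes), ok, or invalid.
classify_timeout() {
    case "$1" in
        ''|*[!0-9]*) echo invalid; return 1 ;;
    esac
    if [ "$1" -eq 0 ]; then
        echo disabled
    elif [ "$1" -lt 60 ]; then      # assumed threshold for "unit mistake"
        echo suspect
    else
        echo ok
    fi
}

# Read `esxcfg-advcfg -g` output on stdin and report each shell timeout.
# Assumed line format: "Value of ESXiShellTimeOut is 15"
audit_timeouts() {
    while read -r w1 w2 name w4 value; do
        case "$name" in
            ESXiShellTimeOut|ESXiShellInteractiveTimeOut) ;;
            *) continue ;;          # ignore unrelated lines
        esac
        verdict=$(classify_timeout "$value") || verdict=invalid
        echo "$name=${value}s $verdict"
    done
}

# Constructed sample: 15 was meant as minutes, 900 is 15 minutes in seconds.
sample_output() {
    printf '%s\n' \
        'Value of ESXiShellTimeOut is 15' \
        'Value of ESXiShellInteractiveTimeOut is 900'
}

# On a host: esxcfg-advcfg -g /UserVars/ESXiShellTimeOut | audit_timeouts
sample_output | audit_timeouts
```

A `suspect` result matches the symptom in this thread: the shell is enabled and then disabled again within seconds.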