VMware Cloud Community
Ling80
Contributor

technical advice required on ESXiShellInteractiveTimeOut security setting

Hi Team,

I need technical and expert advice here.

I saw there is a new security feature recommended since VMware vSphere 5.5, which is the possibility to "create Timeout for Idle ESXi Shell Sessions" by going to the UserVars.ESXiShellInteractiveTimeOut field and entering the availability timeout setting.

This helps increase security: if a user logs in to the ESXi Shell on a host via PuTTY but forgets to log out of the session, the idle session remains connected continuously. The open connection can increase the potential for unauthorized access.

But my engineering team has rejected my idea on this. The reason they gave is that sometimes administrators use SSH (using PuTTY) sessions to copy data (VMs, memory dumps, etc.). They said that during this activity no keystrokes are being sent to the session, and therefore the session will be terminated. This causes the process running behind it to be interrupted and stopped.

Is it true that a background process such as copying data will be terminated due to the exit of the PuTTY/ESXi Shell session after the session times out? I thought it is independent?

I hope to get an expert explanation and confirmation in this area.

Your help is much appreciated.

https://pubs.vmware.com/vsphere-51/index.jsp?topic=%2Fcom.vmware.vsphere.security.doc%2FGUID-A1D310D...

3 Replies
mhampto
VMware Employee

After talking to some of the team here, the SSH timeout at this time will close sessions at the set time regardless of activity.

senthilkumarms8
Enthusiast

Your background processes, such as copying data and other processes, will not be terminated. Only the user logon session will be disconnected.

Sundararajan
Enthusiast

The ESXi Shell timeout setting specifies how long you can leave an unused session open. By default, the timeout for the ESXi Shell is 0, which means the session remains open even if it is unused. If you change the timeout, for example, to 30 minutes, you have to log in again after the timeout period has elapsed.

The unit of measurement for the timeout is seconds in the ESXi Shell and minutes in the vSphere Client.

Note: If you are logged in when the timeout period elapses, your session will persist. However, the ESXi Shell will be disabled, preventing other users from logging in.

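For anyone auditing hosts for the setting discussed in this thread, the following is an added example (not part of any reply above, and not VMware's code) that reads UserVars.ESXiShellInteractiveTimeOut with esxcli, in seconds, and flags a value of 0 or one above a policy ceiling. The `MAX_IDLE` ceiling of 900 seconds and the sample esxcli output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the ESXi Shell idle timeout against a local policy.
# MAX_IDLE is an assumed policy ceiling in seconds, not a value from the thread.
MAX_IDLE=${MAX_IDLE:-900}
OPT=/UserVars/ESXiShellInteractiveTimeOut

# Constructed, abridged sample of `esxcli system settings advanced list -o "$OPT"`,
# used only when esxcli is not on PATH (that is, when run off-host).
sample_output() {
cat <<'EOF'
   Path: /UserVars/ESXiShellInteractiveTimeOut
   Type: integer
   Int Value: 0
   Default Int Value: 0
EOF
}

# Print the configured value. The anchor on leading spaces keeps the
# "Default Int Value:" line from matching. Exits 1 if the field is absent.
parse_timeout() {
    awk -F': *' '/^ *Int Value:/ { print $2; found = 1; exit } END { if (!found) exit 1 }'
}

# Classify a timeout given in seconds: 0 = PASS, 1 = policy failure, 2 = bad input.
classify() {
    case "$1" in
        ''|*[!0-9]*) echo "ERROR: unparseable value '$1'"; return 2 ;;
    esac
    if [ "$1" -eq 0 ]; then
        echo "FAIL: idle timeout disabled (0)"; return 1
    elif [ "$1" -gt "$MAX_IDLE" ]; then
        echo "FAIL: idle timeout ${1}s exceeds policy ${MAX_IDLE}s"; return 1
    fi
    echo "PASS: idle timeout ${1}s"
}

# Read the live setting on an ESXi host, or fall back to the constructed sample.
audit() {
    if command -v esxcli >/dev/null 2>&1; then
        out=$(esxcli system settings advanced list -o "$OPT")
    else
        out=$(sample_output)
    fi
    val=$(printf '%s\n' "$out" | parse_timeout) || { echo "ERROR: option not found"; return 2; }
    classify "$val"
}

# On failure, print the command that would bring the host into policy.
audit || echo "remediate: esxcli system settings advanced set -o $OPT -i $MAX_IDLE"
```
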