VMware Cloud Community
mwerber
Contributor
Contributor

How to Configure SSH/Console Timout in ESXi 5

Hi All,

I am trying to set a console / Tech Support Mode / SSH idle-session timeout and, so far, have had no luck.

From within vCenter, I have gone to ESX Host -> Configuration -> Advanced Settings -> UserVars -> UserVars.ESXiShellTimeout and set this to a value of "5". I then rebooted the ESXi host and confirmed that the timeout value 'stuck' with the host - which it did.

Next, I connected to the host with Putty via SSH, and I also logged in directly via the console to TSM.

The configuration screen describes the timeout value as being in seconds. I've waited for both five seconds and five minutes - and my shell & TSM sessions have not been disconnected. I also tried a simple "export TMOUT=5" from the console, without success.

Does anyone have any advice?

Your help is much appreciated.

~MW

Reply
0 Kudos
9 Replies
Troy_Clavell
Immortal
Immortal

have you tried restarting the managment agents?

Reply
0 Kudos
mwerber
Contributor
Contributor

Thank you for the advice. I was under the impression restarting the ESXi 5 host would also restart the management network.

I just finished restarting the Management Agents via the 'admin' (F2) screen from the console. This does not seem to have worked.

Let me qualify my question with the fact that I'm running ESXi 5 in Workstation 8 and that I am not an experienced VMWare administrator.

Thanks again.

Reply
0 Kudos
Troy_Clavell
Immortal
Immortal

when you F2 to login, you'll arrow down to "Troubleshooting Options" Then to "Restart Managment Agents"  This is different then "Restart Managment Network".  I"m not saying it will work, but that would be the first thing I would try.  It appears you have the settings configured properly.

Reply
0 Kudos
mwerber
Contributor
Contributor

Troy,

Thanks again for the info. The first time around, I did restart the Management Network, as opposed to the Management Agents.

However, restarting the Management Agents has still not helped.

At this point, I'm going to reset the host to default settings and reconfigure the timeout through vCenter as I did the first time. Maybe something I did along the way is interfering with this setting.

Thanks again. When I have time, I'll post results.

Reply
0 Kudos
mwerber
Contributor
Contributor

The following was unsuccessful:

1) Using 'F2' options from the ESXi 5 console, I performed a 'Reset System Configuration' and rebooted the host

2) Using 'F2' options from the console, I enabled ESXi Console and ESXi Shell from the Troubleshooting Options menu.

3) Using vSphere, I configured Advanced Settings -> UserVars -> ESXiShellTimeout to a value of '20' - which, according to the GUI, is in seconds.

4) Using 'F2' options from the console, I restarted the Management Agents from the Troubleshooting Options menu

5) Logged in to ESXi directly via console, waited 20 seconds (and 20 minutes), without session being disconnected.

6) Logged in to ESXi via Putty/SSH, waited 20 seconds (and 20 minutes), without session being disconnected.

7) Confused

😎 Verified via vSphere that the timeout setting I set in Step 3 was still set to '20'

Any suggestions?

Reply
0 Kudos
m_grewnow
Contributor
Contributor

Were you ever successful in having ssh timeout?  I performed many of the same steps as you and could never have ssh timeout...  Not only irritating in the fact it does not work is that some documentation, VMware's own, states to set it in minutes where as the actual advanced settings interface clearly states seconds.

Can anyone confirm this setting actually functions properly?  Thanks.

Reply
0 Kudos
mwerber
Contributor
Contributor

No, never got it. Haven't tried since those posts. I agree, frustrating - especially as an it auditor!

Sent from my iPhone

Reply
0 Kudos
etolsen
Contributor
Contributor

Although I didn't validate the following, this may be the source of your frustration.

This is the VMware documented result of setting the UserVars.ESXiShellInteractiveTimeOut:

"If you are logged in when the timeout period elapses, your session will persist. However, after you log out or your session is terminated, users are not allowed to log in"

Note the first sentence...the session is persistent (no timeout) when open.  This statement as well as the second sentence implies that the session connection must be terminated for the ESXiShellInteractiveTimeOut to be effective.

As such, if your attempting to close an inactive session, the following is recommended by VMware:

VMware vSphere 5.1

You can set a timeout for idle vSphere Client sessions. This allows you to close sessions automatically, which reduces the potential for unauthorized users to access vCenter Server.

On each Windows system where the vSphere Client is installed, verify that an idle timeout is set.

You can specify the idle timeout as a parameter in the vpxClient.exe.config file (typically, C:\Program Files\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe.config).

Alternatively, advise users to run the vSphere Client executable with a flag set for the timeout value (for example, vpxClient.exe -inactivityTimeout 5, where 5 is five minutes).

This client-side setting can be changed by the user. After you set the default timeout value, periodically audit the configuration file.

Reply
0 Kudos
Texiwill
Leadership
Leadership

Hello,

Often this is controlled by the SSH server itself not the shell. You can also be controlled by the client...

Check out https://docs.oseems.com/general/application/ssh/disable-timeout/

There is always more than one way to handle a security control.

Best regards,
Edward L. Haletky aka Texiwill
VMware Communities User Moderator, VMware vExpert 2009-2017

Virtualization and Cloud Security Analyst: TVP Strategy

Blue Gears Blog: vSphere Upgrade Saga

Podcast: Virtualization and Cloud Security Round Table Podcast

GitHub: https://github.com/Texiwill

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
Reply
0 Kudos