hkito
Enthusiast

SSH should be enabled?

Hi,

Should SSH be kept enabled or not on the VM host?

Or just enable it if needed?

Thanks

admin
Immortal

Hi,

It's advised to have SSH disabled by default and enabled only when needed. That is the reason why you see a warning come up on the ESXi Summary tab when SSH is enabled.

--Avinash

hkito
Enthusiast

Hi,

But once the host can't be accessed through vCenter, how do I check it if SSH is not enabled?

Thanks

npadmani
Virtuoso

Two ways to check it.

1) DCUI -> Troubleshooting Options

2) Log in directly to your ESXi host using vSphere Client and go to Configuration -> Security Profile (provided that your host didn't have Lockdown mode enabled).

Narendra Padmani VCIX6-DCV | VCIX7-CMA | VCI | TOGAF 9 Certified
admin
Immortal

Hi,

Since the host is not responding in vCenter Server, try launching a vSphere Client to the ESXi host directly. If that still fails, you could use KVM or DCUI -- Troubleshooting Options -- Enable SSH.

--Avinash

hkito
Enthusiast

I have had an experience where vCenter can't connect to the host, and otherwise it can't be managed through DCUI (frozen).

  • VM "disconnected" (no vMotion to other hosts) but available to VNC / connect
  • Host "not responding"

Under this situation, is there any way to check or fix?


Thanks

admin
Immortal

Hi,

I suspect a storage issue and the management agents are hung. You need to look into the logs: vmkernel and hostd.

-- Avinash


I strongly disagree with the opinion that SSH should be disabled by default. That opinion is both arbitrary and fails to take into account the overall security of the Management Network.

  1. SSH is encrypted
  2. SSH will be required for most support situations
  3. Enabling SSH for ESXi takes time (may be 30 seconds, may be several minutes - depending on how you go about enabling it)

Bottom line is that, when my management network is itself insecure, then enabling SSH by default may not be a good idea. If, however, my management network exists in a bunker underground somewhere and is not connected to the internet and/or other networks, SSH should not be a vulnerability!

Furthermore, as an administrator, my mission (and a large part of the purpose of vSphere) is to make my organization's mission-critical applications as available as possible. Given a secure Management Network, if there were to be a vSphere outage affecting mission-critical services, I believe it is contraindicated to take any extra time at all in order to enable SSH and begin the diagnosis/recovery process!

+The Invisible Admin+ If you find me useful, follow my blog: http://johnborhek.com/
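Whichever side of this thread you take, it helps to know which hosts actually have SSH running, what the service startup policy is, and whether Lockdown mode is on. The PowerCLI sketch below is an added example, not code from any poster in this thread; it assumes VMware PowerCLI is installed, `Connect-VIServer` has already been run, and vSphere 6.0 or later (for the `LockdownMode` property). The function name `Get-EsxiSshPosture` is hypothetical.

```powershell
# Added example: report SSH service posture for every ESXi host in the session.
# Assumes an existing Connect-VIServer session; Get-EsxiSshPosture is a made-up name.
function Get-EsxiSshPosture {
    param([Parameter(ValueFromPipeline = $true)] $VMHost)
    process {
        $row = [ordered]@{
            Host         = $VMHost.Name
            State        = $VMHost.ConnectionState
            SshRunning   = $null
            SshPolicy    = $null
            ShellTimeout = $null
            Lockdown     = $null
            Finding      = 'ok'
        }
        # A "not responding" host cannot be queried through vCenter at all;
        # that is the case where DCUI/KVM is the only way to check or enable SSH.
        if ($VMHost.ConnectionState -notin 'Connected', 'Maintenance') {
            $row.Finding = 'unreachable: check via DCUI -> Troubleshooting Options'
            return [pscustomobject]$row
        }
        # TSM-SSH is the service key of the SSH daemon on ESXi.
        $ssh = Get-VMHostService -VMHost $VMHost | Where-Object { $_.Key -eq 'TSM-SSH' }
        # Seconds after which an enabled shell/SSH service is switched off again (0 = never).
        $timeout = Get-AdvancedSetting -Entity $VMHost -Name 'UserVars.ESXiShellTimeOut'
        $row.SshRunning   = $ssh.Running
        $row.SshPolicy    = $ssh.Policy          # on / off / automatic
        $row.ShellTimeout = $timeout.Value
        $row.Lockdown     = $VMHost.ExtensionData.Config.LockdownMode
        if ($ssh.Policy -eq 'on') {
            $row.Finding = 'SSH starts with the host (enabled by default)'
        } elseif ($ssh.Running -and $timeout.Value -eq 0) {
            $row.Finding = 'SSH running with no auto-disable timeout'
        } elseif ($ssh.Running) {
            $row.Finding = 'SSH running temporarily'
        }
        [pscustomobject]$row
    }
}

Get-VMHost | Get-EsxiSshPosture | Sort-Object Finding | Format-Table -AutoSize

# To return one host to "enabled only when needed" (uncomment to apply):
# $svc = Get-VMHostService -VMHost 'esxi01.example.local' | Where-Object Key -eq 'TSM-SSH'
# Stop-VMHostService -HostService $svc -Confirm:$false
# Set-VMHostServicePolicy -HostService $svc -Policy Off
```

The host name `esxi01.example.local` is a constructed placeholder.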