10 Replies Latest reply: Sep 7, 2011 11:26 AM by Dracolith RSS

    How to disable alarm about enabled shell access...

    vlho Hot Shot

      Hi all,

       

      I had problem in vCenter Server 5.0.  Poisonous (for me) alert /warning about fact than I have enable local and remote shell.

      See picture below...

       

      Solution? Disable this by setup:

      Configuration - Software - Advanced Settings - UserVars - UserVars.SuppressShellWarning  = 1

      Oof...

       

      Alert.jpg

        • 1. Re: How to disable alarm about enabled shell access...
          DSTAVERT Guru User Moderators

          Are you wanting to disable the warning or disable console and SSH access? You can disable the SSH and Console access from the DCUI (yellow screen) or the vSphere Client. I believe that if you restart the HOST the warning will go away. Try restarting the management agents??

          • 2. Re: How to disable alarm about enabled shell access...
            vlho Hot Shot

            Hi DSTAVERT,

             

            I want and I need to enable local and remote shell access.
            I don't want to show warning for these.  
            After restart of management agents or restart of esxi 5.0 warning is shown again.
            I know that restart works in vSphere 4.x but only my tip helps in version ESXi 5.0!

            Try it and you'll see ...

            • 3. Re: How to disable alarm about enabled shell access...
              Nithin Krishnan Expert VMware Employees

              Steps

              - Press F2 and Enter in to the Direct console access

              - In the menu go to trouble shooting option and press enter to go to sub menu

              - Enable SSh and ESXi Shell

              - Restart the management agent. This should enable ssh and Local shell for you

               

              thanks

              Nithin

              • 4. Re: How to disable alarm about enabled shell access...
                vlho Hot Shot

                Hi nkrishnan,

                 

                please read my messages again.

                It was not question, it was solution to: How to disable alarm...

                Maybe for you.

                 

                Thanks.

                • 6. Re: How to disable alarm about enabled shell access...
                  RParker Guru

                  That only works for vSphere 5.  I tried to find this a few months back, and I *KNOW* this option was not there before.  So this definately a NEW feature, 4.1 can't turn them off.

                  • 7. Re: How to disable alarm about enabled shell access...
                    DSTAVERT Guru User Moderators

                    Do understand that the alert is intended as a safety feature. SInce SSH and console access increases ESXi host vulnerability having the Alarm notification visible makes admins aware of that increased vulnerability. Many, many orgainzations do not allow unrestricted console or shell access.

                    • 8. Re: How to disable alarm about enabled shell access...
                      RParker Guru

                      DSTAVERT wrote:

                       

                      Do understand that the alert is intended as a safety feature. SInce SSH and console access increases ESXi host vulnerability having the Alarm notification visible makes admins aware of that increased vulnerability. Many, many orgainzations do not allow unrestricted console or shell access.

                       

                      agree with the whole security implementation.. but in ESX 4.1 having console is basically the same vulnerability, and now that ESXi is going to be the future, simply enabling the console feature results in annoying reminders.. so basically we want to maintain the same consistent access without the nuiscance reminders.. So I feel for people that need this funtionality.

                       

                      I ended up turning it off (SSH console access), because it's been a problem that it reminds you each time, therefore we need a way to supress them.. even if we are leaving our selves open, it should still be possible to at least turn the reminders off.. I am glad they have implemented this ability in 5.0, becuase it has been a REAL annoyance.

                      • 9. Re: How to disable alarm about enabled shell access...
                        DSTAVERT Guru User Moderators

                        I too intend to disable the alert since I answer only to myself and I have the management network isolated behind it's own router/firewall with VPN only access.

                         

                        I do believe though that since it is far easier in vSphere 5 to enable access and to only enable it for a specified interval it that the vast majority of users would be ill advised to summarily disable those alerts. Considering that most corporations have security and auditing policies it may have been better to have made disabling the alert a little more difficult.

                        • 10. Re: How to disable alarm about enabled shell access...
                          Dracolith Enthusiast

                          DSTAVERT wrote:

                          I do believe though that since it is far easier in vSphere 5 to enable access and to only enable it for a specified interval it that the vast majority of users would be ill advised to summarily disable those alerts. Considering that most corporations have security and auditing policies it may have been better to have made disabling the alert a little more difficult.

                          I consider it an issue to have it disabled. SSH access utilizes a separate daemon, and often works,  even when management services failed.

                          And vSphere5 has brought us the ESXi firewall, which allows us to enable remote shell and still  heavily restrict access to actually connect to it,

                          as long as we are careful about Layer3 and Layer2 network security in our environment..

                           

                          Here's why it's such a big issue to not have the 'ESXi shell'  always on as backup:

                          the functionality exists as a troubleshooting option to help solve certain problems.

                          Given its utility, ease, and convenience for that function,  compared to all the cumbersome

                          or inconvenient alternatives VMware has offered, it's silly/arbitrary to not have that option.

                           

                          There are reasons SSH and the command line interface of Linux systems are so popular.

                          Whether VMware acknowledges it or not,  the availability of a ESXi shell, a command line interface

                          _directly_ via SSH/console on the hosts is a huge selling point over Hyper-V  (IMO).

                           

                          I just wish they'd add  serial port access to  the ESXi shell.

                          One of the types of problems that can frequently arise is the normal management agents can fail,   for example,  the  daemon

                          that allows you to connect with the  vSphere client and the vSphere API can fail.

                           

                          As experience has shown with vSphere4,  this was probably the number 1  most common issue I had with ESXi,

                          and the most common reason for me to ever need connect via  troubleshooting console was to restart the management services,

                          or fix  the vSwitch  so that networking would start functioning again.

                           

                          Often even the console DCUI would be inoperative or unavailable for one reason or another (probably some sort of host resource consumption thing)

                           

                          Rebooting the host is certainly not desirable,  nor is trying to get  someone access to the server room, pray DCUI is working,

                          and hope the remote hands can follow directions properly.