
Virtual Geek

Tales from real IT system administrators world and non-production environment

VMWARE SECURITY BEST PRACTICES: POWERCLI ENABLE OR DISABLE ESXI SSH

July 25, 2017 09:14AM

Logging in over SSH is required in some common troubleshooting and information-gathering scenarios: checking logs, telnet, ping, esxtop and so on. Although the title of this post mentions PowerCLI, I am showing all the ways to enable the SSH service on ESXi, including the GUI. By default the SSH server service is disabled on ESXi, and VMware recommends keeping it that way as a security best practice; for more on ESXi hardening, follow the official hardening guides. Whenever you need to log in to ESXi directly through SSH (PuTTY), the service (daemon) can be enabled using one of the following methods. The first is the VMware Web Client.

Select the ESXi server, go to the Configure tab on the right side, expand System and click Security Profile. All the available services are listed here, and SSH is stopped. Press the Edit button.

[Screenshot: vSphere Web Client, ESXi host, Configure, Security Profile, Services, Edit; SSH server and client]

In Edit Security Profile, select SSH, the daemon's service name, from the list. Below it, expand Service Details and under Status click the Start button; the status changes to Running. The screenshot below was taken after starting the service. The same procedure is used to stop it. Three startup policies exist:

Start and stop with host: if the service is running, it starts automatically once the host is restarted. Likewise, if the service is stopped it stays stopped; the service status persists across an ESXi reboot.
Start and stop manually: this is self-explanatory. The service has to be started or stopped by hand, and once ESXi is rebooted the service is stopped.
Start and stop with port usage: the service starts automatically if any of its ports are open and stops when all of its ports are closed.

[Screenshot: Edit Security Profile, SSH daemon stopped/running, startup policy "Start and stop manually"]

Port status can be checked within the ESXi firewall itself; make sure SSH port 22 is open (it is open by default). If you still cannot connect with PuTTY, also check any physical firewall in the path. Under Secure Shell there are two options, SSH Server and SSH Client. SSH Server is the ESXi daemon you connect to; SSH Client is what lets you connect onward to remote servers once you are logged on to ESXi.

[Screenshot: vCenter Web Client, ESXi host, Configure, Security Profile, Firewall, Edit; SSH Server port 22, allow connections from any IP]

Next, open PuTTY, log in to the server and test the connection.

[Screenshot: PuTTY session to the ESXi host, accepting the server's RSA2 host key, login as root]


In this next part I am using VMware PowerCLI to start and stop the SSH server. For configuring and installing PowerCLI, see my previous article VMWARE VSPHERE POWERCLI INSTALLATION AND CONFIGURATION STEP BY STEP.

Once logged on to vCenter or ESXi successfully, I check the status of the TSM-SSH service on the ESXi server. In my case it is not running and the Running property shows False.
Get-VMHostService -VMHost esxi001.vcloud-lab.com | Where-Object {$_.Key -eq 'TSM-SSH'}

To start it, use this PowerCLI one-liner.
Get-VMHostService -VMHost esxi001.vcloud-lab.com | Where-Object {$_.Key -eq 'TSM-SSH'} | Start-VMHostService -Confirm:$false

[Screenshot: PowerCLI output of Get-VMHostService filtered on TSM-SSH, showing Key, Running and Policy columns, and Stop-VMHostService]

[Screenshot: PowerShell $PROFILE path (Microsoft.PowerShell_profile.ps1) and $env:PSModulePath -split output]

It is my daily task to log in to ESXi for troubleshooting or gathering information, and I don't want to type the long one-liners above each time. Instead I created the functions below and copied them into my PowerShell profile. Profiles are startup scripts: whenever you open a new PowerShell console, it executes the profile script and keeps the resulting definitions in the console session. Run $PROFILE to find the profile file path. For the ISE this path is different.

function Start-SSHService {
  #####################################
  ## http://vcloud-lab.com
  ## Version: 1
  ## Tested this script successfully on
  ## 1) PowerShell v3
  ## 2) Windows 7
  ## 3) vSphere 5.5 (vCenter, ESXi, PowerCLI)
  #####################################
  [CmdletBinding()]
  Param (
    # ESXi host name; also binds from a piped object's Name property
    [Parameter(Mandatory=$true, ValueFromPipelineByPropertyName=$true, Position=0)]
    [ValidateNotNullOrEmpty()]
    [Alias("Name")]
    [string]$VMHost
  )
  begin {}
  Process {
    # List every host service and pick the SSH daemon by its key
    $AllServices = Get-VMHostService -VMHost $VMHost
    $SSHService  = $AllServices | Where-Object {$_.Key -eq 'TSM-SSH'}
    if ($SSHService.Running -eq $false) {
      # Start it without the interactive confirmation prompt
      $SSHService | Start-VMHostService -Confirm:$false
    }
    else {
      Write-Host -BackgroundColor DarkGreen -Object "SSH service on $VMHost is already running"
    }
  }
  end {}
}

function Stop-SSHService {
  #####################################
  ## http://vcloud-lab.com
  ## Version: 1
  ## Tested this script successfully on
  ## 1) PowerShell v3
  ## 2) Windows 7
  ## 3) vSphere 5.5 (vCenter, ESXi, PowerCLI)
  #####################################
  [CmdletBinding()]
  Param (
    # ESXi host name; also binds from a piped object's Name property
    [Parameter(Mandatory=$true, ValueFromPipelineByPropertyName=$true, Position=0)]
    [ValidateNotNullOrEmpty()]
    [Alias("Name")]
    [string]$VMHost
  )
  begin {}
  Process {
    # List every host service and pick the SSH daemon by its key
    $AllServices = Get-VMHostService -VMHost $VMHost
    $SSHService  = $AllServices | Where-Object {$_.Key -eq 'TSM-SSH'}
    if ($SSHService.Running -eq $true) {
      # Stop it without the interactive confirmation prompt
      $SSHService | Stop-VMHostService -Confirm:$false
    }
    else {
      Write-Host -BackgroundColor DarkGreen -Object "SSH service on $VMHost is already stopped"
    }
  }
  end {}
}

Once the profile has been loaded in a newly opened PowerShell console, I can simply run the shorter one-liners below to do the job.
Start-SSHService -VMHost Esxi001.vcloud-lab.com               #To start service
Stop-SSHService  -VMHost Esxi001.vcloud-lab.com               #To stop service
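The functions above only toggle the daemon. As an added example (my own code, not from the original post), the following PowerCLI functions tie together the three startup policies listed earlier, the firewall check, and the TSM-SSH one-liners: Get-SSHExposure reports, for each host, whether TSM-SSH is running, its startup policy and whether the "SSH Server" firewall rule is enabled, and Set-SSHCompliant returns hosts to the default described in this post (SSH stopped, policy "Start and stop manually"). It assumes an existing Connect-VIServer session, that the service key TSM-SSH and the firewall exception name "SSH Server" carry their stock ESXi names, and that the Policy property reports the three startup policies as on (with host), off (manually) and automatic (with port usage); verify those values in your own PowerCLI version.

```powershell
# Added example, not part of the original post. Assumes Connect-VIServer has
# already been run, and that 'TSM-SSH' and 'SSH Server' are the stock names.

function Get-SSHExposure {
    # Report the SSH daemon state, its startup policy and the firewall rule
    # for each ESXi host, plus a Compliant flag for the "SSH off" default.
    [CmdletBinding()]
    Param (
        # Host name(s) or VMHost object(s); defaults to every host in the inventory
        [Parameter(ValueFromPipeline=$true, Position=0)]
        $VMHost = (Get-VMHost)
    )
    Process {
        foreach ($h in $VMHost) {
            $name = if ($h -is [string]) { $h } else { $h.Name }
            $ssh  = Get-VMHostService -VMHost $h | Where-Object { $_.Key -eq 'TSM-SSH' }
            $rule = Get-VMHostFirewallException -VMHost $h -Name 'SSH Server'
            [PSCustomObject]@{
                VMHost          = $name
                SSHRunning      = $ssh.Running
                # Assumed values: on = with host, off = manually, automatic = with port usage
                StartupPolicy   = $ssh.Policy
                FirewallEnabled = $rule.Enabled
                # Default posture: daemon stopped and not started again at boot
                Compliant       = (-not $ssh.Running) -and ($ssh.Policy -eq 'off')
            }
        }
    }
}

function Set-SSHCompliant {
    # Stop TSM-SSH and set its startup policy to 'off' (start and stop manually).
    # Supports -WhatIf so the change can be previewed before it is applied.
    [CmdletBinding(SupportsShouldProcess=$true)]
    Param (
        [Parameter(Mandatory=$true, ValueFromPipeline=$true, Position=0)]
        $VMHost
    )
    Process {
        foreach ($h in $VMHost) {
            $name = if ($h -is [string]) { $h } else { $h.Name }
            $ssh  = Get-VMHostService -VMHost $h | Where-Object { $_.Key -eq 'TSM-SSH' }
            if ($ssh.Running -and $PSCmdlet.ShouldProcess($name, 'Stop TSM-SSH')) {
                $ssh | Stop-VMHostService -Confirm:$false | Out-Null
            }
            if ($ssh.Policy -ne 'off' -and
                $PSCmdlet.ShouldProcess($name, 'Set TSM-SSH startup policy to off')) {
                $ssh | Set-VMHostService -Policy Off -Confirm:$false | Out-Null
            }
        }
    }
}

# Usage:
#   Get-SSHExposure | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
#   Get-VMHost | Set-SSHCompliant -WhatIf    # preview; drop -WhatIf to apply
```

Running Get-SSHExposure at the end of a troubleshooting session is a quick way to catch a host where SSH was started from the DCUI or the Web Client and never stopped, or where the startup policy was changed to "Start and stop with host" so that the daemon quietly survives reboots.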


This is the third technique you can use to enable or disable the SSH service, as well as the ESXi Shell. Log in to the DCUI (Direct Console User Interface); this is accessible when you are physically in front of the server or through a remote console such as a Dell DRAC. Press F2 to log in.

[Screenshot: ESXi DCUI, F2 login prompt asking for login name and password]

Scroll to Troubleshooting Options, go to Enable SSH and press Enter to toggle it; it will enable or disable SSH according to the current state.

[Screenshot: ESXi DCUI, Troubleshooting Options, Enable/Disable SSH and Enable ESXi Shell]
