ssh2 6 ways.docx
7/25/2019 ssh2 6 ways.docx
6 ways to enable SSH on an ESXi host
Posted on 18/01/2011 by Remon Lam

UPDATE: Big thanks to Eric Sloof, Arne Fokkema, Alan Renouf and William Lam. They have pointed me at three additional ways to turn on SSH; I have added them to this post to make it even more complete, thanks guys!!!
Yeah I know, there are many blog posts out there that describe how to enable SSH on an ESXi host, so why write another one? Well, actually I have two reasons for it: first, there are several ways to enable SSH, and secondly I want to talk about the consequences when you enable SSH, because I think it needs some more attention than just showing you how to enable it.

So I decided to dig a little bit further into this matter and provide you with some extra information, and hopefully some guidance on whether to leave SSH turned on or off, but we will get back to that subject later in this post.
As most of you already know, it's possible to access an ESX (classic) host through SSH with the help of Putty or some other kind of SSH application, and log in to the Service Console.

But with the introduction of VMware ESXi this has changed a little bit: because the ESXi host doesn't have a Service Console, there's no way to log in with SSH, or is there? Luckily for us ESXi still has a so-called Busybox (a very small "Service Console", but very limited in functionality), so with some tweaks it is still possible to use SSH for accessing an ESXi host, but remember it's not the full-blown Service Console like ESX has.

Since the release of vSphere 4.1 it is possible to enable SSH, aka "Remote Tech Support", via the vSphere Client, which makes it a lot easier to enable SSH; more about this in option two.

Option 1: enable Remote Tech Support (SSH) via the DCUI

Enabling Remote Tech Support (SSH) is ideal for production systems, because you can enable it and leave it turned on for an x amount of time, and after the timeout SSH is disabled automatically, so the system is secure again. One small drawback is that you need to have either physical console access or iLO, DRAC or some other remote console access.

If you're running vSphere 4.1 you can also enable this via the vSphere Client, see option two for more details.

Once you have direct console access to the DCUI of the ESXi server you're able to enable Remote Tech Support (SSH) on the ESXi host, but first you need to log in with the right credentials; in most cases this will be the root account.

You will find the Remote Tech Support option under the Troubleshooting Options.

Select Enable Remote Tech Support (SSH) to enable the SSH service. Be patient, because it will take some time to enable it; if you press Enter twice you will disable Remote Tech Support ;)

After a few seconds Remote Tech Support should be enabled; if not, press the Enter key one more time until you see a screen as shown above. Sometimes it can be hard to enable it through the DCUI, especially when using iLO, but maybe that's because I'm not patient enough ;)

To set a timeout for how long the SSH service stays turned on, select Modify Tech Support Timeout and hit Enter to continue. This option is not required, but it can be useful to provide someone access to the ESXi host for just a few minutes/hours. I recommend you always set this timeout on production systems, because then you can't forget to turn it off again.

Enter any value between 0 (zero) and 1440 minutes (one day), where zero disables the SSH timeout and 1440 is the maximum, and press Enter to activate it.

To test if it's working, you can use Putty to connect to the ESXi host.

Once you've enabled the Remote Tech Support feature you will receive a message within the vSphere Client (both if you're directly connected to an ESXi host or through the vCenter Server) indicating that Remote Tech Support Mode is enabled. Personally I like this notification, because it will remind you that SSH is still enabled, so you can't forget to turn it off ;)

Once you're logged in, select the ESXi host on which you want to enable SSH, and click on the Configuration tab. In the Software screen click on Security Profile. In the Services field click on Properties.

Select the service Remote Tech Support (SSH) and click on Options.

Click on Start to enable the Remote Tech Support (SSH) service, you can leave the Start

Once you have enabled the Remote Tech Support Mode you will receive a message on the ESXi host that the service is enabled.

One (small) drawback of this method is that it isn't possible to set a timeout on the SSH service directly within the Services screen; to enable the timeout you need to go to Software / Advanced Settings.

Select UserVars and enter the required timeout value in UserVars.TSMTimeOut (note: the timeout is in seconds; in my example I have configured a timeout of 3 minutes = 180 seconds), then click on OK to enable the timeout feature.

Option

This is a more old-school way of turning on the SSH service; if I remember correctly this procedure has been more or less the same since VMware ESXi 3, but correct me if I'm wrong here.

Unfortunately, to get this working you need to have direct console access, or use iLO or DRAC to open the console on the ESXi host.

One other (big) drawback is that you won't know if the SSH service is enabled or not: unlike the two other ways, there's no warning message in vCenter that will let you know that SSH is enabled. So in my opinion this is not a great way to turn on SSH on production ESXi hosts, but it could be useful, for example, in labs where you want to have quick access to the ESXi host.

Once you have access to the console, press ALT + F1 to access the console (Busybox), and log in with the root credentials.

If you receive a message like the one above, you need to enable Local Tech Support; by default this is turned off, so you need to turn it on before you can access the console of the Busybox.

Press ALT + F2 to get back to the ESXi DCUI console (the yellow

Select Enable Local Tech Support in the menu and hit Enter to enable this function. It could take some time before the service is enabled, so be patient, otherwise you disable the function ;)

Now that you have enabled Local Tech Support, let's get back to the console of the Busybox by pressing the ALT + F1 keys.

Log in with the root account.

Edit the inetd.conf file located in /etc/inetd.conf; in this example I use the VI editor.

Once the file is opened in the VI editor, press the Insert key to edit the inetd.conf file.

Depending on whether you use IPv4 or IPv6 you need to edit the correct line; for IPv4 you need to edit the #ssh line and remove the # to enable the ssh service in the configuration file. Press Esc and exit with the command :wq

The SSH service will only start once inetd has read its changed configuration file; this can be done by rebooting the ESXi host, or even better by restarting the inetd process. To do so we first need the process ID of inetd, which you get by executing the following command:

ps | grep inetd

You will receive a number which is the process ID of inetd; in my case the process ID is 4860.

To restart the inetd process (it re-reads its configuration file on a hangup signal), execute the command:

kill -HUP 4860

(where 4860 is the process ID of inetd).
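
Because this method raises no warning in vCenter, it helps to be able to read the state straight from the file. The following is an added example, not part of the original post: it reports which ssh entries of an inetd.conf-style file are active and performs the same "remove the #" edit for one protocol. The sample file content and the function names `ssh_state`, `enable_ssh` and `demo` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. SAMPLE_INETD is constructed for illustration; the real
# /etc/inetd.conf on an ESXi host has more entries and other arguments.
SAMPLE_INETD='# Remote shell access
#ssh    stream  tcp   nowait  root  /sbin/dropbearmulti  dropbear -i
#ssh    stream  tcp6  nowait  root  /sbin/dropbearmulti  dropbear -i
authd   stream  tcp   nowait  root  /sbin/authd          authd'

# ssh_state FILE: print "<proto> enabled|disabled" for every ssh entry.
ssh_state() {
    awk '{
        line = $0
        commented = (line ~ /^[ \t]*#/)
        sub(/^[ \t]*#?[ \t]*/, "", line)      # drop one leading "#" if present
        n = split(line, f, /[ \t]+/)
        if (n >= 3 && f[1] == "ssh" && f[2] == "stream")
            print f[3], (commented ? "disabled" : "enabled")
    }' "$1"
}

# enable_ssh FILE PROTO: uncomment only the ssh line for PROTO (tcp or tcp6).
# The trailing whitespace match keeps "tcp" from also matching "tcp6".
enable_ssh() {
    sed "s/^#\(ssh[[:space:]][[:space:]]*stream[[:space:]][[:space:]]*$2[[:space:]]\)/\1/" \
        "$1" > "$1.new" && mv "$1.new" "$1"
}

# demo: apply the IPv4 edit to a scratch copy and report the result.
# On the host itself inetd still has to re-read the file (kill -HUP <pid>).
demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_INETD" > "$tmp"
    enable_ssh "$tmp" tcp
    ssh_state "$tmp" | tr '\n' ';'
    rm -f "$tmp"
}

demo; echo
```

Running `ssh_state /etc/inetd.conf` on a host shows at a glance whether an uncommented ssh line was left behind after the work was done.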

If everything is working fine you should be able to access the ESXi host via SSH; as in the example above, I accessed the ESXi host via Putty and I'm able to log in with the root account. Don't forget to disable it once your work has been done ;)

To enable it you can execute this line of code:

Get-VMHost | Foreach { Start-VMHostService -HostService ($_ | Get-VMHostService | Where { $_.Key -eq "TSM-SSH"} ) }

As you can see above, the service is now started.

Option 5: Enable SSH with help of a Perl script

Also a big thanks to William Lam over at VirtuallyGhetto.com; he has written a very cool Perl script to enable services on one or multiple ESXi hosts, which can be run from the vSphere CLI or the vMA.

As mentioned above, this script can be run from the vMA or the vSphere CLI; in this example I run it locally from my notebook through the vSphere CLI, but it works the same on the vMA.

Start the vSphere CLI and browse to the folder which contains the hostServiceManagement.pl script (the script can be found here) and execute the following command to get an overview of the services:

hostServiceManagement.pl --server <hostname> --operation query

To enable the Remote Tech Support (SSH) service we need to use the TSM

Run the query command and you will see that the service is started correctly. I recommend you read William's blog post about this, because you can also do this on multiple ESXi hosts, which can be very handy in large environments.

Option 6: Enable SSH within the kickstart script

William Lam also pointed me at another way to turn on SSH during the installation, by adding a command line to the kickstart script.

This could be useful if you want to configure or check some items on the host just before you take it into production, but remember to disable it once it's running production load.

You just need to add the following two lines to the kickstart script:

vim-cmd hostsvc/enable_remote_tsm (this will change the startup policy to "start and stop with the host"; if you don't add this line and the host reboots, you won't have SSH access anymore)
vim-cmd hostsvc/start_remote_tsm (this will start the service)
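
Since a kickstart file is reused for every host it builds, it is worth checking which of the two lines a given file actually carries before hosts go into production. The following is an added example, not part of the original post: it classifies a kickstart file by the combination of the two commands above. The sample fragment, the function names and the result labels are assumptions made for illustration; the "policy-only" case is inferred from the startup-policy description above.

```shell
#!/bin/sh
# Added example. SAMPLE_KS is a constructed kickstart fragment.
SAMPLE_KS='%firstboot --interpreter=busybox
vim-cmd hostsvc/enable_remote_tsm
# vim-cmd hostsvc/start_remote_tsm'

# ks_ssh_state FILE: classify what the kickstart does to Remote Tech Support.
#   persistent    startup policy changed and service started
#   until-reboot  started only, SSH access is gone after the next reboot
#   policy-only   startup policy changed, service not started by the script
#   off           neither command present
ks_ssh_state() {
    awk '
        /^[ \t]*#/ { next }                               # ignore commented-out lines
        /vim-cmd[ \t]+hostsvc\/enable_remote_tsm/ { en = 1 }
        /vim-cmd[ \t]+hostsvc\/start_remote_tsm/  { st = 1 }
        END {
            if (en && st) print "persistent"
            else if (st)  print "until-reboot"
            else if (en)  print "policy-only"
            else          print "off"
        }' "$1"
}

# ks_demo: classify the constructed sample (its start line is commented out).
ks_demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_KS" > "$tmp"
    ks_ssh_state "$tmp"
    rm -f "$tmp"
}

ks_demo
```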

One last note: I see an ESXi host more like an appliance, so I don't want to have any unnecessary ports open on the host itself, because each open port is a potential security risk. That's why I recommend not enabling SSH on production ESXi hosts, just for security reasons. In a lab environment, where security is not always a big issue, you can enable SSH to get quick access to the host, or to check or test things out.

Personally I'm moving more and more over to the vMA (vSphere Management Assistant), which is a nice little appliance that's capable of doing everything that you could do on the ESXi console and even more. The vMA is somewhat like a "distributed" service console (dSC = Distributed Service Console, I wonder when VMware will use that term ;)