I last blogged about how vSphere 5.1 removes the dependency on a shared root account by allowing you to assign full admin rights to non-root users (aka named users).   Today I want to talk about another nice security feature that has been added in vSphere 5.1, and that is the ability to automatically terminate idle ESXi Shell connections.

The new ESXiShellInteractiveTimeOut complements the ESXiShellTimeOut that has existed in ESXi for a while. Because the names are so similar it is easy to confuse the two, so I'll go over both settings. Both are host advanced settings under the UserVars group (UserVars.ESXiShellTimeOut and UserVars.ESXiShellInteractiveTimeOut), and both can also be set from the DCUI under Troubleshooting Options.

VMware recommends that vSphere administrators limit the use of the ESXi Shell. By default the ESXi Shell and SSH services are turned off, and if either service is ever started it should be stopped again as soon as shell access is no longer needed. However, vSphere admins are busy, and it is common for these services to be started on a host and then forgotten, leaving them running. To avoid the ESXi Shell and SSH services being inadvertently left running for long periods, VMware provides the "ESXiShellTimeOut". The ESXiShellTimeOut defines how long the services, once started, are allowed to keep running (the DCUI prompts for the value in minutes). When the timeout is reached the services are stopped automatically, so an administrator who starts the ESXi Shell or SSH service no longer has to remember to stop it. Note that the setting is 0 by default, and 0 means the timeout is disabled: until you set it, a started service stays up until someone stops it by hand.

It is important to understand that the ESXiShellTimeOut only limits the window during which the ESXi Shell and SSH services are allowed to run. Shell sessions that are established while the services are running are not affected by it. This means that if you log on to the ESXi Shell (via the DCUI or SSH), your session stays connected indefinitely even after the ESXi Shell and SSH services have been stopped; stopping the service only prevents new logins. This is where the new "ESXiShellInteractiveTimeOut" comes in.

An idle shell session left unattended is a significant security risk: it is an open, root-equivalent prompt on the hypervisor, and anyone who reaches the console or takes over the SSH connection inherits it. To prevent this, vSphere 5.1 adds the ESXiShellInteractiveTimeOut. This setting defines how long a shell session may remain inactive before it is terminated. With it in place, if you log on to the ESXi Shell and get sidetracked, leaving the session idle, the ESXiShellInteractiveTimeOut kicks in and the idle session is logged out automatically. Like the ESXiShellTimeOut, it defaults to 0 (disabled), so it only protects you once you have set a value.

So in summary: the ESXiShellTimeOut limits the window during which the ESXi Shell and SSH services are allowed to run and users are able to connect to the ESXi Shell. Once a shell session has been established, the ESXiShellInteractiveTimeOut terminates it automatically if it is left idle. The first limits how long the service is exposed, the second limits how long a session is exposed, and you want both set to a non-zero value.
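As an added example (not from the original post), the following script audits both timeouts on a host with esxcli and sets them to a 15 minute ceiling when they are disabled or too long. It assumes it is run from the ESXi Shell or over SSH where esxcli is on the PATH, and that both advanced settings store their value in seconds with 0 meaning disabled; the DCUI prompts in minutes, so check the Description line in the esxcli output for your build before trusting the unit. The esxcli output it parses when esxcli is absent is a constructed sample.

```shell
#!/bin/sh
# Added example, not from the original post: audit and enforce the two ESXi
# Shell timeouts on one host from the ESXi Shell (busybox sh compatible).
# Assumptions: esxcli is on PATH; UserVars.ESXiShellTimeOut and
# UserVars.ESXiShellInteractiveTimeOut are integers in seconds, 0 = disabled.

SHELL_TIMEOUT_OPT=/UserVars/ESXiShellTimeOut             # how long the services may stay running
IDLE_TIMEOUT_OPT=/UserVars/ESXiShellInteractiveTimeOut   # idle time before a session is logged out
MAX_ALLOWED=900                                          # policy ceiling: 15 minutes, in seconds

# Extract the "Int Value:" field from `esxcli system settings advanced list -o <opt>`
# output read on stdin, so the same parser works on live or captured output.
int_value() {
    sed -n 's/^[[:space:]]*Int Value:[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Return 0 when a timeout value is within policy, 1 when it is disabled (0),
# above MAX_ALLOWED, or not a number. Prints one line for the audit log.
check_timeout() {
    name=$1; value=$2
    case $value in
        ''|*[!0-9]*) echo "$name: unparsable value '$value'"; return 1 ;;
    esac
    if [ "$value" -eq 0 ]; then
        echo "$name: DISABLED (0)"; return 1
    elif [ "$value" -gt "$MAX_ALLOWED" ]; then
        echo "$name: ${value}s exceeds policy of ${MAX_ALLOWED}s"; return 1
    fi
    echo "$name: ${value}s OK"; return 0
}

# Read the live value, check it, and set it to MAX_ALLOWED when out of policy.
enforce() {
    opt=$1
    value=$(esxcli system settings advanced list -o "$opt" | int_value)
    if ! check_timeout "$opt" "$value"; then
        esxcli system settings advanced set -o "$opt" -i "$MAX_ALLOWED"
        echo "$opt: set to ${MAX_ALLOWED}s"
    fi
}

# Constructed sample of `esxcli system settings advanced list -o` output,
# used only for a dry run when esxcli is not available (e.g. on a workstation).
SAMPLE_OUTPUT='   Path: /UserVars/ESXiShellTimeOut
   Type: integer
   Int Value: 0
   Default Int Value: 0
   Min Value: 0
   Max Value: 86400
   String Value:
   Default String Value:
   Valid Characters:
   Description: (constructed sample)'

if command -v esxcli >/dev/null 2>&1; then
    enforce "$SHELL_TIMEOUT_OPT"
    enforce "$IDLE_TIMEOUT_OPT"
else
    echo "esxcli not found, dry run against constructed sample:" >&2
    check_timeout "$SHELL_TIMEOUT_OPT" "$(printf '%s\n' "$SAMPLE_OUTPUT" | int_value)" || true
fi
```

The check deliberately treats 0 as a failure rather than as "no limit configured": on these hosts 0 is the default, so a fleet that has never been touched fails the audit everywhere, which is the finding you want. Run it once per host, or wrap the two esxcli calls in your configuration management tool of choice to apply the same policy across a cluster.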

Good stuff…