Kyle Gleed, Sr. Technical Marketing Architect, VMware
I recently spent some time in my lab applying all the security recommendations outlined in the 5.0 Hardening Guide and while doing this I was very surprised to discover that the ESXiShellTimeOut setting doesn’t work as expected.
To quote from the vSphere 5.0 Security Guide:
“The [ESXiShellTimeOut] setting is the number of minutes that can elapse before you must log in after the ESXi Shell is enabled. After the timeout period, if you have not logged in, the shell is disabled. If you are logged in when the timeout period elapses, your session will persist. However, the ESXi Shell will be disabled, preventing other users from logging in.”
So in theory, if I set ESXiShellTimeOut = 1, then one minute after I start the ESXi Shell service it should automatically be stopped (disabled). However, when I set ESXiShellTimeOut = 1 and start the “ESXi Shell” service from the vSphere Client, nothing happens. The ESXi Shell stays running indefinitely.
Digging into this, what I found is that when I start/restart the ESXi Shell using the vSphere Client it seems to ignore the ESXiShellTimeOut and the service stays running indefinitely. However, when I start/restart the ESXi Shell from the shell command line (/etc/init.d/ESXShell restart) it does honor the ESXiShellTimeOut and the service does get stopped (disabled) after one minute.
I’ve filed a bug on this, so hopefully it will get fixed soon. In the meantime, if you rely on the ESXiShellTimeOut to automatically stop the ESXi Shell service for you, the best I can suggest is that any time you enable the ESXi Shell, take an extra step to log in and do a quick restart from the command line to make sure the ESXiShellTimeOut will go into effect.
BTW, the ESXiShellTimeOut works the same way for the SSH service (to restart SSH from the command line run /etc/init.d/SSH restart), with one notable exception. With the ESXi Shell, stopping the service does not affect existing sessions; it only prevents new sessions. With SSH, however, when the timeout stops the service it also disables the firewall rule, causing any existing SSH session to hang and eventually time out.
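Because a shell started from the vSphere Client can stay running past the timeout, it is worth auditing hosts for the setting and for shell or SSH services that are still up. The PowerCLI script below is an added example written for this post, not code from the original article or from VMware; it assumes a PowerCLI session, uses the service keys TSM (ESXi Shell) and TSM-SSH (SSH), and the vCenter hostname is a placeholder.

```powershell
# Added example (not from the original post): audit UserVars.ESXiShellTimeOut
# and report ESXi Shell / SSH services that are still running on each host.
# Assumes an existing PowerCLI install; the vCenter name is a placeholder.
Connect-VIServer -Server "vcenter.example.test"

# Timeout in minutes, as used in the post; adjust to your hardening baseline.
$ExpectedTimeout = 1

foreach ($vmhost in Get-VMHost) {
    $timeout  = Get-AdvancedSetting -Entity $vmhost -Name "UserVars.ESXiShellTimeOut"
    $services = Get-VMHostService -VMHost $vmhost
    $shell    = $services | Where-Object { $_.Key -eq "TSM" }
    $ssh      = $services | Where-Object { $_.Key -eq "TSM-SSH" }

    if ([int]$timeout.Value -ne $ExpectedTimeout) {
        Write-Warning "$($vmhost.Name): ESXiShellTimeOut is $($timeout.Value), expected $ExpectedTimeout"
        # Uncomment to enforce the baseline value on the host:
        # Set-AdvancedSetting -AdvancedSetting $timeout -Value $ExpectedTimeout -Confirm:$false
    }

    # A shell or SSH service that is still running is the symptom described
    # in the post: a service started from the vSphere Client is not stopped
    # by the timeout until it has been restarted from the command line.
    foreach ($svc in @($shell, $ssh)) {
        if ($svc.Running) {
            Write-Warning "$($vmhost.Name): '$($svc.Label)' is running; restart it from the host command line so the timeout applies, or stop it"
            # Uncomment to stop the service outright:
            # Stop-VMHostService -HostService $svc -Confirm:$false
        }
    }
}
```

Run this on a schedule shorter than the expected timeout plus a few minutes; any host that repeatedly reports a running ESXi Shell or SSH service after the timeout window has passed is one where the service was started through the client path the post describes.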
Get notified on future posts by following me on twitter @VMwareESXi