VMware vSphere

  • 1.  technical advice required on ESXiShellInteractiveTimeOut security setting

    Posted Sep 12, 2017 04:34 AM

    Hi Team,

    I need technical and expert advice here.

    I saw there is a new security feature recommended since VMware vSphere 5.5, which is the possibility to "create Timeout for Idle ESXi Shell Sessions" by going to the UserVars.ESXiShellInteractiveTimeOut field and entering the availability timeout setting.

    This helps increase security: if a user logs in to the ESXi Shell on a host via PuTTY but forgets to log out of the session, the idle session remains connected continuously.

    The open connection can increase the potential for unauthorized access.

    But my engineering team has rejected my idea on this. The reason they gave is that sometimes administrators use SSH (using PuTTY) sessions to copy data (VMs, memory dumps), etc.

    They said that during this activity no keystrokes are being sent to the session, and therefore the session will be terminated, which causes the process running behind it to be interrupted and stopped.

    Is it true that a background process such as copying data will be terminated due to the exit of the PuTTY/ESXi Shell session after the session times out? I thought it is independent?

    I hope to get an expert explanation and confirmation on this area.

    Your help is much appreciated.

    https://pubs.vmware.com/vsphere-51/index.jsp?topic=%2Fcom.vmware.vsphere.security.doc%2FGUID-A1D310D7-F00B-4827-9469-EC2C318A0C30.html



  • 2.  RE: technical advice required on ESXiShellInteractiveTimeOut security setting

    Posted Sep 18, 2017 08:26 PM

    After talking to some of the team here, the SSH timeout at this time will close sessions at the set time regardless of activity.



  • 3.  RE: technical advice required on ESXiShellInteractiveTimeOut security setting

    Posted Sep 19, 2017 03:56 AM

    Your background process, such as copying data, and other processes will not be terminated. Only the user logon session will be disconnected.



  • 4.  RE: technical advice required on ESXiShellInteractiveTimeOut security setting

    Posted Sep 19, 2017 07:14 AM

    The ESXi Shell timeout setting specifies how long you can leave an unused session open. By default, the timeout for the ESXi Shell is 0, which means the session remains open even if it is unused. If you change the timeout, for example, to 30 minutes, you have to log in again after the timeout period has elapsed.

    The unit of measurement for the timeout is seconds in the ESXi Shell and minutes in the vSphere Client.

    Note: If you are logged in when the timeout period elapses, your session will persist. However, the ESXi Shell will be disabled, preventing other users from logging in.
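
A way to audit the setting discussed in this thread, as an added example that is not from any of the posters or from VMware: the script parses the output of `esxcli system settings advanced list` for `/UserVars/ESXiShellInteractiveTimeOut` and flags a host where the idle timeout is still 0 or longer than a policy limit. The 900-second limit, the function names and the sample output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the ESXi Shell idle timeout from esxcli output.
# The 900 s limit is an assumed policy threshold, not a value from the thread.

# Constructed sample of what
#   esxcli system settings advanced list -o /UserVars/ESXiShellInteractiveTimeOut
# prints on a host still at the default (0 = idle sessions never time out).
sample_output() {
cat <<'EOF'
   Path: /UserVars/ESXiShellInteractiveTimeOut
   Type: integer
   Int Value: 0
   Default Int Value: 0
   Min Value: 0
   Max Value: 86400
EOF
}

# Print the configured value: the "Int Value:" line, not "Default Int Value:".
current_value() {
    awk -F': *' '/^[ \t]*Int Value:/ { gsub(/[ \t\r]+$/, "", $2); print $2; exit }'
}

# Classify a timeout given in seconds (the unit the ESXi Shell uses).
classify_timeout() {
    value=$1
    max=${2:-900}
    case "$value" in
        ''|*[!0-9]*) echo "UNKNOWN"; return 0 ;;   # missing or non-numeric
    esac
    if [ "$value" -eq 0 ]; then
        echo "DISABLED"
    elif [ "$value" -gt "$max" ]; then
        echo "TOO_LONG"
    else
        echo "OK"
    fi
}

# Read esxcli output on stdin and print the verdict.
audit_timeout() {
    classify_timeout "$(current_value)" "${1:-900}"
}

sample_output | audit_timeout 900   # prints DISABLED for the constructed sample
```

On a host, pipe the real `esxcli system settings advanced list -o /UserVars/ESXiShellInteractiveTimeOut` output into `audit_timeout` instead of `sample_output`.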