Security auditors will treat SSH that is left permanently enabled on an ESXi host as a finding. This can be mitigated by setting timeout values and by only starting the SSH service on demand from vCenter, so that the act of enabling it is tied to a named vCenter user.
When an SSH session is needed, the service has to be started from vCenter or from the DCUI. (In the case of DCUI access, either the physical access controls of the data centre or the remote system board (iLO/DRAC etc.) provide the audit trail of who enabled it.)
There are two variables to set: UserVars.ESXiShellTimeOut and UserVars.ESXiShellInteractiveTimeOut.
These can be seen in vCenter Inventory -> host -> Configuration tab -> Software -> Advanced Settings.
In the left panel, select UserVars.
Values are in seconds, e.g. 900 = 15 mins. A value of 0 disables the timeout, so 0 is the value an auditor will look for.
Configure UserVars.ESXiShellTimeOut
This is the availability timeout: the amount of time that can elapse after SSH (or the ESXi Shell) is enabled before you must log in. Once the timeout period has passed, the service is stopped and new logins are refused. Sessions that are already open persist, but once the user logs out or the session is terminated, nobody can log in again until the service is started once more.
Configure the setting for all ESXi servers in a cluster through the following PowerCLI command (add -Confirm:$false to Set-AdvancedSetting if you do not want to be prompted once per host):
Get-AdvancedSetting -Entity (Get-Cluster <cluster> | Get-VMHost) -Name UserVars.ESXiShellTimeOut | Set-AdvancedSetting -Value 1800
Validate
Get-AdvancedSetting -Entity (Get-Cluster <cluster> | Get-VMHost) -Name UserVars.ESXiShellTimeOut | ft -autosize
UserVars.ESXiShellInteractiveTimeOut
The idle timeout is the amount of time an interactive session (SSH or ESXi Shell) can sit idle before the user is logged out of it.
Configure the setting for all ESXi servers in a cluster through the following PowerCLI command:
Get-AdvancedSetting -Entity (Get-Cluster <cluster> | Get-VMHost) -Name UserVars.ESXiShellInteractiveTimeOut | Set-AdvancedSetting -Value 1800
Validate
Get-AdvancedSetting -Entity (Get-Cluster <cluster> | Get-VMHost) -Name UserVars.ESXiShellInteractiveTimeOut | ft -autosize
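The two one-liners above are fine interactively, but for a repeatable check the following script (an added example written for this post, not code from the original or from VMware) sets both timeouts on every host in a cluster, skips hosts that are already compliant, and then reports every host and setting that still deviates, which is the list an auditor will ask for. It also reports any host where the SSH service is running or set to start with the host, since that undermines the "enable on demand" control. It assumes the VMware.PowerCLI module is installed and that Connect-VIServer has already been run; the cluster name 'Prod-Cluster' is a placeholder.

```powershell
# Added example: enforce and audit the two ESXi Shell timeouts across a cluster.
# Assumes VMware.PowerCLI is installed and Connect-VIServer has already been run.
# 'Prod-Cluster' is a placeholder cluster name.

$ClusterName = 'Prod-Cluster'

# Target values in seconds (1800 = 30 minutes, as in the post). 0 would disable the timeout.
$Targets = @{
    'UserVars.ESXiShellTimeOut'            = 1800   # availability timeout: window to log in after enabling
    'UserVars.ESXiShellInteractiveTimeOut' = 1800   # idle timeout: idle interactive sessions are logged out
}

$Hosts = Get-Cluster -Name $ClusterName | Get-VMHost

# Remediation pass: only touch hosts whose current value differs from the target.
# -Confirm:$false avoids one confirmation prompt per host.
foreach ($Name in $Targets.Keys) {
    $Wanted = $Targets[$Name]
    Get-AdvancedSetting -Entity $Hosts -Name $Name |
        Where-Object { [int]$_.Value -ne $Wanted } |
        Set-AdvancedSetting -Value $Wanted -Confirm:$false |
        Out-Null
}

# Validation pass: one row per host and setting, with a Compliant flag.
$Report = foreach ($Name in $Targets.Keys) {
    Get-AdvancedSetting -Entity $Hosts -Name $Name | ForEach-Object {
        [pscustomobject]@{
            Host      = $_.Entity.Name
            Setting   = $_.Name
            Value     = [int]$_.Value
            Compliant = ([int]$_.Value -eq $Targets[$_.Name])
        }
    }
}

$Report | Sort-Object Host, Setting | Format-Table -AutoSize

$NonCompliant = $Report | Where-Object { -not $_.Compliant }
foreach ($Row in $NonCompliant) {
    Write-Warning ("{0}: {1} is {2}, expected {3}" -f $Row.Host, $Row.Setting, $Row.Value, $Targets[$Row.Setting])
}

# Extra check for the "enable on demand" control: SSH (service key TSM-SSH) should be
# stopped and its startup policy 'off', i.e. started by an operator only when needed.
$SshState = foreach ($VMHost in $Hosts) {
    Get-VMHostService -VMHost $VMHost | Where-Object { $_.Key -eq 'TSM-SSH' } | ForEach-Object {
        [pscustomobject]@{
            Host    = $VMHost.Name
            Running = $_.Running
            Policy  = $_.Policy     # 'off' expected; 'on' or 'automatic' means SSH starts with the host
        }
    }
}

$SshState | Where-Object { $_.Running -or $_.Policy -ne 'off' } | ForEach-Object {
    Write-Warning ("{0}: SSH running={1}, startup policy={2}" -f $_.Host, $_.Running, $_.Policy)
}
```

Run it once to remediate and keep the two Write-Warning blocks as the scheduled audit; an empty warning list is the evidence that both timeouts are enforced and SSH is not left running across the cluster.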
How easy is that… imagine doing it by hand… save yourself a lot of clicking