Enable SSH on ESXi Hosts in VCF
Article ID: 312060
Updated On:
Products
VMware Cloud Foundation
Issue/Introduction
Starting from VCF 4.4, the SSH is disabled on all the ESXi hosts to reduce the security risk. However, if there is an external SSH dependency on ESXi hosts, the following steps can enable SSH on ESXi hosts.
Symptoms:
ssh: connect to host 10.0.0.100 port 22: Connection refused
Environment
VMware Cloud Foundation 4.x
VMware Cloud Foundation 4.4
VMware Cloud Foundation 4.4
Cause
The SSH is disabled on ESXi hosts during different workflows like bring up, host commission, adding a host to a cluster, creating a cluster, creating VI domain, upgrade etc.
Resolution
If the SSH needs to be enabled for all the hosts for all the domains, then run the below command in the SDDC Manager as root:
To enable SSH for all the hosts for a specific domain (e.g. domain1):
To enable SSH for a specific host:
Workaround:
For Bringup, login as root user in the cloud builder VM and replace:
For any other workflows, login as vcf user in the SDDC Manager VM and create or update the file named /home/vcf/feature.properties containing "feature.vcf.esxi.ssh.disable=false" E.g.:
Then login to SDDC manager as root user and restart all the services:
/opt/vmware/sddc-support/sos --enable-ssh-esxi --domain-name ALL
To enable SSH for all the hosts for a specific domain (e.g. domain1):
/opt/vmware/sddc-support/sos --enable-ssh-esxi --domain-name domain1
To enable SSH for a specific host:
- In a web browser, log in to the ESXi host using the VMware Host Client.
- In the navigation pane, click Manage and click the Services tab.
- Select the TSM-SSH service and click Start.
Workaround:
For Bringup, login as root user in the cloud builder VM and replace:
feature.vcf.esxi.ssh.disable=true
by
feature.vcf.esxi.ssh.disable=false
in /opt/vmware/bringup/webapps/bringup-app/conf/feature.properties and restart bringup service:
systemctl restart vcf-bringup.service
by
feature.vcf.esxi.ssh.disable=false
in /opt/vmware/bringup/webapps/bringup-app/conf/feature.properties and restart bringup service:
systemctl restart vcf-bringup.service
For any other workflows, login as vcf user in the SDDC Manager VM and create or update the file named /home/vcf/feature.properties containing "feature.vcf.esxi.ssh.disable=false" E.g.:
echo 'feature.vcf.esxi.ssh.disable=false' >> /home/vcf/feature.properties
chmod a+r /home/vcf/feature.properties
chmod a+r /home/vcf/feature.properties
Then login to SDDC manager as root user and restart all the services:
/opt/vmware/vcf/operationsmanager/scripts/cli/sddcmanager_restart_services.sh
Note:
1. The above workaround doesn't work on the commissioned hosts on VCF 4.4.x.
2. The SSH needs to be manually turned on for the LCM Prechecks if the feature flag is turned off on VCF 4.4.x.
1. The above workaround doesn't work on the commissioned hosts on VCF 4.4.x.
2. The SSH needs to be manually turned on for the LCM Prechecks if the feature flag is turned off on VCF 4.4.x.
Feedback
Yes
No
Powered by
