In VMware vCenter Server 8.x, API calls to enable SSH access that previously succeeded in vCenter Server 7.x now return authentication errors (401 Unauthorized or 403 Forbidden).
VMware vCenter Server Appliance (VCSA) 8.0.x
Between vCenter Server 7.x and 8.x, the required privilege to enable SSH programmatically was changed:
vCenter 7.x: SSH enablement API required the ModifyConfiguration privilege.
vCenter 8.x: SSH enablement API now requires the ModifyLocalConf privilege, which is granted only to users in the SystemConfiguration.BashShellAdministrators group.
Because the default root or [email protected] user is not automatically a member of this group in 8.x, API calls are denied unless the invoking user has been granted the new privilege.
Add Your User to BashShellAdministrators
Log in to the vSphere Client as a user with SSO administrative privileges (e.g., [email protected]).
Navigate to Administration > Single Sign On > Users and Groups.
Select the SystemConfiguration.BashShellAdministrators group under the Builtin domain.
Click Add Member and include the user or group that runs your automation (for example, root or [email protected]).
Verify Membership
Confirm the user appears in the BashShellAdministrators group membership list.
Retry SSH Enablement API Call
Use one of the following examples (replace <vcsa>, <user>, and <pass> with your values):
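PowerShell (vAPI)
# Authenticate and get a vAPI session (HTTP Basic credentials in the Authorization header)
$basic = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes('<user>:<pass>'))
$token = Invoke-RestMethod -Method Post -Uri 'https://<vcsa>/api/session' `
  -Headers @{ Authorization = "Basic $basic" } -ErrorAction Stop
# /api/session returns the session ID as a bare JSON string, so $token is used directly
# Enable SSH (the body must be sent as JSON)
Invoke-RestMethod -Method Put `
  -Uri 'https://<vcsa>/api/appliance/access/ssh' `
  -Headers @{ "vmware-api-session-id" = $token } `
  -ContentType 'application/json' `
  -Body (@{ enabled = $true } | ConvertTo-Json) `
  -ErrorAction Stop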
curl (REST)
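# Create session (-k skips TLS certificate verification; drop it once the VCSA certificate is trusted)
# The session ID written to /tmp/session_id is a live credential; delete the file when finished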
curl -s -k -X POST -u '<user>:<pass>' https://<vcsa>/rest/com/vmware/cis/session | jq -r .value > /tmp/session_id
# Enable SSH
curl -k -X PUT -H "vmware-api-session-id: $(cat /tmp/session_id)" \
-H "Content-Type: application/json" \
-d '{"enabled":true}' \
https://<vcsa>/rest/appliance/access/ssh
Confirm SSH Status
Verify SSH is active by querying:
# The /rest endpoint wraps its result in a "value" field
curl -k -X GET -H "vmware-api-session-id: $(cat /tmp/session_id)" \
https://<vcsa>/rest/appliance/access/ssh | jq .value
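The full sequence from the steps above (create a session, enable SSH, confirm the state), as an added shell example that is not part of the original article. It uses the /api endpoints and session header shown above; the function names and the VCSA_PASS environment variable are assumptions, and it expects curl and jq plus a VCSA certificate the host already trusts.

```sh
#!/bin/sh
# Added example, not from the original article. Function names and the
# VCSA_PASS variable are assumptions; endpoints and header are the page's.

# Interpret the HTTP status returned by PUT /api/appliance/access/ssh.
classify_put_status() {
  case "$1" in
    200|204) echo "enabled" ;;
    401|403) echo "denied: check SystemConfiguration.BashShellAdministrators membership" ;;
    *)       echo "unexpected: HTTP $1" ;;
  esac
}

# Usage: VCSA_PASS=... enable_vcsa_ssh <vcsa-fqdn> <user>
# Runs in a subshell so the session ID never leaves this function.
enable_vcsa_ssh() (
  base="https://$1"
  # No -k: the VCSA certificate must chain to a CA this host trusts.
  sid=$(curl -sS --fail -X POST -u "$2:$VCSA_PASS" "$base/api/session") || exit 1
  sid=$(printf '%s' "$sid" | jq -r .)   # /api returns the ID as a bare JSON string
  hdr="vmware-api-session-id: $sid"
  # Delete the session on every exit path, including failures below.
  trap 'curl -sS -o /dev/null -X DELETE -H "$hdr" "$base/api/session"' EXIT

  code=$(curl -sS -o /dev/null -w '%{http_code}' -X PUT -H "$hdr" \
    -H 'Content-Type: application/json' -d '{"enabled":true}' \
    "$base/api/appliance/access/ssh")
  verdict=$(classify_put_status "$code")
  [ "$verdict" = "enabled" ] || { echo "SSH enable failed ($verdict)" >&2; exit 2; }

  # Confirm the state the appliance reports rather than trusting the PUT.
  state=$(curl -sS --fail -H "$hdr" "$base/api/appliance/access/ssh") || exit 3
  [ "$state" = "true" ] || { echo "SSH still reported as: $state" >&2; exit 3; }
  echo "SSH enabled on $1"
)
```

Exit status 2 means the PUT was rejected (on 8.x, check the group membership described above); exit status 3 means the PUT was accepted but the appliance did not report SSH as enabled.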
This change is not yet documented in the publicly available vSphere 8.x release notes.
Automation frameworks (e.g., Ansible vmware_vapi_rest modules) must be updated to use an account in BashShellAdministrators.
For more details on the Appliance API, refer to the vSphere Automation API documentation: https://developer.broadcom.com/xapis/vsphere-automation-api/8.0.3/appliance/api/appliance/access/ssh/put/