Use 2FA or MFA for SSH/CLI connections to ESX or vCenter
Article ID: 432844

Products

VMware vSphere ESXi

Issue/Introduction

  • Attempting to set up Two-Factor Authentication (2FA) or Multi-Factor Authentication (MFA) for connections to the vCenter Server Appliance (VCSA) or ESXi via the SSH/CLI interface.

Environment

VMware vCenter Server

VMware ESXi Server

Cause

  • Two-Factor Authentication (2FA) or Multi-Factor Authentication (MFA) is not supported for the ESXi or vCenter SSH/CLI interface, even when the goal is to add an extra layer of security against unexpected SSH/CLI connections to vCenter or ESXi.

Resolution

VMware does not support configuring Two-Factor Authentication (2FA) or Multi-Factor Authentication (MFA) for the vCenter Server Appliance (VCSA) SSH interface.

The VCSA is a pre-packaged appliance running on Photon OS. Modifying the underlying Pluggable Authentication Modules (PAM) or the SSH daemon configuration (sshd_config) to integrate third-party 2FA solutions is strictly unsupported.

Unauthorized modifications to the appliance operating system can result in upgrade failures, service disruptions, and a loss of supportability.

Additional Information

2FA and MFA are fully supported for the vSphere Client (UI) and vSphere APIs through Identity Provider Federation (e.g., ADFS, Entra ID, Okta) or Smart Card authentication. The SSH interface is designed strictly as a break-glass administrative interface rather than a primary access method.

Supported Methods for Securing VCSA SSH:

  • Service State Management: Keep the SSH service disabled by default. Enable it via the vCenter Server Appliance Management Interface (VAMI) on port 5480 or the vSphere Client only when active troubleshooting requires it.
  • Network Segmentation: Restrict access to VCSA TCP port 22 using external firewalls, NSX Distributed Firewall, or dedicated management network isolation. Only permit connections from dedicated jump hosts or administrative IP ranges.
  • Key-Based Authentication: Use public/private SSH key pairs instead of passwords to reduce exposure to password-based attacks.

Note: Do not attempt to install third-party PAM modules or alter OS-level authentication mechanisms on the appliance.
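The first two supported methods above (keep the SSH service off until needed, and restrict TCP/22 to jump hosts) can be enforced across every ESXi host in an inventory from PowerCLI. The following script is an added example written for this article, not VMware's own code or a documented tool; it assumes PowerCLI is installed, that Connect-VIServer has already been run against the vCenter, that the service key `TSM-SSH` and the firewall ruleset `sshServer` are the standard ESXi identifiers, and that the `$JumpHostRanges` values are placeholders for your own management ranges. It applies to ESXi hosts only; the VCSA's own SSH service is toggled through VAMI on port 5480 as described above.

```powershell
# Added example (not from the KB article): audit and harden the SSH service
# on every ESXi host in a vCenter inventory with PowerCLI.
# Assumptions: PowerCLI is installed, Connect-VIServer has already been run,
# and $JumpHostRanges holds placeholder values for the only management
# networks that should ever reach TCP/22 on a host.

$JumpHostRanges = @('10.10.0.0/24', '10.10.1.50')   # placeholders, replace with real admin ranges

foreach ($vmHost in Get-VMHost) {
    # TSM-SSH is the service key ESXi uses for its SSH daemon
    $ssh = Get-VMHostService -VMHost $vmHost | Where-Object { $_.Key -eq 'TSM-SSH' }

    # Report the state before changing anything, so the run doubles as an audit log
    Write-Host ("{0}: SSH running={1} policy={2}" -f $vmHost.Name, $ssh.Running, $ssh.Policy)

    # Service State Management: stop SSH if it was left on after troubleshooting,
    # and make sure it does not start automatically with the host.
    if ($ssh.Running) {
        Stop-VMHostService -HostService $ssh -Confirm:$false | Out-Null
    }
    if ($ssh.Policy -ne 'off') {
        Set-VMHostService -HostService $ssh -Policy Off | Out-Null
    }

    # Network Segmentation: keep the sshServer firewall ruleset available for
    # break-glass use, but only from the listed jump-host ranges instead of "all".
    $esxcli = Get-EsxCli -VMHost $vmHost -V2
    $esxcli.network.firewall.ruleset.set.Invoke(@{ rulesetid = 'sshServer'; allowedall = $false }) | Out-Null

    foreach ($range in $JumpHostRanges) {
        try {
            $esxcli.network.firewall.ruleset.allowedip.add.Invoke(@{ rulesetid = 'sshServer'; ipaddress = $range }) | Out-Null
        }
        catch {
            # Adding a range that is already present raises an error; treat that as already compliant
            Write-Host ("{0}: allowed IP {1} already present or rejected: {2}" -f $vmHost.Name, $range, $_.Exception.Message)
        }
    }
}
```

Run this from a scheduled job or after each troubleshooting session: the `Write-Host` line gives you a per-host record of any SSH service that was found running or set to start automatically, which is a useful detection signal on its own, and the firewall section ensures that even a deliberately enabled SSH service answers only the jump-host ranges rather than the whole management network.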

If you want to use Key-Based Authentication for ESXi or vCenter, follow the reference articles below.

Allowing SSH access to VMware vSphere ESXi/ESX hosts with public/private key authentication

Enable SSH key-based authentication on vSphere ESXi version 8.0.2 and later

Allowing SSH access to VMware vCenter Servers with public/private key authentication