Active Directory users can log into vCenter Server Appliance shell via SSH


Article ID: 433763


Updated On:

Products

VMware vCenter Server

Issue/Introduction

  • vCenter Server is configured with an Active Directory over LDAP identity source.
  • Users from the Active Directory domain can log into the vCenter Server Appliance via SSH without being granted explicit access in the vSphere Client.
  • When logged in, the users enter the appliance shell with a restricted command set.

Cause

This is expected behavior by design. Once an identity source is configured, any user who can authenticate against it can open an SSH session to the appliance. By default, however, such users land in the restricted Appliance Shell (appliancesh) and have no access to the Bash shell or to vCenter Server administrative functions.

Resolution

Info: This behavior is expected by design. The default Appliance Shell prevents these users from executing administrative commands or reaching the Bash shell. Treat it as a reduced, not absent, attack surface: SSH on the appliance still accepts any valid domain credential, so apply the hardening steps below and grant additional access only deliberately.
  • Limit the scope of the Identity Source (the Base DN for users and the Base DN for groups in the identity source configuration) to the Organizational Units (OUs) that contain only the users and groups that need access to vCenter.
  • Disable SSH globally for the vCenter Server Appliance when SSH is not actively required. SSH access cannot be disabled for individual Active Directory users, only for the appliance as a whole.
  • Prevent unauthorized access to the underlying operating system by ensuring that these users are not members of the SystemConfiguration.BashShellAdministrators group.
  • To grant access to the vSphere Client (the vCenter Server UI), assign appropriate roles to the user under Administration > Global Permissions.
  • To grant full Bash shell access, add the user to the SystemConfiguration.BashShellAdministrators group under Administration > Single Sign-On > Users and Groups, and only for users who genuinely need it.
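The following is an added example, not VMware code and not part of this article, showing how the "disable SSH globally" step can be audited and enforced from outside the appliance through the vSphere Automation REST API. It assumes the endpoints POST /api/session (basic auth, returns a session ID) and GET/PUT /api/appliance/access/ssh (a boolean, PUT body {"enabled": ...}); the host name, credentials and the FakeAppliance class used to run it offline are constructed for the demo.

```python
"""Audit and optionally disable SSH on a vCenter Server Appliance (VCSA).

Added example; not VMware's code. Assumed REST endpoints:
  POST /api/session                 -> 201, JSON string session ID
  GET  /api/appliance/access/ssh    -> 200, JSON boolean
  PUT  /api/appliance/access/ssh    -> 204, body {"enabled": <bool>}
Disabling SSH here affects every login, including Active Directory users,
because the appliance has no per-user SSH switch.
"""
import base64
import json
import ssl
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# A transport takes (method, url, headers, body) and returns (status, body).
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, bytes]]


def urllib_transport(method: str, url: str, headers: Dict[str, str],
                     body: Optional[bytes]) -> Tuple[int, bytes]:
    """Real HTTPS transport. Certificate verification stays on; supply a CA
    bundle via ssl.create_default_context(cafile=...) for a private PKI."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    ctx = ssl.create_default_context()
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


class ApplianceAccessClient:
    def __init__(self, base_url: str, transport: Transport = urllib_transport):
        self.base_url = base_url.rstrip("/")
        self.transport = transport
        self.session_id: Optional[str] = None

    def login(self, user: str, password: str) -> str:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        status, body = self.transport("POST", self.base_url + "/api/session",
                                      {"Authorization": "Basic " + token}, None)
        if status != 201:
            raise RuntimeError(f"login failed: HTTP {status}")
        self.session_id = json.loads(body)
        return self.session_id

    def _headers(self) -> Dict[str, str]:
        if not self.session_id:
            raise RuntimeError("not logged in")
        return {"vmware-api-session-id": self.session_id,
                "Content-Type": "application/json"}

    def ssh_enabled(self) -> bool:
        status, body = self.transport("GET", self.base_url + "/api/appliance/access/ssh",
                                      self._headers(), None)
        if status != 200:
            raise RuntimeError(f"GET ssh state failed: HTTP {status}")
        return bool(json.loads(body))

    def set_ssh(self, enabled: bool) -> None:
        payload = json.dumps({"enabled": enabled}).encode()
        status, _ = self.transport("PUT", self.base_url + "/api/appliance/access/ssh",
                                   self._headers(), payload)
        if status not in (200, 204):
            raise RuntimeError(f"PUT ssh state failed: HTTP {status}")

    def enforce_ssh_disabled(self, dry_run: bool = True) -> Dict[str, object]:
        """Report the SSH state; with dry_run=False, turn SSH off if it is on."""
        before = self.ssh_enabled()
        changed = False
        if before and not dry_run:
            self.set_ssh(False)
            changed = True
        after = self.ssh_enabled() if changed else before
        return {"ssh_enabled_before": before, "changed": changed,
                "ssh_enabled_after": after}


class FakeAppliance:
    """Constructed stand-in for a VCSA so the example runs offline; it mimics
    only the three endpoints above and is not a real appliance."""

    SESSION = "constructed-session-id"

    def __init__(self, ssh_enabled: bool = True):
        self.ssh_enabled = ssh_enabled
        self.calls = []

    def __call__(self, method, url, headers, body):
        self.calls.append((method, url))
        if method == "POST" and url.endswith("/api/session"):
            if not headers.get("Authorization", "").startswith("Basic "):
                return 401, b'{"type":"com.vmware.vapi.std.errors.unauthenticated"}'
            return 201, json.dumps(self.SESSION).encode()
        if headers.get("vmware-api-session-id") != self.SESSION:
            return 401, b""
        if url.endswith("/api/appliance/access/ssh"):
            if method == "GET":
                return 200, json.dumps(self.ssh_enabled).encode()
            if method == "PUT":
                self.ssh_enabled = bool(json.loads(body)["enabled"])
                return 204, b""
        return 404, b""


def demo() -> Dict[str, object]:
    """Run the audit against the constructed appliance with SSH initially on."""
    fake = FakeAppliance(ssh_enabled=True)
    client = ApplianceAccessClient("https://vcsa.example.internal", transport=fake)
    client.login("administrator@vsphere.local", "constructed-password")
    return client.enforce_ssh_disabled(dry_run=False)


if __name__ == "__main__":
    print(demo())
```

Against a real appliance, drop the FakeAppliance and pass the VAMI/vCenter URL with the default transport; run with dry_run=True first so the script only reports whether SSH is on, then re-enable SSH through the VAMI or the same PUT when it is genuinely needed.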

Additional Information

Enabling shell access for Active Directory users via SSH to vCenter Server Appliance (VCSA)