The general best practice is to disable SSH on your ESXi host by default and if/when you need access, you can turn it on temporarily and disable it when you have completed your task.
For users that need to modify the default SSH configurations whether that is on the server side, client side or setting up SSH authorized keys, this was historically accomplished by manipulating the various SSH configuration files and then reloading the service, if applicable.
With the introduction of the ESXi Configuration Store in vSphere 7.0 Update 1, the process is now different in ESXi 8.0 Update 2 and later for services that require a configuration file to run, such as SSH, NTP or SNMP, to name a few.
Unlike most ESXi configurations, which can be modified directly with configstorecli, for some of the ESXi services that require a configuration file the validation of the configuration has been built into ESXCLI; once validated, the configuration is then written to the ESXi Configuration Store.
Recently, I had some users ping me about automating various SSH configurations for ESXi, so here is a quick summary below for ESXi 8.0 Update 2 and later:
A new "ssh" namespace has been added under "system", which lets users manage all ESXi SSH configurations, including retrieving the version of the SSH server.
esxcli system ssh
SSH Server Configuration
You can view all configurable SSH Server settings by running the following command:
esxcli system ssh server config list
To modify a specific SSH Server configuration, specify the key and the desired value, such as the example below:
esxcli system ssh server config set -k allowtcpforwarding -v yes
You can certainly use the ESXCLI "list" command to confirm your change, but if you want to see a quick "diff" of the configuration changes from the system defaults, you can use configstorecli with the following command:
configstorecli config current get -c esx -g system -k ssh_server
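To make the "list" and "set" commands above useful at scale, the audit script below (an added example, not code from the original article) compares the output of "esxcli system ssh server config list" on an ESXi 8.0 Update 2 or later host against a baseline and prints the exact "esxcli system ssh server config set -k KEY -v VALUE" commands needed to bring the host back in line. The baseline values are constructed for the example, and it assumes the "config list" output is a two-column Key/Value table with a header line and a dashed underline.

```shell
#!/bin/sh
# Audit an ESXi 8.0 U2+ host's SSH server settings against a baseline and
# print the "esxcli system ssh server config set" commands needed to fix drift.
# Added example, not code from the original article.

# Baseline "key value" pairs (constructed). allowtcpforwarding and fipsmode are
# the keys named in the article; add others from "config list" output as needed.
BASELINE="allowtcpforwarding no
fipsmode yes"

# check_ssh_config BASELINE
# stdin : output of "esxcli system ssh server config list", assumed to be a
#         two-column Key/Value table with a header line and a dashed underline.
# stdout: one remediation command per baseline key whose value differs or is
#         missing, sorted by key. Prints nothing when the host is compliant.
check_ssh_config() {
    awk -v baseline="$1" '
        BEGIN {
            n = split(baseline, lines, "\n")
            for (i = 1; i <= n; i++) {
                split(lines[i], kv, " ")
                if (kv[1] != "") want[kv[1]] = kv[2]
            }
        }
        NR == 1 || $1 ~ /^-+$/ { next }   # skip table header and underline
        NF >= 2 { have[$1] = $2 }         # actual setting reported by the host
        END {
            for (k in want)
                if (!(k in have) || have[k] != want[k])
                    printf "esxcli system ssh server config set -k %s -v %s\n", k, want[k]
        }' | sort
}

# Run the audit only on a host where esxcli is present (no-op elsewhere).
if command -v esxcli >/dev/null 2>&1; then
    fixes=$(esxcli system ssh server config list | check_ssh_config "$BASELINE")
    if [ -n "$fixes" ]; then
        echo "SSH server config drifted from baseline; remediation commands:"
        echo "$fixes"
        exit 1
    fi
    echo "SSH server config matches baseline"
fi
```

Review the printed commands before running them, since a wrong baseline value will be applied verbatim by "config set".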
SSH Client Configuration
Similarly, you can list, modify and retrieve the SSH Client configuration with the following commands:
esxcli system ssh client config list
esxcli system ssh client config set
configstorecli config current get -c esx -g system -k ssh_client
SSH Authorized Keys Configuration
Lastly, for managing SSH authorized keys, the following commands can be used:
esxcli system ssh key list
esxcli system ssh key add -u root -k "ssh-rsa ...."
configstorecli config current get -c esx -g system -k ssh_auth_keys
It so happens that I've been working on automating this task in our environment. Two things to mention:
1. esxcli system ssh - is not implemented on ESXi 7.0.3
2. Keys of type ed25519 won't be supported. This is not yet approved for FIPS compliance. You will need to disable FIPS for ssh
(esxcli system ssh server config set -k fipsmode -v no)
Thank you for sharing. I was able to confirm after further testing that the "esxcli system ssh" namespace was introduced with ESXi 8.0 Update 2 and later, so it wouldn't apply to any ESXi 7.x releases (I've updated the article title/content).
Thanks a lot William, I had been searching how to modify ssh server cfg for quite a while. Do we need to save the change manually, or it will become permanent once changed and survive reboot?
No need to do anything manual; follow the steps outlined and the settings will persist across a reboot.