WilliamLam.com


Quick Tip - SSH Server, Client & Authorized Key Configurations for ESXi 8.0 Update 2 and later

10.14.2024 by William Lam // 4 Comments

The general best practice is to disable SSH on your ESXi host by default and if/when you need access, you can turn it on temporarily and disable it when you have completed your task.

For users who need to modify the default SSH configuration, whether on the server side, on the client side or for SSH authorized keys, this was historically accomplished by editing the various SSH configuration files and then reloading the service, if applicable.

With the introduction of the ESXi Configuration Store in vSphere 7.0 Update 1, the process is now different with ESXi 8.0 Update 2 and later for services that require a configuration file to run, such as SSH, NTP or SNMP, to name a few.

Most ESXi configurations can be modified by using configstorecli. For some of the ESXi services that require a configuration file, however, validation of the configuration has been built into ESXCLI, and once a change has been validated it is written to the ESXi Configuration Store.

Recently, I had some users ping me about automating various SSH configurations for ESXi, so here is a quick summary below for ESXi 8.0 Update 2 and later:

A new "ssh" namespace has been added under system which provides users the ability to manage all ESXi SSH configurations including retrieving the version of the SSH Server.

esxcli system ssh

SSH Server Configuration

You can view all configurable SSH Server settings by running the following command:

esxcli system ssh server config list


To modify a specific SSH Server configuration, specify the key and the desired value, such as the example below:

esxcli system ssh server config set -k allowtcpforwarding -v yes

You can certainly use the ESXCLI "list" command to confirm your change, but if you wanted to see a quick "diff" of the configuration changes from the system defaults, we can use configstorecli with the following command:

configstorecli config current get -c esx -g system -k ssh_server
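
The list and set commands above can be combined into a drift check. The script below is an added example, not code from the original post: it compares a listing against a baseline and prints the `config set` commands needed to remediate, without running them. The helper name `ssh_server_drift`, the baseline values and the two-column Key/Value layout of the sample listing are assumptions.

```sh
#!/bin/sh
# Added example: audit ESXi SSH server settings against a baseline and print
# (not run) the esxcli commands that would bring drifted keys back in line.

# Illustrative baseline, space-separated key=value pairs; use your own policy.
BASELINE="allowtcpforwarding=no fipsmode=yes"

# Constructed sample of `esxcli system ssh server config list` output.
# The two-column Key/Value layout is an assumption; check it on your build.
SAMPLE_LISTING='Key                 Value
------------------  -----
allowtcpforwarding  yes
fipsmode            yes'

# ssh_server_drift BASELINE  (hypothetical helper name)
# Reads a config listing on stdin and prints one `config set` command for each
# baseline key whose current value differs or is absent from the listing.
ssh_server_drift() {
    awk -v baseline="$1" '
        BEGIN {
            n = split(baseline, pairs, " ")
            for (i = 1; i <= n; i++)
                if (split(pairs[i], kv, "=") == 2) {
                    want[kv[1]] = kv[2]
                    order[++m] = kv[1]
                }
        }
        $1 == "Key" || $1 ~ /^-+$/ { next }   # header and dashed separator
        NF >= 2 { have[$1] = $2 }             # values are single tokens
        END {
            for (i = 1; i <= m; i++) {
                k = order[i]
                if ((have[k] "") != (want[k] ""))
                    printf "esxcli system ssh server config set -k %s -v %s\n", k, want[k]
            }
        }'
}

# On an ESXi 8.0 Update 2+ host read the live settings; elsewhere use the sample.
if command -v esxcli >/dev/null 2>&1; then
    esxcli system ssh server config list | ssh_server_drift "$BASELINE"
else
    printf '%s\n' "$SAMPLE_LISTING" | ssh_server_drift "$BASELINE"
fi
```

An empty result means every baseline key already has the desired value.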

SSH Client Configuration

Similarly, we can list, modify and retrieve SSH Client Configuration with the following commands:

esxcli system ssh client config list
esxcli system ssh client config set
configstorecli config current get -c esx -g system -k ssh_client

SSH Authorized Keys Configuration

Lastly, for managing SSH authorized keys, the following commands can be used:

esxcli system ssh key list
esxcli system ssh key add -u root -k "ssh-rsa ...."

configstorecli config current get -c esx -g system -k ssh_auth_keys


Comments

  1. Xana says

    10/15/2024 at 2:40 am

    It so happens that I've been working on automating this task in our environment. Two things to mention:
    1. esxcli system ssh - Is not implemented on ESXi 7.0.3
    2. Keys of type ed25519 won't be supported. This is not yet approved for FIPS compliance. You will need to disable FIPS for ssh
    (esxcli system ssh server config set -k fipsmode -v no)
    • William Lam says

      10/15/2024 at 10:45 am

      Thank you for sharing. I was able to confirm after further testing that the "esxcli system ssh" namespace was introduced with ESXi 8.0 Update 2 and later, so it wouldn't apply to any ESXi 7.x releases (I've updated the article title/content).
  2. Surzn says

    10/31/2024 at 1:49 am

    Thanks a lot William, I had been searching for how to modify the ssh server cfg for quite a while. Do we need to save the change manually, or will it become permanent once changed and survive a reboot?
    • William Lam says

      10/31/2024 at 3:13 am

      No need to do anything manual, follow the steps outlined and the settings will persist on reboot.


Author

William is Distinguished Platform Engineering Architect in the VMware Cloud Foundation (VCF) Division at Broadcom. His primary focus is helping customers and partners build, run and operate a modern Private Cloud using the VMware Cloud Foundation (VCF) platform.
