Information
The ESXi shell, when enabled, can be accessed directly from the host console
through the DCUI or remotely using SSH. Disable Secure Shell (SSH) for each ESXi host to prevent
remote access to the ESXi shell, and only enable SSH when needed for troubleshooting or diagnostics.
*Rationale*
Remote access to the host should be limited to the vSphere Client, remote command-line tools (vCLI/PowerCLI),
and the published APIs. Under normal circumstances, remote access to the host using SSH should be disabled.
Solution
To verify SSH is disabled, perform the following:
1. From the vSphere web client, select the host.
2. Select "Configure" -> "System" -> "Security Profile".
3. Scroll down to "Services".
4. Click "Edit...".
5. Select "SSH".
6. Verify the Startup Policy is set to "Start and Stop Manually".
Alternately, the following PowerCLI command may be used:
# Check if SSH is running and set to start
Get-VMHost | Get-VMHostService | Where-Object { $_.Key -eq "TSM-SSH" } | Select-Object VMHost, Key, Label, Policy, Running, Required
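
The command above only lists the service state; the following added example (not part of the original benchmark text) turns that output into a pass/fail result per host. The function name Test-EsxiSshDisabled and the sample host names are hypothetical, and it assumes PowerCLI reports the "Start and Stop Manually" startup policy as the Policy value "off" and that a running SSH service also counts as a finding.

```powershell
# Added example: evaluates TSM-SSH service records against the check described above.
function Test-EsxiSshDisabled {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Service
    )
    process {
        # Only the SSH service is in scope for this check.
        if ($Service.Key -ne 'TSM-SSH') { return }

        $reasons = @()
        # Assumption: "Start and Stop Manually" is reported as Policy 'off'.
        if ("$($Service.Policy)" -ne 'off') {
            $reasons += "startup policy is '$($Service.Policy)'"
        }
        # Assumption: a host with SSH currently running is flagged even if the policy is correct.
        if ($Service.Running) {
            $reasons += 'service is currently running'
        }

        [pscustomobject]@{
            VMHost    = "$($Service.VMHost)"
            Policy    = "$($Service.Policy)"
            Running   = [bool]$Service.Running
            Compliant = ($reasons.Count -eq 0)
            Finding   = ($reasons -join '; ')
        }
    }
}

# Constructed sample records so the logic can be exercised without a vCenter connection.
$sample = @(
    [pscustomobject]@{ VMHost = 'esx01.example.test'; Key = 'TSM-SSH'; Policy = 'off'; Running = $false }
    [pscustomobject]@{ VMHost = 'esx02.example.test'; Key = 'TSM-SSH'; Policy = 'on';  Running = $true }
    [pscustomobject]@{ VMHost = 'esx03.example.test'; Key = 'TSM-SSH'; Policy = 'off'; Running = $true }
    [pscustomobject]@{ VMHost = 'esx03.example.test'; Key = 'ntpd';    Policy = 'on';  Running = $true }
)
$sample | Test-EsxiSshDisabled | Format-Table -AutoSize

# Against live hosts (requires an existing Connect-VIServer session):
# Get-VMHost | Get-VMHostService | Test-EsxiSshDisabled | Where-Object { -not $_.Compliant }
```

The third sample record shows the case the GUI steps alone do not catch: the startup policy is correct, but SSH was started for troubleshooting and left running.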