I’ve noticed many of the hits on my blog are related to ESXi. One of the most-asked questions is: how can I SSH to an ESXi host? Looking at my WordPress stats, this is also one of the top searches.
By default this isn’t possible. But there’s a way to get this working, just do the following:
- Go to the ESXi console and press alt+F1
- Type: unsupported
- Enter the root password (there is no prompt; you type blindly)
- At the prompt type “vi /etc/inetd.conf”
- Look for the line that starts with “#ssh” (you can search by pressing “/”)
- Remove the “#” (press the “x” if the cursor is on the character)
- Save “/etc/inetd.conf” by typing “:wq!”
- Restart the management services with “/sbin/services.sh restart”
Done!
I personally don’t like it when you can’t properly troubleshoot. I would like to see that SSH is enabled by default on 3i.
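The edit from the steps above, and its reversal once shell access is no longer needed, as a script. This is an added example, not part of the original post; the function names are this example's own, and the file written by `write_sample` is constructed and only approximates a real inetd.conf.

```shell
#!/bin/sh
# Added example: report and toggle the ssh service lines of an inetd.conf-style
# file. The path is an argument, so it can be tried on a copy first.

# Constructed sample (not copied from a real host) for trying the functions.
write_sample() {
    cat >"$1" <<'EOF'
# ssh is commented out by default (constructed sample)
#ssh stream tcp nowait root /sbin/dropbearmulti dropbear -i
#ssh stream tcp6 nowait root /sbin/dropbearmulti dropbear -i
exampled stream tcp nowait root /bin/exampled exampled
EOF
}

# ssh_state FILE -> enabled | disabled | absent
ssh_state() {
    if grep -Eq '^[[:space:]]*ssh[[:space:]]+stream[[:space:]]' "$1"; then
        echo enabled
    elif grep -Eq '^[[:space:]]*#[[:space:]]*ssh[[:space:]]+stream[[:space:]]' "$1"; then
        echo disabled
    else
        echo absent
    fi
}

# set_ssh FILE on|off: uncomment or comment only real service entries
# ("ssh stream ..."), so ordinary comments that mention ssh are left alone.
set_ssh() {
    conf=$1
    tmp="$conf.tmp.$$"
    entry='ssh[[:space:]][[:space:]]*stream[[:space:]]'
    case $2 in
        on)  sed "s/^[[:space:]]*#[[:space:]]*\($entry\)/\1/" "$conf" >"$tmp" ;;
        off) sed "s/^[[:space:]]*\($entry\)/#\1/" "$conf" >"$tmp" ;;
        *)   echo "usage: set_ssh FILE on|off" >&2; return 2 ;;
    esac
    # cat back into the original so its owner and mode are kept.
    cat "$tmp" >"$conf" && rm -f "$tmp"
}
```

After changing the real file, inetd still has to re-read it, for example with the service restart from the last step.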
I did it as described but SSH still does not work for me. I use ESXi update 2.
Only after a restart of the whole system does ssh work.
Hmmm, I will test this again, Kalle. Thanks for the update.
You don’t need to restart esx3i for enabling ssh.
Just do a kill -HUP `ps | grep inetd`
Thank you, thank you, thank you! I just need shell access! I like the “unsupported” thing also… very good to know.
One thing to note here is that there is no prompt when you press Alt-F1. You just type “unsupported” blindly.
I tried this and discovered that I did not have an /etc/ssh folder, nor would ssh start (I don’t believe it even existed in my install). I am reinstalling now, but am wondering if maybe in a recent patch to the downloadable ISO they removed capabilities for SSH.
I have the current ESXI & yes you can enable SSH, I use it a lot! I haven’t mastered using SCP to copy images around yet.
Cary
Using scp is pretty easy, once you know where the files need to go. This is /vmfs/volumes/nnnnnn
replacing nnnnnn with the name you gave your storage volume in VMware ESXi. Then it’s just a case of:
scp filename.iso root@x.x.x.x:/vmfs/volumes/nnnnnn
Replace x.x.x.x with the IP address of the system (make sure there is a colon : between the IP and the path to the file location).
In Windows, WinSCP is good enough and then you can just point and click to the location, or in Linux use gFTP client or another client with SCP/SSH functionality.
Nice. Using ssh, you can also do ssh from ESXi: do ln -s /sbin/dropbearmulti /bin/ssh
So I have some difficulty using the pub key of the ESXi. I generated it with:
/bin/dropbearkey -t rsa -f ~/.ssh/id_rsa.db > ~/.ssh/authorized_keys
taking the ssh-rsa key and putting it inside my other platform’s .ssh/authorized_keys, and when I do scp from the ESXi it needs a password. But if I take my pub key from the other host, generated with ssh-keygen, and put it in the ESXi .ssh/authorized_keys, I can do scp/ssh commands without a password from the other host. Has anyone had some result doing ssh/scp without a password from ESXi, to run some batch commands?
regards
I did this with ESX Server 3i 3.5.0 and I can connect via SSH, but I get access denied trying to login as root.
There is no /etc/sshd directory to allow root ssh access. Any ideas on how to ssh in as root?
OK, using the IP address to ssh in allows me to login as root, no more access denied message.
Is it possible to connect without a password to ESXi (with ssh keys?). Can anyone tell me step by step how to put my sshkey to esxi? Thanks!
1. create your sshkey with the help of puttykeygen (Win) or ssh-keygen (Linux)
2. create “.ssh” directory
3. Place the keyfile on the host
4. cat keyfile >> authorized_keys ( you can also use vi and use c&p)
5. chmod 0600 on .ssh and authorized_keys
Regards
Joerg
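The key-placement steps above as a script, with a check for the common mistake of appending a private key or a PuTTY-format export instead of a one-line public key. This is an added example, not part of the original comment; the function names, the 700/600 permissions and the accepted key types (ssh-rsa, ssh-dss) are this example's assumptions.

```shell
#!/bin/sh
# Added example: append a public key to authorized_keys, refusing files that
# are not in the one-line "type base64 comment" format.

# key_format FILE -> openssh | private | rfc4716 | unknown
key_format() {
    first=$(sed -n '1p' "$1")
    case $first in
        ssh-rsa\ *|ssh-dss\ *)                echo openssh ;;  # assumed key types
        *"PRIVATE KEY"*|PuTTY-User-Key-File*) echo private ;;
        "---- BEGIN SSH2 PUBLIC KEY"*)        echo rfc4716 ;;  # PuTTYgen "save public key"
        *)                                    echo unknown ;;
    esac
}

# install_pubkey KEYFILE HOMEDIR: returns 0 once the key is in place.
install_pubkey() {
    keyfile=$1
    home=$2
    fmt=$(key_format "$keyfile")
    if [ "$fmt" != openssh ]; then
        echo "refusing $keyfile: format is $fmt, need a one-line public key" >&2
        return 1
    fi
    old_umask=$(umask)
    umask 077                      # nothing is ever created group/world readable
    mkdir -p "$home/.ssh"
    auth="$home/.ssh/authorized_keys"
    touch "$auth"
    # Match on "type blob" so the same key with another comment is not added twice.
    blob=$(awk 'NR==1 {print $1 " " $2}' "$keyfile")
    grep -qF -- "$blob" "$auth" || sed -n '1p' "$keyfile" >>"$auth"
    chmod 700 "$home/.ssh"
    chmod 600 "$auth"
    umask "$old_umask"
}
```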
I just found this site and it is nice to know that at one point, SSH was an option. I’m running ESX Server 3i, 3.5.0, 110271 on a Dell PE 2650. This machine is such a hassle to work with. When I try connecting (ssh -24 root@10.0.0.13), I am presented with:
ssh: connect to host 10.0.0.13 port 22: Connection refused
Anyway, I cannot get the SSH server to work for me. My goal was to look at and modify the firewall on this “box.” I’ve installed a pair of Windows 2000 servers into this box and they can see each other via CIFS but they cannot see other Win2k servers on the same segment, not on the ESXi server. The guest Win2k boxes can PING anywhere you like.
On the other side of the coin, the Win2k servers not on the ESXi server can see the “bound” WIN2k machines via CIFS. PING, as you might guess, is also an option.
This “screams” firewall issues to me and is so frustrating. Can anyone help?
David, ensure TOE for the Broadcom NICs on the Dell box is disabled\unlicensed. See if adding a supported Intel NIC to the group\vswitch and removing the Broadcom NICs causes the issues to go away.
Shoddy Broadcom\Dell QA, drivers, etc. have made these systems needlessly difficult to work with. Kill all offloading (checksumming, TOS, etc) and RSS if you can and re-test function.
These are WELL-KNOWN issues that particularly impact firewalling, but have been problematic with numerous networking applications. Go Intel and I’d bet your problems disappear.
Worst case scenario is using non-Broadcom multi-port add-in NICs to get around Dell’s design flaws.
Hey, this is great BUT!!! I’m finding that ESXi FREE VERSION is READ ONLY! I successfully got SSH going on the ESXi installation at work in our test lab, but no deals at home. I need to rename vmdk files so I can use them for new vm’s and it’s not happening. I can’t even get vmkfstools to work at the command line in unsupported mode OR via the remote CLI… bumming bigtime (at home)
Nice work. Got ssh running on ESXi 3.5 on my Dell R200 server. Before, I had to download ISOs, then use the VMware Infrastructure Client 2.5 to install an OS for clients, but this takes a lot of my time with 100KB upload from my DSL connection. Now I can just download the ISOs to the server storage on a 1000mbit line and complete the work in no time!
Regards,
Marnix
Sorry for the double post, but I’d like to mention that it is wise to block (undo) SSH when you no longer need it. Enabling root access for SSH is dangerous.
OK, I tried enabling it in inetd.conf and restarting services, but when I connect via PuTTY, I get “connection refused”. Am I missing something?
(I’m also on a Dell R200)
I tried this, but it did not work.
In ESXi 3.5 Update 3 typing “unsupported” on the first console does nothing.
It looks like the magic keyword has changed. Is there any idea? How do you research the magic keyword? Was it compiled into some binary or written to some script in clear text? And where?
Pls, help, if possible, of course.
I tried this and it works. But on rebooting the ESXi server the ssh setting that I uncommented in inetd.conf is not saved and is commented again. I had to go back to the console and change the setting again. Every time the server reboots this needs to be done again.
Is this the way it works or am I missing something ?
Cannot get it to work on ESX 3i v3.5.0 build 123629… (Update 3)
I have edited /etc/inetd.conf and removed the #ssh. Rebooted server…
Any ideas ?
Jens
PAL,
Magic keyword is still “unsupported” (all lowercase).
I have VMware ESX 3i version 3.5.0, updated with the latest patch. When I press the Alt+F1 key it shows starting open… but I could not find a prompt where I should type unsupported. Can you help me with how I should work with this version so that I can start the SSH service?
I am having trouble with Esxi to Esxi ssh keys. I setup a linux box and dropped the public keys to both Esxi boxes and I can connect fine without a password. I am having trouble creating keys to allow the Esxi boxes to connect directly with each other without a password. Any ideas?
Excellent! This worked for me on ESXi 3.5.0 build 123629. Instead of restarting all the services, however, I just did a ps aux|grep inetd, got the PID and did a kill -HUP pid
services.sh command no longer works, do ps |grep inetd to get the PID, then kill -HUP (PID)
Worked as advertised. Instead of step 8, I rebooted my ESXi u4 server after editing /etc/inetd.conf.
From Windows XP use the excellent WinSCP program:
http://winscp.net/eng/download.php
sweet!
After pressing Alt+F1, and understanding that I’m typing blindly, shouldn’t SOMETHING happen?
Zip. Nada. Nope. Nothing!
press alt-f1
type ‘unsupported’
press enter
type root’s password
press enter
continue…
If you still get an error when you try to connect after this, you should know that you can’t connect in file transfer mode after this, only in command line mode. That happened to me with the client “SSH client”.
Recent VMware ESXi 3.5 updates will encounter issues following reboots with SSH. The problem is that these later updates will attempt to return the VMware Hypervisor back to a ‘factory default’ state on reboot. To get around this, there is a file stored in the /vmfs/volumes/Hypervisor1 folder that is called oem.tgz. It’s a TAR GZIP’d file that will contain any files and/or folders that you want replaced into the system after a reboot. This means that even if you modify /etc/inetd.conf to enable SSH and reboot, there is a big chance, depending on what version of VMware ESXi you have installed, that it will return it back to the factory default state all the time. However, if you place the modified version of this file in that archive, it will do some ‘post processing’ after a reboot, and apply whatever is in the oem.tgz file back to the file system as the last stage of the reboot. This gets around losing SSH on restarts. If you are using SSH keys you will also need to place them in the same file in order for them to be re-applied on restart.
If you want to know more about this, do a Google search for VMWare ESXi oem.tgz to find out how to construct such a file and its behavior.
How can you restrict dropbearmulti to listening only on the management port? Or is this implied anyway, since you’re doing this from within ESXi.
I am on ESXi 4.0 and was able to enable SSH also connected via WinSCP, it was smooth thanks to this post.
Question: I can back up my virtual machines from the server now. But has anyone tried the backup earlier and tried to restore the same? How does that work?
1. Go to the ESXi console and press alt+F1
2. Type: unsupported
3. Enter the root password(No prompt, typing is blindly)
4. At the prompt type “vi /etc/inetd.conf”
5. Look for the line that starts with “#ssh” (you can search with pressing “/”)
6. Remove the “#” (press the “x” if the cursor is on the character)
7. Save “/etc/inetd.conf” by typing “:wq!”
8. Restart the management service “/sbin/services.sh restart”
10 – Kill inetd : kill `ps | grep inetd | cut -f2 -d" "`
11 – Start inetd: inetd
If nothing happens when you type unsupported, follow this:
1 – Open the VI client, click onto the ESXi server you want to manage and go to Configuration TAB;
2 – Advanced Settings
3 – Uncheck the VMkernel.boot.techSupportMode
4 – Reboot the ESXi Server. Before restarting the host, you should shut down virtual machines on that.
Source: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1003677
I need to run my linux application from the unsupported console. But how to copy my application into the ESXi 4.0 drop box and run it in the unsupported console.
thanks a lot, that worked like a charm..
When I perform this modification and then reboot, ESXi does not start back up. It just comes to a screen with a blinking cursor and I am unable to access anything through the VMWare Infrastructure Client or through the physical machine. Has anyone had this happen and how can I fix it? Thanks.
How can I add an RSA ID in .ssh?
Every time I restart the ESXi the .ssh is removed….
(It is NOT an embedded system; the ESXi is normally installed on a RAID array.)
I need to have an automatic RSA login to the ESXi…
Plz help
Hello,
can I connect to the ESXi Console (the grey/yellow one) via ssh? I want to customize the System with F2.
Many thanks, Max
Black:
Add to /etc/rc.local ->
mkdir /.ssh
cp /vmfs/volumes/[somedatastore1]/authorized_keys /.ssh/
chmod -R 600 /.ssh
You will need to add the public key from the host you need to connect from to the file /vmfs/volumes/[somedatastore1]/authorized_keys
This file will reside on a datastore, the root homedir resides on ramdisk, so you need to copy it over every time you reboot.
Good luck
Just for the record… With ESXi 4.1, enabling ssh is really simple, just go:
HOST > Configuration > Security profile, properties > Remote tech support (ssh) > Options, “start”.
Works instantly.
“One of the most asked questions is how can I SSH to an ESXi hosts? Looking at my wordpress stats, this is also one of the top searches.”
Where else can I read about it?
I made all the steps above and I’m able to ssh into my ESXi server, but I need to know the root password to become su… Is there a way to set up a sudoers file? In this way I could keep the root password safe & secret.
Hi,
We have an ESXi 4.1 server which we have recently lost the ability to SSH into. This happened after attempting to use keys for authentication.
The only error we get in /var/log/messages is:
dropbear[######]: premature exit: bad buf_getptr
We have checked inetd.conf to make sure SSH is enabled and root login was not disabled. We also created another user and are still not able to SSH into the server.
trying ssh -vvvv we get the following error on the machine trying to connect:
[root@linux_host:~]# ssh -vvvv testesxi1
OpenSSH_5.6p1, OpenSSL 1.0.0j-fips 10 May 2012
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to testesxi1 [xxx.yyy.zzz.aaa] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug3: Not a RSA1 key file /root/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /root/.ssh/id_rsa type 1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
ssh_exchange_identification: Connection closed by remote host
[root@linux_host:~]#
I’ve posted on the vmware communities and have not had any luck thus far.
Anyone know what is going on?
Regards,
Vlad
This really helped me – but I got thrown a curve ball by not being so familiar with ESXi console and Rodrigo Miguel’s comment about “unchecking” the VMkernel.boot.techSupportMode option.
So to save others time (who, like me, read the whole thread before trying this out) the VMkernel.boot.techSupportMode option MUST be checked! Do not uncheck this. If it is not checked, then check it (and reboot). Follow Rodrigo Miguel’s excellent instructions as to where to find it.
The other thing to point out is the “user experience”. I read a lot about “typing blindly” here, which was misleading. If your screen background stays black with grey text / lines while you’re typing, your console is still in some kind of “standby” state, and your key presses are being ignored! Instead, first press ESC or space (can’t recall now which), so that your ESXi console screen changes to a yellow and grey background color. It’s now out of standby mode. Now you can press Alt-F1.
When I pressed Alt-F1 on my ESXi 3.5 system the screen immediately changed to a login prompt. I did not have to type blindly, I could see the prompt, and my key presses coming up on the screen. Not only that, but there’s a banner in salmon-pink writing saying “Tech Support Mode”. After entering the username and hitting return, I then got prompted for the password. All was pretty normal linux experience.
After this the kill -HUP did the trick for me, no restarts needed, and the system is still running smoothly. (relief!)
Thanks to everyone here for taking the time to record their tips and experiences. Great thread!
Not having run vi before, when I run vi /etc/inetd.conf all I get is a bunch of lines with ‘~’ as the first character. I’m thinking maybe the good stuff rolled off the screen but I don’t know how to scroll back to find it.
Thanks for any help,
Doug