Block 1 Lab 3 — ESXi Shell & SSH: Enabling & Using the CLI

#	Objective
1	Enable ESXi Shell and SSH from the Host Client using `vim-cmd hostsvc` commands
2	Verify service status with `esxcli system maintenanceMode` and service commands
3	Navigate the ESXi filesystem — explore `/etc`, `/vmfs/volumes`, and `/var/log`
4	Inspect key configuration files — `passwd`, `hosts`, `vmware/config`
5	Set the ESXi Shell interactive timeout and SSH login banner
6	Open Security View — understand the attack surface each enabled service creates
7	Knowledge check — Shell, SSH, and ESXi security concepts

Objective

Enable ESXi Shell and SSH from the Host Client using vim-cmd hostsvc commands

Verify service status with esxcli system maintenanceMode and service commands

Navigate the ESXi filesystem — explore /etc, /vmfs/volumes, and /var/log

Inspect key configuration files — passwd, hosts, vmware/config

Set the ESXi Shell interactive timeout and SSH login banner

Open Security View — understand the attack surface each enabled service creates

Knowledge check — Shell, SSH, and ESXi security concepts

Concept	What it means
ESXi Shell	Interactive POSIX-like shell on the host console or via DCUI. Disabled by default. Runs as root with full VMkernel access.
SSH	Remote shell access over port 22. Disabled by default. Allows the same root shell access over the network.
vim-cmd	VMware's internal management command. Used to control host services, manage VMs, and interact with the VMkernel API without needing vCenter.
/vmfs/volumes	The VMFS filesystem mount point. Each datastore appears here as a directory — this is where all VM files live.
Shell timeout	ESXi Shell and SSH can be configured to auto-close after a period of inactivity. A best practice in production.

Concept

What it means

ESXi Shell

Interactive POSIX-like shell on the host console or via DCUI. Disabled by default. Runs as root with full VMkernel access.

SSH

Remote shell access over port 22. Disabled by default. Allows the same root shell access over the network.

vim-cmd

VMware's internal management command. Used to control host services, manage VMs, and interact with the VMkernel API without needing vCenter.

/vmfs/volumes

The VMFS filesystem mount point. Each datastore appears here as a directory — this is where all VM files live.

Shell timeout

ESXi Shell and SSH can be configured to auto-close after a period of inactivity. A best practice in production.

Command	Purpose
vim-cmd hostsvc/enable_ssh	Enable the SSH service
vim-cmd hostsvc/start_ssh	Start the SSH service immediately
vim-cmd hostsvc/enable_esx_shell	Enable the ESXi Shell service
vim-cmd hostsvc/start_esx_shell	Start the ESXi Shell service
vim-cmd hostsvc/disable_ssh	Disable the SSH service
vim-cmd hostsvc/stop_ssh	Stop the SSH service immediately
esxcli system settings advanced list -o /UserVars/ESXiShellTimeOut	View shell timeout setting
esxcli system settings advanced set -o /UserVars/ESXiShellTimeOut -i 600	Set shell timeout to 600 seconds
esxcli system settings advanced set -o /UserVars/SSHBanner -s "Authorised use only"	Set SSH login banner
cat /etc/passwd	View local user accounts
cat /etc/hosts	View local DNS entries
ls /vmfs/volumes	List datastores
ls /var/log	List log files

Command

Purpose

vim-cmd hostsvc/enable_ssh

Enable the SSH service

vim-cmd hostsvc/start_ssh

Start the SSH service immediately

vim-cmd hostsvc/enable_esx_shell

Enable the ESXi Shell service

vim-cmd hostsvc/start_esx_shell

Start the ESXi Shell service

vim-cmd hostsvc/disable_ssh

Disable the SSH service

vim-cmd hostsvc/stop_ssh

Stop the SSH service immediately

esxcli system settings advanced list -o /UserVars/ESXiShellTimeOut

View shell timeout setting

esxcli system settings advanced set -o /UserVars/ESXiShellTimeOut -i 600

Set shell timeout to 600 seconds

esxcli system settings advanced set -o /UserVars/SSHBanner -s "Authorised use only"

Set SSH login banner

cat /etc/passwd

View local user accounts

cat /etc/hosts

View local DNS entries

ls /vmfs/volumes

List datastores

ls /var/log

List log files

🖥 esxi-01.lab.local — Services

💻 ESXi Shell DISABLED

Not running · console only

🔐 SSH DISABLED

Not listening · port 22 closed

🌐 hostd (HTTPS) RUNNING

Host Client · port 443

📡 vpxa (vCenter) RUNNING

vCenter agent · connected

ESXi8.0 U3

Shelldisabled

SSHdisabled

Timeoutnot set

Filesystem Explored

📁/

📁/etc

📁/vmfs/volumes

📁/var/log

—

[root@esxi-01:~]

📋 Tasks & Guide

Lab Information

🔒 Security View — Shell & SSH Attack Surface

—