How to securely enable SSH on ESXi hosts

SSH access is a standard way of managing servers in the UNIX and Linux world. VMware’s ESXi hypervisor has this feature built in, but it is disabled by default. This article covers restricting SSH access so that only your management network can connect, and configuring the ESXi SSH service to start whenever your ESXi server is started.

The procedure is valid for ESXi version 6 and 7 hosts, including the ESXi Free hypervisor.

Get started

Open your ESXi host client by typing its IP address or hostname in your web browser. Log in as root or another user with administrative privileges.

Firewall settings

This step is not mandatory but highly recommended. It’s generally good practice to only allow SSH access from trusted hosts or networks. If you plan to use VMcom Backup Appliance to back up an ESXi Free hypervisor host, make sure to include VMcom’s IP address in the list of trusted hosts.

Navigate to Networking -> Firewall and locate the default SSH Server rule. Click edit settings and change the policy to only allow connections from selected networks. Enter the list of trusted hosts or networks and click OK.
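Before typing the list into the rule, it is worth checking that it is no wider than the management network and still covers every client that needs SSH, such as your admin workstation and the backup appliance. The following is an added example, not part of the original procedure or any VMware tool; the function name, the addresses and the assumption that entries are single IPs or CIDR networks are illustrative.

```python
import ipaddress

def check_allowlist(entries, mgmt_net, must_reach):
    """Return a list of problems with a proposed SSH Server allowed-IP list.

    entries    -- strings to be entered in the firewall rule (IPs or CIDR networks)
    mgmt_net   -- the management network, e.g. "10.20.0.0/24"
    must_reach -- addresses that must keep SSH access (admin host, backup appliance)
    """
    mgmt = ipaddress.ip_network(mgmt_net)
    problems, accepted = [], []
    for raw in entries:
        try:
            # strict=True rejects a network with host bits set, e.g. 10.20.0.5/24,
            # which usually means a host address was given the wrong mask.
            net = ipaddress.ip_network(raw.strip(), strict=True)
        except ValueError as exc:
            problems.append(f"{raw!r}: not a valid IP or CIDR ({exc})")
            continue
        if net.prefixlen == 0:
            problems.append(f"{raw}: matches every address, same as allowing all")
        elif net.version != mgmt.version or not net.subnet_of(mgmt):
            problems.append(f"{raw}: outside management network {mgmt}")
        else:
            accepted.append(net)
    # Only entries that passed the checks count towards coverage.
    for host in must_reach:
        addr = ipaddress.ip_address(host)
        if not any(addr in net for net in accepted):
            problems.append(f"{host}: required client is not covered by any entry")
    return problems

if __name__ == "__main__":
    # Constructed sample values, not taken from a real environment.
    proposed = ["10.20.0.0/28", "10.20.0.5/24", "192.168.50.7", "0.0.0.0/0"]
    required = ["10.20.0.5", "10.20.0.40"]  # admin workstation, backup appliance
    for problem in check_allowlist(proposed, "10.20.0.0/24", required):
        print("FIX:", problem)
```

An empty result means the list can be entered as is; each reported line names the entry to correct before clicking OK.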

SSH service settings

Still in the ESXi host client, navigate to Host -> Manage -> Services and locate the TSM-SSH service. We are going to automatically start the service when ESXi boots. Click Actions -> Policy and select Start and stop with host.


Congratulations! You have successfully enabled the SSH service for access from selected IP addresses or networks.