A Bug with Disabling SSH Service Port in vSphere 5.1

While playing with the vSphere API last week, I ran into an issue: I could not disable the SSH server with the firewall APIs (see HostFirewallSystem). The following call would throw an exception:

hfs.disableRuleset("sshServer");


There are many other different services like “sshClient” whose ports can be enabled and disabled via the API. As a nice surprise, they all work just fine.

It puzzled me why the SSH server is so special that it alone fails with the firewall API. Note that the services behind the firewall could be totally different, but the filtering of ports should be pretty similar, if not identical. I guess someone might have put in some logic to handle cases like ESXi lock-down mode. Anyway, it should have been caught by QA, because the check can be easily automated with a script that runs against every new build.

To be sure it was not a problem with my code, I then tried to disable the SSH server port in the vSphere Client. No surprise: it didn’t work, and an error dialog box popped up.

Was my environment special? I then searched the Internet and found a KB article, “Disabling SSH services on an ESXi host using the vSphere Client fails with the error: Cannot change the host configuration” (http://kb.vmware.com/kb/2037544), in the VMware community. Not only was the issue confirmed with ESXi 5.1, but a workaround is also provided.

So if you have run into this issue, you’ve probably figured out what’s going on. If not yet, don’t be surprised if you do. You can try out the workaround in the KB. Hopefully it will be addressed in the next vSphere release. Beyond that, I hope the engineering team adds a test case to guard against the bug coming back.
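The per-build check mentioned above could look like the following. This is an added example, not code from the original post or from VMware: it flips each firewall ruleset, confirms the state changed, and restores it. The method and property names follow pyVmomi's `vim.host.FirewallSystem` (`host.configManager.firewallSystem`); `FakeFirewallSystem`, its `RuntimeError`, and the sample ruleset states are constructed stand-ins so the block runs without a host.

```python
from types import SimpleNamespace

def find_untoggleable_rulesets(fw):
    """Flip each firewall ruleset, verify the change, then restore it.
    Returns {ruleset_key: reason} for every ruleset that misbehaved."""
    failures = {}
    for key, was_enabled in [(r.key, r.enabled) for r in fw.firewallInfo.ruleset]:
        flip, restore = (("DisableRuleset", "EnableRuleset") if was_enabled
                         else ("EnableRuleset", "DisableRuleset"))
        try:
            getattr(fw, flip)(key)
        except Exception as exc:  # a live host would raise a vSphere fault here
            failures[key] = f"{flip} raised: {exc}"
            continue
        fw.RefreshFirewall()
        current = {r.key: r.enabled for r in fw.firewallInfo.ruleset}[key]
        if current == was_enabled:
            failures[key] = f"{flip} returned but state did not change"
            continue
        try:
            getattr(fw, restore)(key)  # put the ruleset back as found
        except Exception as exc:
            failures[key] = f"{restore} raised on restore: {exc}"
    return failures

class FakeFirewallSystem:
    """Constructed stand-in reproducing the behaviour described in the post."""
    def __init__(self, states):
        self._states = dict(states)

    @property
    def firewallInfo(self):
        return SimpleNamespace(ruleset=[SimpleNamespace(key=k, enabled=v)
                                        for k, v in self._states.items()])

    def EnableRuleset(self, id):
        self._states[id] = True

    def DisableRuleset(self, id):
        if id == "sshServer":  # the one ruleset the post reports as failing
            raise RuntimeError("Cannot change the host configuration")
        self._states[id] = False

    def RefreshFirewall(self):
        pass

def demo():
    # Constructed sample states, not taken from a real host.
    fw = FakeFirewallSystem({"sshServer": True, "sshClient": False, "ntpClient": True})
    return find_untoggleable_rulesets(fw), fw._states
```

Against a real test host, pass `host.configManager.firewallSystem` instead of the stand-in and fail the build whenever the returned dictionary is non-empty.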


6 Comments

  1. Posted April 23, 2013 at 1:30 am | Permalink

    A Bug with Disabling SSH Service Port in vSphere 5.1 http://t.co/p5BSnbI0U8 via @sjin2008

  2. Posted April 23, 2013 at 2:12 am | Permalink

    A Bug with Disabling SSH Service Port in vSphere 5.1 (DoubleCloud) http://t.co/F34bQC1W7m

  3. Posted April 23, 2013 at 3:27 am | Permalink

    A Bug with Disabling SSH Service Port in vSphere 5.1 (DoubleCloud) http://t.co/DpLpADlam9

  4. Posted April 23, 2013 at 6:53 am | Permalink

    Internet security is very important now.

  5. Posted April 23, 2013 at 1:29 pm | Permalink

    Glad you posted this one. I never got around to doing a post on it. I definitely hope they fix this soon. The workaround every time I need SSH is not ideal.

  6. Posted April 23, 2013 at 1:48 pm | Permalink

    Agree, Shawn!


  • NEED HELP?


    My company has created products like vSearch ("Super vCenter"), vijavaNG APIs, EAM APIs, ICE tool. We also help clients with virtualization and cloud computing on customized development, training. Should you, or someone you know, need these products and services, please feel free to contact me: steve __AT__ doublecloud.org.

    Me: Steve Jin, VMware vExpert who authored the VMware VI and vSphere SDK by Prentice Hall, and created the de facto open source vSphere Java API while working at VMware engineering. Companies like Cisco, EMC, NetApp, HP, Dell, VMware, are among the users of the API and other tools I developed for their products, internal IT orchestration, and test automation.