
A Bug with Disabling SSH Service Port in vSphere 5.1

April 23rd, 2013

While playing with the vSphere API last week, I ran into an issue: I could not disable the SSH server with the Firewall APIs (see HostFirewallSystem). The following call would throw an exception:

hfs.disableRuleset("sshServer");

There are many other services, like “sshClient”, whose ports can be enabled and disabled via the API. As a nice surprise, they all work just fine.

It puzzled me why the SSH server is so special that only it fails the firewall API. Note that the services behind the firewall could be totally different, but the filtering of ports should be pretty similar if not identical. I guess someone might have put in some logic to handle cases like ESXi lock-down mode. Anyway, it should have been caught by QA, because it can be easily automated with a script that runs against every new build.

To be sure it was not a problem with my code, I also tried disabling the SSH server port in the vSphere Client. No surprise: it didn’t work there either, and an error dialog box popped up.

Was my environment special? I then searched the Internet and found a KB article, “Disabling SSH services on an ESXi host using the vSphere Client fails with the error: Cannot change the host configuration” (http://kb.vmware.com/kb/2037544), in the VMware community. Not only was the issue confirmed with ESXi 5.1, but a workaround is also provided.

So if you have run into this issue, you’ve probably figured out what’s going on. If not yet, don’t be surprised if you do. You can try the workaround in the KB. Hopefully it will be addressed in the next vSphere release. Even more, I hope the engineering team adds a test case to guard against the bug coming back.
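The post says twice that this failure should be caught by an automated check on every build. One shape such a check could take, as an added example that is not the author's or VMware's code: it uses pyVmomi's method names (`DisableRuleset`, `EnableRuleset`, `RefreshFirewall`, `firewallInfo.ruleset`) and runs offline against a constructed `FakeFirewallSystem`; the `nfsClient` entry and the fault text are sample values.

```python
from types import SimpleNamespace

def check_ruleset_toggle(fw):
    """Disable each enabled ruleset, verify the reported state, restore it.
    `fw` is shaped like pyVmomi's vim.host.FirewallSystem. Returns {key: status}."""
    results = {}
    for rs in list(fw.firewallInfo.ruleset):
        if not rs.enabled:
            results[rs.key] = "skipped"
            continue
        try:
            fw.DisableRuleset(id=rs.key)
        except Exception as exc:  # the symptom described in the post
            results[rs.key] = f"FAIL: {exc}"
            continue
        try:
            fw.RefreshFirewall()
            # Do not trust the call: re-read the state the host reports.
            state = {r.key: r.enabled for r in fw.firewallInfo.ruleset}
            results[rs.key] = "FAIL: still enabled" if state[rs.key] else "ok"
        finally:
            fw.EnableRuleset(id=rs.key)  # leave the host as we found it
    return results

class FakeFirewallSystem:
    """Constructed stand-in for a host; keys in `broken` refuse to disable."""
    def __init__(self, state, broken=()):
        self.state, self.broken = dict(state), set(broken)

    @property
    def firewallInfo(self):
        rules = [SimpleNamespace(key=k, enabled=v) for k, v in self.state.items()]
        return SimpleNamespace(ruleset=rules)

    def DisableRuleset(self, id):
        if id in self.broken:
            raise RuntimeError("constructed fault: cannot change host configuration")
        self.state[id] = False

    def EnableRuleset(self, id):
        self.state[id] = True

    def RefreshFirewall(self):
        pass

def demo():
    # Constructed ruleset state; only sshServer misbehaves, as in the post.
    state = {"sshServer": True, "sshClient": True, "nfsClient": False}
    fw = FakeFirewallSystem(state, broken={"sshServer"})
    return check_ruleset_toggle(fw), fw.state
```

Against a real host the same function would take `host.configManager.firewallSystem` from pyVmomi. Run it only on a test host, since every ruleset is briefly closed while it is being checked.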

Categories: vSphere API
  1. April 23rd, 2013 at 01:30 | #1

    A Bug with Disabling SSH Service Port in vSphere 5.1 http://t.co/p5BSnbI0U8 via @sjin2008

  2. April 23rd, 2013 at 02:12 | #2

    A Bug with Disabling SSH Service Port in vSphere 5.1 (DoubleCloud) http://t.co/F34bQC1W7m

  3. April 23rd, 2013 at 03:27 | #3

    A Bug with Disabling SSH Service Port in vSphere 5.1 (DoubleCloud) http://t.co/DpLpADlam9

  4. April 23rd, 2013 at 06:53 | #4

    Internet security is very important now.

  5. April 23rd, 2013 at 13:29 | #5

    Glad you posted this one. I never got around to doing a post on it. I definitely hope they fix this soon. The workaround every time I need SSH is not ideal.

  6. April 23rd, 2013 at 13:48 | #6

    Agree, Shawn!
