How to enable/disable SSH on all ESXi hosts in a cluster w/PowerCLi


This time we will look at just two functions.

Enable-VMHostSSH/Disable-VMHostSSH from my PowerCLi Vi-Module.

  • Very often, virtual infrastructure administrators must temporarily enable SSH on the ESXi host(s), for example, to run the esxtop or to clarify the PSOD reasons or to troubleshoot storage system (HBA, Multi pathing, etc.). Through SSH you can even eject the CDROM by executing eject /dev/cdrom/mpx.* to determine the host’s location in a rack or connect to DCUI.

  • To enable SSH through a GUI with vSphere/Web Client, you should make about 7-8 clicks considering opening the firewall. You will have to do this for the each host individually. Then all the same in the reverse order to disable SSH!
    Total, for a small cluster of 5 hosts it will take around 70 clicks.

  • With the help of my functions it is two short lines, first to enable and the second to disable SSH. Use your Cluster name(s) or omit it to execute the function on all Clusters in Inventory.

Get-Cluster DEV | Enable-VMHostSSH
Get-Cluster | Enable-VMHostSSH
Get-Cluster DEV, TEST | Disable-VMHostSSH
Get-Datacenter North | Get-Cluster | Disable-VMHostSSH


  • The functions not only start/stop the SSH daemon, but also open/block SSH access by host’s firewall.
  • As expected, both functions return structured objects. I would like to draw your attention only to two properties of these objects – SSHDaemon and SSHEnabled.

SSHDaemon – the state of the TSM-SSH daemon.


  • It may be one of these three values: Running/NotRunning/Unknown. If on one of the hosts you got Unknown state, you will find the reason in one of these properties: State or PowerState (the host is not powered on now or unreachable).

SSHEnabled presents the firewall exception rule state.


  • If you use optional parameter -BlockFirewall, the Disable-VMHostSSH function will try to block SSH traffic (TCP:22) by host’s firewall.
  • When using this parameter, the SSHEnabled property must become False (i.e. the firewall blocked), but this does not happen, if the SSH Server Firewall Exception Rule is categorized as Required Services (i.e. mandatory). In addition, you will see the error message Block firewall ports in the Recent Tasks pane.


  • This is not critical at all. There is good enough that the SSH daemon is stopped. This situation described in the VMware KB2037544.
  • If you still want to be able to block SSH traffic by firewall, this article will help you. The solution proposed in it requires to enable SSH too, so you can already do that by the Enable-VMHostSSH.

  • Both the functions support -Confirm parameter

Get-Cluster | essh –Confirm:$false
Get-Cluster | dssh –Confirm:$false
  • Well, despite the fact that the functions are very easy to use, I recommend you to take a look at the examples and content based help.
Get-Help Enable-VMHostSSH -Examples
Get-Help Disable-VMHostSSH –Examples
Get-Help Enable-VMHostSSH -Full
Get-Help Disable-VMHostSSH –Full
Get-Help Disable-VMHostSSH –Parameter BlockFirewall
Get-Alias –Definition Enable-VMHostSSH
Get-Alias –Definition Disable-VMHostSSH

You may also like:

Get-VMHostGPU – Get ESXi GPU info
Get-VMHostFirmwareVersion – Get ESXi servers BIOS/Firmware version
Set-VMHostNtpServer – Configure ESXi hosts NTP settings
Compare-VMHost – Compare two or more ESXi hosts

3 thoughts on “How to enable/disable SSH on all ESXi hosts in a cluster w/PowerCLi

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s