Enabling lockdown mode affects which users are authorized to access host services.

Users who were logged in to the ESXi Shell before lockdown mode was enabled remain logged in and can run commands. However, these users cannot disable lockdown mode. No other users, including the root user and users with the Administrator role on the host, can use the ESXi Shell to log in to a host that is in lockdown mode.

Users with administrator privileges on the vCenter Server system can use the vSphere Client to disable lockdown mode for hosts that are managed by that vCenter Server system. Root users and users with the Administrator role on the host can always log in directly to the host through the Direct Console User Interface (DCUI) to disable lockdown mode. If the host is not managed by vCenter Server, or if the host is unreachable, you must reinstall ESXi.

Note

Lockdown mode does not apply to root users who log in using authorized keys. When an authorized key file is used for root user authentication, lockdown mode does not prevent the root user from accessing the host over SSH.

The services available to each type of user differ between a host running in lockdown mode and a host running in normal mode, as the following table shows. In either mode, non-root users cannot run system commands in the ESXi Shell.

Lockdown Mode Behavior

Service                   | Normal Mode                                       | Lockdown Mode
--------------------------|---------------------------------------------------|-------------------------
vSphere WebServices API   | All users, based on ESXi permissions              | vCenter only (vpxuser)
CIM Providers             | Root users and users with Admin role on the host  | vCenter only (ticket)
Direct Console UI (DCUI)  | Root users and users with Admin role on the host  | Root users
ESXi Shell                | Root users and users with Admin role on the host  | No users
SSH                       | Root users and users with Admin role on the host  | No users
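The table above says that no users can reach a locked-down host over SSH, while the note earlier on this page records the one exception: a root user with an authorized key. The PowerCLI script below is an added example, not part of the VMware documentation, that audits both conditions across the hosts a vCenter Server manages: whether lockdown mode is enabled, and whether the SSH service (TSM-SSH) is running on a host that is already locked down, since in that state a root authorized key would still grant shell access. It assumes PowerCLI is installed and that you have already run Connect-VIServer against vCenter; the finding strings and the $Remediate switch are this example's own choices.

```powershell
# Added example (not VMware's code): audit lockdown mode and SSH exposure on managed ESXi hosts.
# Assumes an existing Connect-VIServer session to the vCenter Server system.
param(
    [switch]$Remediate   # when set, enable lockdown mode on hosts where it is disabled
)

$report = foreach ($vmhost in Get-VMHost) {
    $cfg = $vmhost.ExtensionData.Config
    # Config.AdminDisabled is $true while the host is in lockdown mode.
    # On vSphere 6.0 and later, Config.LockdownMode additionally reports the mode name.
    $lockdownOn = [bool]$cfg.AdminDisabled
    $ssh = Get-VMHostService -VMHost $vmhost | Where-Object { $_.Key -eq 'TSM-SSH' }

    $finding = if (-not $lockdownOn) {
        'lockdown mode disabled'
    } elseif ($ssh -and $ssh.Running) {
        'lockdown mode on, but SSH service running: a root authorized key still permits access'
    } else {
        'ok'
    }

    if ($Remediate -and -not $lockdownOn) {
        # EnterLockdownMode is the HostSystem managed-object method behind the vSphere Client toggle.
        $vmhost.ExtensionData.EnterLockdownMode()
        $finding += ' (lockdown mode enabled by this run)'
    }

    [PSCustomObject]@{
        Host         = $vmhost.Name
        LockdownMode = $lockdownOn
        SshRunning   = if ($ssh) { $ssh.Running } else { $false }
        Finding      = $finding
    }
}

$report | Format-Table -AutoSize
```

Run it without -Remediate first to see the findings; rerun with -Remediate only for hosts you intend to lock down. The script cannot see the root authorized key file itself, because that lives on each host's filesystem (/etc/ssh/keys-root/authorized_keys on ESXi); a host flagged with SSH running while locked down is the one to inspect there.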