As we all know, there is basically a limit of one ssh session to the filer. If you connect to your filer through some unix/linux host, it is good practice to send each command as a separate ssh command instead of keeping a constant ssh session open. What do I mean by that? Instead of:
tomek@debian:~$ ssh -l root netapp01
root@netapp01’s password:
netapp01> df -Ag
Aggregate total used avail capacity
aggr_root 0GB 0GB 0GB 95%
aggr_root/.snapshot 0GB 0GB 0GB ---%
aggr0 10GB 1GB 9GB 10%
aggr0/.snapshot 0GB 0GB 0GB ---%
netapp01> uptime
2:52pm up 18:31 47 NFS ops, 0 CIFS ops, 0 HTTP ops, 0 FCP ops, 0 iSCSI ops
netapp01> Connection to netapp01 closed by remote host.
Connection to netapp01 closed.
Let’s go with:
tomek@debian:~$ ssh netapp01 df -Ag
Aggregate total used avail capacity
aggr_root 0GB 0GB 0GB 95%
aggr_root/.snapshot 0GB 0GB 0GB ---%
aggr0 10GB 1GB 9GB 10%
aggr0/.snapshot 0GB 0GB 0GB ---%
tomek@debian:~$ ssh netapp01 uptime
2:52pm up 18:31 47 NFS ops, 0 CIFS ops, 0 HTTP ops, 0 FCP ops, 0 iSCSI ops
You see the difference? Yep – first of all, the filer doesn’t ask for the password each time. Of course it has a few other advantages. First of all, you can use all the nice features of bash (if you use /bin/bash on your linux/unix host). So, for example, you can go with:
tomek@debian:~$ ssh netapp01 df -Am | grep -v snap
Aggregate total used avail capacity
aggr_root 900MB 856MB 43MB 95%
aggr0 10800MB 1030MB 9769MB 10%
The other advantage of working this way is that you don’t block the one available ssh session to the filer, which is especially useful in a multi-admin environment.
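Once each command is its own ssh call, its output can feed a small check. The following is an added example, not from the original post: aggr_over_limit is a hypothetical helper that reads df -A output and reports aggregates at or above a capacity limit, run here on a constructed sample.

```sh
#!/bin/sh
# Added example, not from the original post. aggr_over_limit is a
# hypothetical helper that reads `df -A` output on stdin.

# Print "name percent" for each aggregate at or above the limit (default 90).
# The header, .snapshot rows and rows whose capacity is not a number ("---%")
# are skipped.
aggr_over_limit() {
    awk -v limit="${1:-90}" '
        $1 ~ /\.snapshot$/ { next }
        $NF ~ /^[0-9]+%$/ {
            pct = $NF
            sub(/%$/, "", pct)
            if (pct + 0 >= limit + 0) print $1, pct
        }'
}

# Constructed sample in the format of the df -Ag output shown earlier.
SAMPLE_DF='Aggregate total used avail capacity
aggr_root 0GB 0GB 0GB 95%
aggr_root/.snapshot 0GB 0GB 0GB ---%
aggr0 10GB 1GB 9GB 10%
aggr0/.snapshot 0GB 0GB 0GB ---%'

printf '%s\n' "$SAMPLE_DF" | aggr_over_limit 90

# Live use. BatchMode=yes makes ssh fail instead of prompting for a password
# when key authentication does not work, so an unattended job cannot hang:
#   ssh -o BatchMode=yes netapp01 df -Ag | aggr_over_limit 90
```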
So, how to do it? I would go with a couple of steps:
1. Create a user account in Data ONTAP
If your unix account is, for example, tomek, create the same username in Data ONTAP. When opening ssh sessions you will then just have to type ssh filername instead of ssh username@filername or ssh -l username filername. To do so:
netapp01> useradmin user add tomek -g Administrators
New password:
Retype new password:
User <tomek> added.
2. Generate ssh keys
I won’t go deep into ssh keys. If you don’t understand what a public key and a private key are, I would strongly recommend googling it. But in simple steps, you can generate your ssh keys like this:
tomek@debian:~$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/tomek/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/tomek/.ssh/id_rsa.
Your public key has been saved in /home/tomek/.ssh/id_rsa.pub.
The key fingerprint is:
fa:54:70:bb:61:4c:fd:3e:08:68:74:0f:94:95:51:ba tomek@debian
tomek@debian:~$ cat .ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDJ1Acxv0WCAA0+NfKoOrFSVQL9jpc2hZrMbw5kDSEK8mZXH8pZAm/0XV9ncBoZjy35+Ih4qYDqS6aJyRvocynLgPQiYAdw9jMJvDsWR5OF5RWGILpHS+UDiw4hVMhGLNj2DmA3v/Jkl9vGfBObd7uhMyEn1CzG2D0xYLLPTb8JjsoBi4dsBXBd1w57kM5++gcPtT8DNu04JQkRZ7yEvgnBCr8YjSZ1wNSaV4HwrDyBzLz4VD87roAxKUemLF7y1L5e6dzikdMxl4xxTT3Gxwrh5XLdt7VR2sxpBT3c16Uiy8WQ+zYrIeH6Ih6BZLZgHhHau8JbYtBxe4MQb9O3jiFx tomek@debian
I recommend using a passphrase for security reasons. If you don’t use a passphrase, another user who can read your private key (for example, someone with access to the root account) can copy it and use it to log in to the filers as you.
3. Send the ssh key to the filer
The ssh public key should go to /etc/sshd/<user_name>/.ssh/authorized_keys. If you have just created a new user, this path does not exist. Creating it gets a little bit tricky, since mkdir is not a command you can use in the normal ONTAP operation mode. To add this file you can always use a cifs or nfs share of your /vol/vol0. If you don’t have one, you need to use diaguser and go to the systemshell. To do so:
– log in to the filer and enter the advanced mode
tomek@debian:~$ ssh netapp01
tomek@netapp01’s password:
netapp01> priv set advanced
– enable diaguser and set a password for diaguser
netapp01*> useradmin diaguser unlock
netapp01*> useradmin diaguser password
Please enter a new password:
Please enter it again:
– go to systemshell using the username diag and the password that you set up in the previous step
netapp01*> systemshell
Data ONTAP/amd64 (netapp01) (ttyp0)
login: diag
Password:
Warning: The system shell provides access to low-level
diagnostic tools that can cause irreparable damage to
the system if not used properly. Use this environment
only when directed to do so by support personnel.
netapp01%
– create the directory and use vi to add the public key to the authorized_keys file
netapp01% mkdir -p /mroot/etc/sshd/tomek/.ssh
netapp01% vi /mroot/etc/sshd/tomek/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDJ1Acxv0WCAA0+NfKoOrFSVQL9jpc2hZrMbw5kDSEK8mZXH8pZAm/0XV9ncBoZjy35+Ih4qYDqS6aJyRvocynLgPQiYAdw9jMJvDsWR5OF5RWGILpHS+UDiw4hVMhGLNj2DmA3v/Jkl9vGfBObd7uhMyEn1CzG2D0xYLLPTb8JjsoBi4dsBXBd1w57kM5++gcPtT8DNu04JQkRZ7yEvgnBCr8YjSZ1wNSaV4HwrDyBzLz4VD87roAxKUemLF7y1L5e6dzikdMxl4xxTT3Gxwrh5XLdt7VR2sxpBT3c16Uiy8WQ+zYrIeH6Ih6BZLZgHhHau8JbYtBxe4MQb9O3jiFx tomek@debian
~
/mroot/etc/sshd/tomek/.ssh/authorized_keys: 1 lines, 394 characters.
– exit the systemshell and, for security reasons, lock the diag user, then exit the advanced mode
netapp01% exit
logout
netapp01*> useradmin diaguser lock
netapp01*> priv set
netapp01> Connection to netapp01 closed by remote host.
Connection to netapp01 closed.
That’s it! Enjoy your password-less access to the filer!
tomek@debian:~$ ssh netapp01 df -m
Filesystem total used avail capacity Mounted on
/vol/vol0/ 808MB 187MB 621MB 23%
/vol/vol0/.snapshot 42MB 99MB 0MB 234%
/vol/nfs/ 972MB 0MB 972MB 0%
/vol/nfs/.snapshot 51MB 0MB 50MB 1%
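In step 3 the public key is pasted into vi by hand, so it is worth checking the line on the unix host before it goes to the filer. The following is an added example, not from the original post: check_pubkey_file is a hypothetical helper that confirms the .pub file is a single line and that the length fields inside the key blob are intact. The sample key is constructed and is not a usable key.

```sh
#!/bin/sh
# Added example, not from the original post. check_pubkey_file is a
# hypothetical helper; it needs only sh, awk, od, tr and base64.
check_pubkey_file() {
    file=$1
    # A key that was wrapped during the paste shows up as more than one line.
    lines=$(awk 'END { print NR }' "$file")
    [ "$lines" -eq 1 ] || { echo "expected 1 line, found $lines" >&2; return 1; }
    read -r type blob _comment < "$file" || :
    case $blob in
        ''|*[!A-Za-z0-9+/=]*) echo "second field is not base64" >&2; return 1 ;;
    esac
    # Hex-dump the decoded blob and the type name so awk can compare them.
    hex=$(printf '%s' "$blob" | base64 -d 2>/dev/null | od -An -v -tx1 | tr -d ' \n')
    want=$(printf '%s' "$type" | od -An -v -tx1 | tr -d ' \n')
    # The blob is a run of fields, each a 4-byte big-endian length plus data;
    # the first field repeats the key type. Every field must end inside the
    # blob, so a line that lost characters at the end is rejected.
    awk -v hex="$hex" -v want="$want" '
        function hexval(s,   i, v) {
            for (i = 1; i <= length(s); i++)
                v = v * 16 + index("0123456789abcdef", substr(s, i, 1)) - 1
            return v
        }
        BEGIN {
            n = length(hex); pos = 1
            while (pos <= n) {
                if (pos + 7 > n) exit 1                  # cut inside a length
                len = hexval(substr(hex, pos, 8)); pos += 8
                if (pos + 2 * len - 1 > n) exit 1        # cut inside a field
                if (++fields == 1 && substr(hex, pos, 2 * len) != want) exit 1
                pos += 2 * len
            }
            exit (fields >= 2 ? 0 : 1)
        }' || { echo "blob is truncated or does not match $type" >&2; return 1; }
}

# Constructed sample: a structurally valid ssh-rsa blob with an 8-byte dummy
# modulus. It is not a usable key.
SAMPLE_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAACACqqqqqqqqq tomek@debian'

demo=$(mktemp -d)
printf '%s\n' "$SAMPLE_KEY" > "$demo/good.pub"
printf '%s\n' "${SAMPLE_KEY%qqqq tomek@debian} tomek@debian" > "$demo/cut.pub"
check_pubkey_file "$demo/good.pub" && echo "good.pub: ok"
check_pubkey_file "$demo/cut.pub" || echo "cut.pub: rejected"
rm -rf "$demo"
```

Run it against ~/.ssh/id_rsa.pub before opening the systemshell; the same check can be repeated on a copy of the file read back from the filer.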