NetApp OnTAP – add ssh keys

As we all know, there is basically a limit of one ssh session to the filer. If you connect to your filer through some unix/linux host, it is good practice to send each command as a separate ssh command instead of keeping a constant ssh session open. What do I mean by that? Instead of:

tomek@debian:~$ ssh -l root netapp01
root@netapp01's password:

netapp01> df -Ag
Aggregate                total       used      avail capacity
aggr_root                  0GB        0GB        0GB      95%
aggr_root/.snapshot        0GB        0GB        0GB     —%
aggr0                     10GB        1GB        9GB      10%
aggr0/.snapshot            0GB        0GB        0GB     —%
netapp01> uptime
2:52pm up 18:31 47 NFS ops, 0 CIFS ops, 0 HTTP ops, 0 FCP ops, 0 iSCSI ops
netapp01> Connection to netapp01 closed by remote host.
Connection to netapp01 closed.

Let’s go with:

tomek@debian:~$ ssh netapp01 df -Ag
Aggregate                total       used      avail capacity
aggr_root                  0GB        0GB        0GB      95%
aggr_root/.snapshot        0GB        0GB        0GB     —%
aggr0                     10GB        1GB        9GB      10%
aggr0/.snapshot            0GB        0GB        0GB     —%

tomek@debian:~$ ssh netapp01 uptime
  2:52pm up 18:31 47 NFS ops, 0 CIFS ops, 0 HTTP ops, 0 FCP ops, 0 iSCSI ops

You see the difference? Yep – first of all the filer doesn't ask for the password each time. Of course it has a few other advantages. First of all you can use all the nice features of bash (if you use /bin/bash on your linux/unix). So, for example, you can go with:

tomek@debian:~$ ssh netapp01 df -Am | grep -v snap
Aggregate                total       used      avail capacity
aggr_root                900MB      856MB       43MB      95%
aggr0                  10800MB     1030MB     9769MB      10%

The other advantage of working this way is that you don't block the one available ssh session to the filer, which is especially useful in a multi-admin environment.

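To show the one-command-per-session pattern from a script rather than an interactive shell, here is an added example (not code from the original post). It builds the ssh invocation with BatchMode=yes, so a script fails cleanly instead of hanging on a password prompt while holding the filer's single ssh session, and parses the df -A aggregate listing so a threshold check can be run over it. It assumes key-based login is already set up as described below; the filer name and the sample df output are constructed for illustration.

```python
"""One ONTAP command per ssh session, with a parser for 'df -A' output.

Added example, not code from the original post. It assumes key-based
login is already configured as the post describes; the filer name and the
sample df output below are constructed for illustration.
"""
import subprocess
from dataclasses import dataclass
from typing import List, Optional

FILER = "netapp01"  # assumption: the filer name used in the post

# Constructed sample, modelled on the post's 'df -Ag' run. ONTAP prints a
# dashed capacity for a snapshot reserve of size zero.
SAMPLE_DF_AG = """\
Aggregate                total       used      avail capacity
aggr_root                  0GB        0GB        0GB      95%
aggr_root/.snapshot        0GB        0GB        0GB     ---%
aggr0                     10GB        1GB        9GB      10%
aggr0/.snapshot            0GB        0GB        0GB     ---%
"""


@dataclass
class AggregateUsage:
    aggregate: str
    total: str
    used: str
    avail: str
    capacity: Optional[int]  # None where ONTAP prints dashes


def ssh_argv(filer: str, *command: str, user: Optional[str] = None) -> List[str]:
    """Build argv for one non-interactive command on the filer.

    BatchMode=yes makes ssh fail instead of prompting for a password when
    the key is not accepted, so a cron job can never hang while holding the
    filer's single ssh session; ConnectTimeout bounds an unreachable filer.
    The login name is only passed when it differs from the local one.
    """
    argv = ["ssh", "-o", "BatchMode=yes", "-o", "ConnectTimeout=10"]
    if user:
        argv += ["-l", user]
    argv.append(filer)
    argv.extend(command)
    return argv


def run_filer_command(filer: str, *command: str, user: Optional[str] = None) -> str:
    """Run one command in its own ssh session and return its stdout.

    A non-zero exit (key rejected, host unreachable) raises
    subprocess.CalledProcessError; the ssh error text is in .stderr.
    """
    result = subprocess.run(ssh_argv(filer, *command, user=user),
                            capture_output=True, text=True, check=True)
    return result.stdout


def parse_df_a(output: str) -> List[AggregateUsage]:
    """Parse 'df -A' output into one record per aggregate line."""
    rows: List[AggregateUsage] = []
    for line in output.splitlines()[1:]:  # first line is the header
        parts = line.split()
        if len(parts) != 5:
            continue  # blank or unexpected line
        name, total, used, avail, cap = parts
        cap = cap.rstrip("%")
        rows.append(AggregateUsage(name, total, used, avail,
                                   int(cap) if cap.isdigit() else None))
    return rows


def aggregates_over(output: str, threshold: int) -> List[str]:
    """Names of aggregates at or above threshold %, snapshot reserve excluded."""
    return [r.aggregate for r in parse_df_a(output)
            if r.capacity is not None and r.capacity >= threshold
            and not r.aggregate.endswith("/.snapshot")]


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; against a real filer
    # use run_filer_command(FILER, "df", "-Ag") instead of SAMPLE_DF_AG.
    print("argv:", " ".join(ssh_argv(FILER, "df", "-Ag")))
    print("aggregates at or above 90%:", aggregates_over(SAMPLE_DF_AG, 90))
```

Each call to run_filer_command opens and closes its own session, exactly like the ssh netapp01 df -Ag one-liner above, so the filer's single session is held only for the duration of one command.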
So... How to do it? I would go with a couple of steps:

1. Create a user account in Data ONTAP

If your unix account is, for example, tomek, create the same username in Data ONTAP. When making ssh sessions you will then only have to type ssh filername instead of ssh username@filername or ssh -l username filername. To do so:

netapp01> useradmin user add tomek -g Administrators
New password:
Retype new password:
User <tomek> added.

2. Generate ssh keys

I won't go deep into ssh keys. If you don't understand what a public key and a private key are, I would strongly recommend googling it. But in simple steps you can generate your ssh keys like this:

tomek@debian:~$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/tomek/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/tomek/.ssh/id_rsa.
Your public key has been saved in /home/tomek/.ssh/id_rsa.pub.
The key fingerprint is:
fa:54:70:bb:61:4c:fd:3e:08:68:74:0f:94:95:51:ba tomek@debian

tomek@debian:~$ cat .ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDJ1Acxv0WCAA0+NfKoOrFSVQL9jpc2hZrMbw5kDSEK8mZXH8pZAm/0XV9ncBoZjy35+Ih4qYDqS6aJyRvocynLgPQiYAdw9jMJvDsWR5OF5RWGILpHS+UDiw4hVMhGLNj2DmA3v/Jkl9vGfBObd7uhMyEn1CzG2D0xYLLPTb8JjsoBi4dsBXBd1w57kM5++gcPtT8DNu04JQkRZ7yEvgnBCr8YjSZ1wNSaV4HwrDyBzLz4VD87roAxKUemLF7y1L5e6dzikdMxl4xxTT3Gxwrh5XLdt7VR2sxpBT3c16Uiy8WQ+zYrIeH6Ih6BZLZgHhHau8JbYtBxe4MQb9O3jiFx tomek@debian

I recommend using a passphrase for security reasons. If you don't use a passphrase, another user who has access to the root account, for example, can copy your private key and use it to log in to the filers as you.

3. Send the ssh key to the filer

The ssh public key should go to /etc/sshd/<user_name>/.ssh/authorized_keys. If you have just created the user this path does not exist yet, and creating it gets a little bit tricky since mkdir is not a command you can use in normal ONTAP operating mode. To add this file you can always use a CIFS or NFS share to your /vol/vol0. If you don't have one, you need to use the diag user and go to the systemshell. To do so:

– log in to the filer and enter advanced mode

tomek@debian:~$ ssh netapp01
tomek@netapp01's password:

netapp01> priv set advanced

– unlock the diag user and set a password for it

netapp01*> useradmin diaguser unlock

netapp01*> useradmin diaguser password

Please enter a new password:
Please enter it again:

– go to the systemshell using the username diag and the password you set in the previous step

netapp01*> systemshell

Data ONTAP/amd64 (netapp01) (ttyp0)

login: diag
Password:

Warning:  The system shell provides access to low-level
diagnostic tools that can cause irreparable damage to
the system if not used properly.  Use this environment
only when directed to do so by support personnel.

netapp01%

– create the directory and use vi to add the public key to the authorized_keys file

netapp01% mkdir -p /mroot/etc/sshd/tomek/.ssh
netapp01% vi /mroot/etc/sshd/tomek/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDJ1Acxv0WCAA0+NfKoOrFSVQL9jpc2hZrMbw5kDSEK8mZXH8pZAm/0XV9ncBoZjy35+Ih4qYDqS6aJyRvocynLgPQiYAdw9jMJvDsWR5OF5RWGILpHS+UDiw4hVMhGLNj2DmA3v/Jkl9vGfBObd7uhMyEn1CzG2D0xYLLPTb8JjsoBi4dsBXBd1w57kM5++gcPtT8DNu04JQkRZ7yEvgnBCr8YjSZ1wNSaV4HwrDyBzLz4VD87roAxKUemLF7y1L5e6dzikdMxl4xxTT3Gxwrh5XLdt7VR2sxpBT3c16Uiy8WQ+zYrIeH6Ih6BZLZgHhHau8JbYtBxe4MQb9O3jiFx tomek@debian
~

/mroot/etc/sshd/tomek/.ssh/authorized_keys: 1 lines, 394 characters.

– exit the systemshell, lock the diag user again for security reasons, and leave advanced mode

netapp01% exit
logout
netapp01*> useradmin diaguser lock

netapp01*> priv set
netapp01> Connection to netapp01 closed by remote host.
Connection to netapp01 closed.

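The key in step 3 is typed into authorized_keys through vi, and a single dropped or mistyped character in that 372-character blob silently breaks the login. As an added example (not code from the original post), here is a small checker that parses a public key line, verifies the base64 blob is intact and really is an ssh-rsa key, and reports key size, comment and fingerprints: the MD5 colon form that ssh-keygen printed in step 2, and the SHA256 form that current ssh-keygen -l prints. Comparing the MD5 value against the one shown at generation time confirms the installed line is the key you generated. The sample line is the public key from the post, and EXPECTED_MD5 is the fingerprint ssh-keygen printed there.

```python
"""Check an OpenSSH public key line before it goes into authorized_keys.

Added example, not code from the original post. Parses '<type> <base64>
[comment]', validates the ssh-rsa wire format inside the blob and computes
the MD5 (colon) and SHA256 fingerprints of the blob, which is exactly what
ssh-keygen fingerprints. The sample line is the key shown in the post.
"""
import base64
import binascii
import hashlib
import struct
from typing import Dict, Tuple

# Sample input: the public key line printed by 'cat .ssh/id_rsa.pub' in the post.
SAMPLE_KEY_LINE = (
    "ssh-rsa "
    "AAAAB3NzaC1yc2EAAAADAQABAAABAQDJ1Acxv0WCAA0+NfKoOrFSVQL9jpc2"
    "hZrMbw5kDSEK8mZXH8pZAm/0XV9ncBoZjy35+Ih4qYDqS6aJyRvocynLgPQi"
    "YAdw9jMJvDsWR5OF5RWGILpHS+UDiw4hVMhGLNj2DmA3v/Jkl9vGfBObd7uh"
    "MyEn1CzG2D0xYLLPTb8JjsoBi4dsBXBd1w57kM5++gcPtT8DNu04JQkRZ7yE"
    "vgnBCr8YjSZ1wNSaV4HwrDyBzLz4VD87roAxKUemLF7y1L5e6dzikdMxl4xx"
    "TT3Gxwrh5XLdt7VR2sxpBT3c16Uiy8WQ+zYrIeH6Ih6BZLZgHhHau8JbYtBx"
    "e4MQb9O3jiFx"
    " tomek@debian"
)
# The fingerprint ssh-keygen printed in the post when the key was generated.
EXPECTED_MD5 = "fa:54:70:bb:61:4c:fd:3e:08:68:74:0f:94:95:51:ba"


def _read_string(blob: bytes, offset: int) -> Tuple[bytes, int]:
    """Read one SSH wire-format string: uint32 big-endian length, then bytes."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end


def parse_public_key_line(line: str) -> Dict[str, object]:
    """Return type, bits, exponent, comment and fingerprints of an ssh-rsa line.

    Raises ValueError for anything malformed: bad base64 (a paste error),
    a blob whose inner type disagrees with the leading word, or leftover
    bytes after the modulus.
    """
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    try:
        blob = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"base64 blob is corrupt (paste error?): {exc}") from exc
    inner_type, pos = _read_string(blob, 0)
    if inner_type != key_type.encode():
        raise ValueError(f"blob says {inner_type!r} but line says {key_type!r}")
    if key_type != "ssh-rsa":
        raise ValueError("this example only handles ssh-rsa keys")
    e_bytes, pos = _read_string(blob, pos)   # public exponent (mpint)
    n_bytes, pos = _read_string(blob, pos)   # modulus (mpint, leading 0x00 if high bit set)
    if pos != len(blob):
        raise ValueError("unexpected trailing bytes after the modulus")
    modulus = int.from_bytes(n_bytes, "big")
    md5_hex = hashlib.md5(blob).hexdigest()
    sha256_b64 = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {
        "type": key_type,
        "bits": modulus.bit_length(),
        "exponent": int.from_bytes(e_bytes, "big"),
        "comment": comment,
        "md5": ":".join(md5_hex[i:i + 2] for i in range(0, len(md5_hex), 2)),
        "sha256": "SHA256:" + sha256_b64,
    }


def is_well_formed(line: str) -> bool:
    """True if the line parses as an intact ssh-rsa public key."""
    try:
        parse_public_key_line(line)
        return True
    except ValueError:
        return False


def fingerprint_matches(line: str, expected_md5: str) -> bool:
    """Compare the line's MD5 fingerprint with the one ssh-keygen printed."""
    return parse_public_key_line(line)["md5"] == expected_md5.lower()


if __name__ == "__main__":
    info = parse_public_key_line(SAMPLE_KEY_LINE)
    for name, value in info.items():
        print(f"{name:9} {value}")
    print("matches fingerprint printed by ssh-keygen:",
          fingerprint_matches(SAMPLE_KEY_LINE, EXPECTED_MD5))
    # One dropped character is caught before the key is installed.
    damaged = SAMPLE_KEY_LINE.replace("AAAAB3NzaC1yc2E", "AAAAB3NzaC1yc2")
    print("well-formed after dropping one character:", is_well_formed(damaged))
```

Run it on the line you are about to paste (or on the line read back from the filer after saving it in vi); a corrupt paste shows up as a ValueError rather than as a silent fallback to password prompts the next time you run ssh netapp01.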
That's it! Enjoy your password-less access to the filer!

tomek@debian:~$ ssh netapp01 df -m
Filesystem               total       used      avail capacity  Mounted on
/vol/vol0/               808MB      187MB      621MB      23%  /vol/vol0/
/vol/vol0/.snapshot       42MB       99MB        0MB     234%  /vol/vol0/.snapshot
/vol/nfs/                972MB        0MB      972MB       0%  /vol/nfs/
/vol/nfs/.snapshot        51MB        0MB       50MB       1%  /vol/nfs/.snapshot