
passwordless ssh to filer

TDUBB1234

I am trying to ssh without a password to my filers, but after I generated my ssh keys, I tried to create a folder

\\filer\C$\etc$\sshd\root

it will not allow me to create a root directory

I am trying to copy this authorized_keys file to

\\filer\c$\etc\sshd\root\.ssh

help


aborzenkov

It is
filer\C$\etc\sshd\root not
filer\C$\etc$\sshd\root.

TDUBB1234

Yes, it's that directory, but I cannot create the root directory.

aborzenkov

Are you able to create any directory under /etc at all? Do you have a CIFS license? What is the security style of the root volume?

RAFAEL_GUEDES

If you have neither CIFS nor NFS licenses, you could create this directory using the diag account.

Note: take care using this account.

First, enter advanced mode:

filer> priv set advanced

Now, unlock the diag account and set a password for it:

filer*> useradmin diaguser unlock

filer*> useradmin diaguser password

Enter the systemshell, create the directory you need and put the generated pubkey in the authorized_keys file:

filer*> systemshell

login: diag

Password: the same you set in the previous step

filer% mkdir -p /mroot/etc/sshd/root/.ssh

filer% vi /mroot/etc/sshd/root/.ssh/authorized_keys

filer% sudo chown -R root:wheel /mroot/etc/sshd/root

filer% sudo chmod -R 0600 /mroot/etc/sshd/root


Then, exit the systemshell, lock the diag account and exit advanced mode:

filer% exit

filer*> useradmin diaguser lock

filer*> priv set admin

aborzenkov

You should have added that it applies to Data ONTAP 8.x only.

RAFAEL_GUEDES

Hi aborzenkov, you are right!

But even if Data ONTAP is earlier than 8.x, it is possible to accomplish this task using only the CLI.

filer> wrfile /etc/authorized_keys

filer> ndmpd status

filer> ndmpd on (if it is off)

filer> ndmpcopy /etc/authorized_keys /etc/sshd/root/.ssh

filer> ndmpd off (if it was off in the previous step)

filer> priv set diag

filer> rm /etc/authorized_keys

filer> priv set admin

D_BEREZENKO

The easiest way, thank you it is working!

TDUBB1234

OK, I created the dir and put the authorized_keys file under


filer\c$\etc\sshd\root

but ssh from my management workstation is still asking for a password.

RAFAEL_GUEDES

The right path is:

filer\c$\etc\sshd\root\.ssh

Also make sure the option below is set to 'on':

options ssh.pubkey_auth.enable

TDUBB1234

Still not working. Strange.

options ssh

ssh.access *

ssh.enable on

ssh.idle.timeout 0

ssh.passwd_auth.enable on

ssh.port 22

ssh.pubkey_auth.enable on

ssh1.enable on

ssh2.enable on

authorized_keys is under


filer\c$\etc\root\.ssh\authorized_keys

authorized_keys was generated from my mgmt workstation.

RAFAEL_GUEDES

Could you show how you generate your keys?

RAFAEL_GUEDES

By the way: the path you gave is still not right.

This is the right one:

filer\c$\etc\sshd\root\.ssh

Note: best practice is to disable ssh1 because it is not secure.

TDUBB1234

ssh-keygen -t rsa -b 1024

ssh-keygen -t dsa -b 1024

cat id_dsa.pub > authorized_keys

cat id_rsa.pub >> authorized_keys

RAFAEL_GUEDES

Were these commands executed on the filer or on a Linux host?

TDUBB1234

On the filer itself, in systemshell.

RAFAEL_GUEDES

Usually I run this command to generate the pubkey on the client side, then I put the pubkey on the filer.

TDUBB1234

You are saying I don't need to use authorized_keys? Or just copy the .pub keys over?

RAFAEL_GUEDES

These are all the steps I do:

On the client side (Linux host):

# ssh-keygen -t rsa (leave all the answers blank)

It will generate a private key (/root/.ssh/id_rsa) and a public key (/root/.ssh/id_rsa.pub). You need to put the content of the public key inside the authorized_keys file on the filer.

On the filer side:

First, enter advanced mode:

filer> priv set advanced


Now, unlock the diag account and set a password for it:

filer*> useradmin diaguser unlock

filer*> useradmin diaguser password


Enter the systemshell, create the directory you need and put the generated pubkey in the authorized_keys file:

filer*> systemshell

login: diag

Password: the same you set in the previous step

filer% mkdir -p /mroot/etc/sshd/root/.ssh

filer% vi /mroot/etc/sshd/root/.ssh/authorized_keys (here is where you put the content of the id_rsa.pub generated on the client)

filer% sudo chown -R root:wheel /mroot/etc/sshd/root

filer% sudo chmod -R 0600 /mroot/etc/sshd/root


Then, exit the systemshell, lock the diag account and exit advanced mode:

filer% exit

filer*> useradmin diaguser lock

filer*> priv set admin

Hope it helps! 😃

TDUBB1234

OK, I finally got it to work. I guess the copy and paste carried over some weird characters.

I was able to scp the file to the filer and it works now.

Thanks a lot.
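
The failure reported in the post above (an authorized_keys file that picked up stray characters during copy and paste) can be caught before the file is put on the filer. The following is an added example, not part of the original thread; the function names and the constructed sample key blob are assumptions made for illustration.

```python
import base64
import struct

def _wire_fields(data):
    """Split an SSH public-key blob into its 4-byte-length-prefixed fields."""
    fields, pos = [], 0
    while pos < len(data):
        if pos + 4 > len(data):
            return None
        (n,) = struct.unpack(">I", data[pos:pos + 4])
        if pos + 4 + n > len(data):
            return None  # a field runs past the end: blob was cut short
        fields.append(data[pos + 4:pos + 4 + n])
        pos += 4 + n
    return fields

def check_authorized_keys(text):
    """Return [(line_number, problem)] for the body of an authorized_keys file."""
    problems = []
    for n, raw in enumerate(text.split("\n"), 1):
        line = raw.rstrip("\r")
        if line != raw:
            problems.append((n, "CRLF line ending"))
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if any(ord(c) > 126 or (ord(c) < 32 and c != "\t") for c in line):
            problems.append((n, "non-ASCII or control character"))
            continue
        parts = line.split()
        # Simplification: the first field starting with ssh-/ecdsa- is the key type.
        idx = next((i for i, p in enumerate(parts) if p.startswith(("ssh-", "ecdsa-"))), None)
        if idx is None or idx + 1 >= len(parts):
            problems.append((n, "no key type followed by a key blob (wrapped line?)"))
            continue
        try:
            wire = _wire_fields(base64.b64decode(parts[idx + 1], validate=True))
        except ValueError:
            wire = None
        if not wire:
            problems.append((n, "key blob is damaged or truncated"))
        elif wire[0] != parts[idx].encode():
            problems.append((n, "key type does not match the type inside the blob"))
    return problems

def sample_blob(ktype=b"ssh-rsa"):
    # Constructed sample in SSH wire format; structurally valid, not a real key.
    fields = [ktype, b"\x01\x00\x01", b"\x00" + bytes(range(1, 64))]
    return base64.b64encode(b"".join(struct.pack(">I", len(f)) + f for f in fields)).decode()
```

An empty result means every key line is plain ASCII, sits on one line, and carries a blob whose embedded type matches the declared one.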

TDUBB1234

This path is not right?


filer\c$\etc\sshd\root\.ssh\authorized_keys

I have no CIFS license.