SSH key sharing between ESX and NetApp

Set up SSH between ESX and NetApp so that it does not need passwords.
VMware recommends setting up shared keys between your ESX servers and your Network Appliance filer to facilitate configuration, status checks and troubleshooting. I recently set this up so that PowerChute Network Shutdown on my VMware ESX server could execute a script to shut down all the VMware servers and then shut down the NetApp before losing power.
Using shared keys is great for trusted machines. As a consultant, I was concerned that later administrators would change the root password and not update the shutdown script to use the new password. That would cause the shutdown to fail and possibly corrupt the NetApp. A key-based login keeps working after a password change, and I wanted to use SSH as it is more secure than rsh and hosts.equiv.

On the NetApp, we need to create an authorized_keys file. However, the NetApp console limits access to the file system and has no standard UNIX mkdir or file editing tools. To change the directory structure, we must reach the root volume from another machine using FTP, Windows file shares (CIFS) or NFS. Since my server was only using FCP (Fibre Channel), I opted for the FTP server on the NetApp.

Create a root account and enable the FTP server on the NetApp
The FTP server does not use the normal root login. It uses the /etc/passwd file, which is not synchronized with any other authentication scheme. First we need to create an encrypted (hashed) password. NetApp has a CIFS tool to create the encrypted string; you may need to enable CIFS before running it. You do not need to do this on each NetApp you are configuring: once you have the string, you can paste it onto the other NetApps (I had two to configure). Log into the NetApp and execute cifs passwd followed by your desired password. The NetApp responds with the encrypted string. Copy the entire string, and watch for punctuation at the beginning or end.

Next, edit the /etc/passwd file. Since the NetApp has no editor, we read the file and then write a new one. Execute rdfile /etc/passwd and look at the existing file for additional entries. Other file sharing services can use the UNIX authentication method (that is, /etc/passwd), so their entries must be carried over into the new file.

Now we need to create the new /etc/passwd file. Execute wrfile /etc/passwd and create the root entry by typing root: followed by the new encrypted password, then finish the line with :0:1::/: and press return. Then paste the rest of the old /etc/passwd into the new file. You may want to assemble the whole file in Notepad first and paste it in at once, since wrfile replaces the file rather than appending to it. Press Control-C to exit (Control-D is the preferred method, but it also closes the SSH session). Execute rdfile /etc/passwd to verify the new file. It should look like this (your password hash will differ):
root:_SwdOnr(sw.:0:1::/:
pcuser::65534:65534::/:
nobody::65535:65535::/:
ftp::65533:65533:FTP Anonymous:/home/ftp:
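An added example for this step, not part of the original post: a small POSIX shell helper that builds the new /etc/passwd content from the rdfile output and the cifs passwd hash, so the existing entries are carried over intact and an old root line is replaced rather than duplicated, and checks that every line has the seven colon-separated fields before you paste it into wrfile. The sample entries are the ones shown above; the hash is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): build the NetApp /etc/passwd
# content to paste into "wrfile /etc/passwd".  Input is the output of
# "rdfile /etc/passwd" plus the hash printed by "cifs passwd"; output is the
# root line followed by every existing non-root entry, unchanged.

# Constructed sample: what rdfile printed on a filer with no root entry yet
# (the same entries appear in the post; the hash below is a placeholder).
OLD_PASSWD='pcuser::65534:65534::/:
nobody::65535:65535::/:
ftp::65533:65533:FTP Anonymous:/home/ftp:'

# make_passwd HASH OLD_CONTENT -> new file content on stdout.
# The root entry is written first with the fields the post uses (:0:1::/:);
# any existing root line is dropped so the file never carries two.
make_passwd() {
    hash=$1
    old=$2
    printf 'root:%s:0:1::/:\n' "$hash"
    printf '%s\n' "$old" | awk -F: 'NF > 0 && $1 != "root"'
}

# check_passwd CONTENT -> 0 if every non-empty line has the 7 colon-separated
# fields ONTAP expects, 1 otherwise (catches a truncated paste of the hash).
check_passwd() {
    printf '%s\n' "$1" | awk -F: '
        NF == 0 { next }
        NF != 7 { bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# root_hash_of CONTENT -> the hash stored on the root line (for verification
# against what "cifs passwd" printed).
root_hash_of() {
    printf '%s\n' "$1" | awk -F: '$1 == "root" { print $2 }'
}

# Usage: make_passwd "$HASH" "$(output of rdfile)" > newpasswd.txt, run
# check_passwd on it, then paste newpasswd.txt into wrfile /etc/passwd.
```

Run make_passwd with the real hash and the real rdfile output, confirm check_passwd passes and root_hash_of prints exactly the string cifs passwd gave you, and only then paste the result into wrfile.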

Now we can enable the FTP server on the NetApp. Execute options ftpd.enable on. FTP sends the root password and the file contents in clear text, so leave it enabled only for the duration of this work.

Create the key file on the ESX server
Now we need to create the key pair on the ESX server. Log in as root on the ESX server and execute ssh-keygen -t dsa (the key file used below is id_dsa.pub; des is a cipher, not a key type ssh-keygen accepts). Accept the default location and leave the passphrase empty so the shutdown script can use the key unattended. The private key /root/.ssh/id_dsa is then protected only by its file permissions, so keep it root-owned and mode 0600. Note that current OpenSSH releases disable DSA (ssh-dss) keys by default; on a newer client generate an RSA key instead and substitute id_rsa.pub below.
Enable the FTP client through the ESX firewall by executing esxcfg-firewall -e ftpClient.
FTP to the NetApp from the ESX server by executing ftp NetApp_IP_ADDR and log in as root with your new password (the unencrypted version). Create the root user's SSH directory with the FTP client's mkdir command: mkdir /etc/sshd/root/.ssh/ (this is the directory the NetApp's SSH server reads root's authorized_keys from). Then quit the FTP session.
Display the DSA public key so you can copy its contents: cat /root/.ssh/id_dsa.pub. Copy only the .pub file; the private key id_dsa never leaves the ESX server.

Create the authorized_keys file on the NetApp
Back on the NetApp console, create the trusted key file by executing wrfile /etc/sshd/root/.ssh/authorized_keys and paste the contents of the ESX id_dsa.pub (a single line) into the file. Press Control-C to exit wrfile.
Now that we are done with FTP, turn it off by executing options ftpd.enable off.
Log out by pressing Control-D (NetApp only allows one SSH connection at a time, so log out before testing).

Test the configuration
From the ESX server, execute the following to test:
ssh -c 3des-cbc root@NetApp_IP_ADDR help
This may ask you to trust the NetApp's host key; answer yes, and the fingerprint is stored in /root/.ssh/known_hosts, which an unattended script will rely on later. You should then see the NetApp help text without being asked for a password. If you are prompted for a password, the key was not accepted: check that authorized_keys holds the public key on one line. The -c option tells the ESX ssh client which cipher to use for the session; the ESX server and the NetApp do not agree on a default cipher, and 3des-cbc is one both sides support.
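An added example, not from the original post, of how the PowerChute script can use this login safely once the test above passes. BatchMode=yes makes ssh fail at once instead of prompting for a password, so a key that is no longer accepted produces an error the script can report rather than a hang during a power loss. The filer address placeholder, the ONTAP halt command (flags vary by release) and the SSH_BIN override used to exercise the logic without a filer are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check and filer
# shutdown for a PowerChute-style script once key authentication works.
# BatchMode=yes: never prompt for a password (or for an unknown host key),
# so a stale key fails fast instead of hanging the shutdown sequence.

NETAPP_HOST=${NETAPP_HOST:-NetApp_IP_ADDR}   # placeholder, set to your filer
SSH_BIN=${SSH_BIN:-ssh}   # overridable so the logic can be exercised offline

# netapp_ssh CMD... -> runs CMD on the filer non-interactively.
# -c 3des-cbc is the cipher both sides accept, as in the interactive test.
# Because BatchMode refuses hosts missing from known_hosts, accept the
# filer's host key once interactively (the "answer yes" step) beforehand.
netapp_ssh() {
    "$SSH_BIN" -o BatchMode=yes -o ConnectTimeout=10 -c 3des-cbc \
        "root@$NETAPP_HOST" "$@"
}

# key_auth_ok -> 0 if the key is accepted (the "help" test), 1 if not.
key_auth_ok() {
    netapp_ssh help >/dev/null 2>&1
}

# shutdown_filer -> halts the filer only after the key check passes.
# A failed check returns 2 so the caller can alert instead of assuming the
# filer went down cleanly.  "halt" is the assumed ONTAP shutdown command.
shutdown_filer() {
    if ! key_auth_ok; then
        echo "key authentication to $NETAPP_HOST failed; filer NOT halted" >&2
        return 2
    fi
    netapp_ssh halt
}

# Usage from the PowerChute script, after the VMs have been shut down:
#   shutdown_filer || logger -p user.crit "NetApp shutdown failed"
```

Call shutdown_filer after the VM shutdown step; a non-zero return means the filer was not halted and the key or known_hosts entry needs attention.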
