February 3rd, 2009

This is a must-do task if you want to securely script the NetApp or N-Series filers in any way. I never use RSH and don’t recommend using it either. Creating pre-shared keys is straightforward and should be a one-time operation anyway, so it doesn’t add much hassle but adds plenty of peace of mind. This is vital if you want to use any of the scripts I have listed in my blog pages.

Required software:

· putty

· plink

· puttygen

(I have no affiliation with the above, other software will work and do the job, but I find the above easiest and that’s what this page is written about.)

1) Enable SSH on the filer and generate the default keys (either the command line or FilerView works equally well)

2) Run puttygen and set the following settings

   a. Parameters: SSH-2 RSA

   b. Number of bits in generated key: 1024

3) Click Generate and do some disco moves with the mouse

4) Copy the contents of the “Public key for pasting into OpenSSH authorized_keys file” box to the clipboard.

5) Click “Save public key” and save the file as “

6) Click “Save private key” and save the file as “id_rsa.ppk”

7) Open up the filer’s c$ or etc$ share and create the folder structure “/etc/sshd/root/.ssh”. Use the Windows command line to create “.ssh”, as you won’t be able to from Windows Explorer. You may need to create the folder locally, then copy it across.

8) Create a text file “authorized_keys” (American spelling) and paste the previously copied contents into this file. Best use Wordpad, as Notepad can mess with the line breaks. If this file already exists, make sure to only append the new contents to this file or you’ll remove any already configured pre-shared keys.

9) The very first time you open an SSH session, you will always be asked to save the fingerprint; this is expected. After this has been saved, you shouldn’t be prompted for anything.

10) Test with plink:

   a. plink.exe root@filer_name -i "id_rsa.ppk" df -h

   b. Should output “df -h” from the filer; any command can be used, obviously

11) Test with putty:

   a. Session:

      i. Hostname: IP / hostname

      ii. Protocol: SSH

   b. Connection – Data:

      i. Auto-login username: root

   c. Connection – SSH:

      i. Preferred SSH Protocol Version: v2 only

   d. Connection – SSH – Auth:

      i. Browse to the “id_rsa.ppk” file we created earlier

   e. Save this session and test
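
Step 8 depends on the file holding one unbroken OpenSSH-format line per key with clean line breaks; the file written by PuTTYgen’s “Save public key” button uses a different multi-line format and is not what that step asks you to paste. The Python check below is an added example, not part of the original post: the function names and the sample entry are constructed for illustration, and it only inspects the text of the file before you copy it to the filer.

```python
import base64
import struct

# Fields per key blob: RSA = type, e, n; DSA = type, p, q, g, y.
FIELD_COUNT = {"ssh-rsa": 3, "ssh-dss": 5}

def blob_fields(blob: bytes) -> list[bytes]:
    """Split an SSH public-key blob into its length-prefixed fields."""
    out, pos = [], 0
    while pos < len(blob):
        (size,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if pos + size > len(blob):
            raise ValueError("field runs past end of blob")
        out.append(blob[pos:pos + size])
        pos += size
    return out

def check_authorized_keys(data: bytes) -> list[str]:
    """Return the problems found in authorized_keys content (empty list = OK)."""
    problems = []
    if b"\r" in data:
        problems.append("CR characters found: save with LF-only line endings")
    for n, raw in enumerate(data.replace(b"\r", b"").split(b"\n"), 1):
        line = raw.decode("ascii", "replace").strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith(("----", "Comment:")):
            problems.append(f"line {n}: SSH2 export format, not a one-line OpenSSH key")
            continue
        words = line.split()
        i = next((k for k, w in enumerate(words) if w in FIELD_COUNT), None)
        if i is None or i + 1 >= len(words):
            problems.append(f"line {n}: no 'type base64' pair (wrapped line?)")
            continue
        try:
            parts = blob_fields(base64.b64decode(words[i + 1], validate=True))
        except (ValueError, struct.error):
            problems.append(f"line {n}: key data truncated or not base64")
            continue
        if len(parts) != FIELD_COUNT[words[i]] or parts[0] != words[i].encode():
            problems.append(f"line {n}: blob does not match declared {words[i]}")
    return problems

def sample_entry() -> str:
    """Constructed ssh-rsa entry (filler modulus, not a usable key)."""
    fields = [b"ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\xff" * 128]
    blob = b"".join(struct.pack(">I", len(f)) + f for f in fields)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " rsa-key-sample"
```

Read the file in binary mode (`open(path, "rb").read()`) so that CR characters reach the check unchanged.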

As an additional note, filer commands can be daisy-chained together to reduce the number of SSH connections made in your scripts. So you could do something like…

plink.exe root@filer -i "id_rsa.ppk" "snap list; snap create vol0 snap1; snap create vol0 snap2; snap delete vol0 snap3"

Most of the above is from memory, so let me know if anything doesn’t work or is incorrect and I’ll update it.

  1. andy
    | #1

    cool post… thanks, I was looking for this

  2. | #2

    Great post :) Only thing I can see which is wrong is that DSA keys are required, not RSA.

  3. | #3

    I always get the 2 mixed up anyway! However for NetApp systems, I think you can actually use either DSA or RSA. The sysadmin guide simply states to create and configure both DSA and RSA!

  4. Gavin
    | #4

    Hi Chris, still getting asked for a password when using plink. I am using an AD account and once I enter the password the command runs, but the idea here is not to need entry of a password.

  5. Gavin
    | #5

    I am getting server refused our key so I presume I have done something wrong

  6. | #6

    Can you step through the process you’ve done so far?

  7. Bullet
    | #7

    @Chris Kranz
    Hi Chris
    I have stepped through exactly as you have written however I get from opening the PuTTY session
    Using username “root”.
    Server refused our key
    root@w.x.y.z’s password:

  8. Bullet
    | #8

    @Chris Kranz
    Sorry – pressed the enter button before I finished.
    plink gives the following
    C:\Program Files (x86)\PuTTY>plink root@w.x.y.z -i “c:\keys\id_rsa.ppk” df -g
    Server refused our key
    root@‘s password:

    rdfile /etc/sshd/root/.ssh/authorized_keys
    Comment: “rsa-key-20130214″


    Is there any way you can set the permissions of the .ssh directory and authorized_keys file as that is what is required in a UNIX system e.g. chmod 600

    There are other posts that describe a potential fix but I have worked through these without success. e.g.

  9. NetApp
    | #9

    To add the keys to the filer you can also use powershell nowadays:
    Connect-NaController <> -Credential root
    New-NaDirectory -Path “/vol/vol0/etc/sshd/root” -Permission 755
    New-NaDirectory -Path “/vol/vol0/etc/sshd/egranneman-a/.ssh” -Permission 755
    Write-NaFile -Path “/vol/vol0/etc/sshd/egranneman-a/.ssh/authorized_keys” -Data “<>”

    this will create the files and insert the key into the authorized_keys file.


This site is not affiliated or sponsored in anyway by NetApp or any other company mentioned within.