July 22nd, 2009

Rather than write this up myself all over again, I’m going to steal some content from another IT pro, Scott Lowe. Use this in conjunction with my other details on setting this up from Windows and Linux to have almost complete automation of a lot of daily admin tasks.

Directly from:

By default, the SSH configuration on VMware ESX Server only supports AES encryption types (specifically, AES-256 and AES-128).  If you need SSH connectivity from ESX Server to a NetApp storage system running Data ONTAP, you’ll need to modify this to support 3DES.

This kind of connectivity would be necessary if you were interested in running scripts on ESX Server that connected to the NetApp storage system via SSH to run commands (for example, to initiate a snapshot via the command line).  This arrangement is described in this document from NetApp.

To modify the ciphers supported by ESX Server, edit the /etc/ssh/ssh_config file and change this line:

Ciphers aes256-cbc,aes128-cbc

Instead, it should look like this:

Ciphers aes256-cbc,aes128-cbc,3des-cbc

This will enable SSH connections from ESX Server to find a compatible cipher with the SSH daemon running in Data ONTAP.  Note that we change the SSH configuration on ESX Server because, as far as I know, the ciphers supported by the SSH daemon in Data ONTAP are not configurable by the user.

Note that you’ll also need to enable SSH traffic through the ESX firewall:

esxcfg-firewall -e sshClient

And, of course, you’ll need to configure and enable SSH access on the Network Appliance storage system itself using the “secureadmin” command in Data ONTAP:

secureadmin setup ssh
secureadmin enable ssh2

Once SSH is reconfigured on ESX Server and configured/enabled in Data ONTAP, then using SSH to run commands remotely from ESX Server to the NetApp storage system should work without any problems. 

To automate this on the NetApp side without requiring a password, you need to place the public key in a specific per-user folder on the filer, i.e. \\filer\etc$\sshd\root\.ssh\authorized_keys, and make sure you append to this file for each new key you add rather than overwriting it.

To make it a bit more secure, you can use a user other than root and set up RBAC to limit what commands can actually be run with this SSH pre-shared key scripting style.
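The two file edits above (adding 3des-cbc to the Ciphers line and appending a key to authorized_keys) are easy to get wrong in a script: a stray ">" instead of ">>" wipes every other key, and a blind append duplicates keys on each run. The following is an added example, not from the original post or from VMware/NetApp, of doing both idempotently; file paths are passed in as arguments (the real ones are /etc/ssh/ssh_config on ESX and the authorized_keys file on the filer's etc$ share).

```shell
#!/bin/sh
# Added example: idempotent helpers for the two edits described in the post.

# add_cipher CONFIG CIPHER
# Appends CIPHER to the existing "Ciphers" line of CONFIG unless it is already
# listed (matched as a whole comma-separated token, so "aes128-cbc" does not
# satisfy a check for "3des-cbc"). Adds a Ciphers line if none exists.
add_cipher() {
    cfg="$1"; cipher="$2"
    if grep -q "^Ciphers " "$cfg"; then
        if grep "^Ciphers " "$cfg" | sed 's/^Ciphers //' | tr ',' '\n' \
            | grep -qxF "$cipher"; then
            return 0                      # already present, nothing to do
        fi
        sed "s/^\(Ciphers .*\)$/\1,$cipher/" "$cfg" > "$cfg.tmp" \
            && mv "$cfg.tmp" "$cfg"
    else
        echo "Ciphers $cipher" >> "$cfg"
    fi
}

# list_ciphers CONFIG: print the comma-separated cipher list for inspection
list_ciphers() {
    sed -n 's/^Ciphers //p' "$1"
}

# add_key AUTHKEYS PUBKEY_FILE
# Appends the single-line public key in PUBKEY_FILE to AUTHKEYS unless the same
# key material (type + base64 blob, comment ignored) is already there.
# Only ever appends (>>), so existing keys for other hosts are never truncated.
add_key() {
    auth="$1"; keyfile="$2"
    keydata=$(head -n 1 "$keyfile" | awk '{print $1" "$2}')
    [ -n "$keydata" ] || return 1
    touch "$auth"
    if awk '{print $1" "$2}' "$auth" | grep -qxF "$keydata"; then
        return 0                          # key already authorized
    fi
    head -n 1 "$keyfile" >> "$auth"
}
```

Run add_cipher against a copy of ssh_config first and diff it, and only then against the live file; the same goes for authorized_keys on the filer.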

I use this a hell of a lot, and have a couple of pages on configuring pre-shared key authentication from Windows and Linux to NetApp boxes. The NetApp systems are great to script this way!
