By default, the SSH configuration on VMware ESX Server only supports AES encryption types (specifically, AES-256 and AES-128). If you need SSH connectivity from ESX Server to a Network Appliance storage system running Data ONTAP, you’ll need to modify this to support 3DES.
This kind of connectivity would be necessary if you were interested in running scripts on ESX Server that connected to the NetApp storage system via SSH to run commands (for example, to initiate a snapshot via the command line). This arrangement is described in this document from NetApp.
To modify the ciphers supported by ESX Server, edit the /etc/ssh/ssh_config file and change this line:
Ciphers aes256-cbc,aes128-cbc
Instead, it should look like this:
Ciphers aes256-cbc,aes128-cbc,3des-cbc
This allows the SSH client on ESX Server to negotiate a cipher that the SSH daemon running in Data ONTAP also supports. Note that we change the SSH configuration on ESX Server because, as far as I know, the ciphers supported by the SSH daemon in Data ONTAP are not configurable by the user.
Note that you’ll also need to enable SSH traffic through the ESX firewall:
esxcfg-firewall -e sshClient
And, of course, you’ll need to configure and enable SSH access on the Network Appliance storage system itself using the “secureadmin” command in Data ONTAP:
secureadmin setup ssh
secureadmin enable ssh2
Once SSH is reconfigured on ESX Server and configured/enabled in Data ONTAP, using SSH to run commands remotely from ESX Server to the NetApp storage system should work without any problems. For complete automation, you’ll also want to set up SSH shared keys, but I’ll save those details for a future article.
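The ssh_config edit above adds 3des-cbc for every destination the ESX host talks to. The following is an added example (not code from the original post) that scopes the weaker cipher to the NetApp host only, and it also shows the two ssh_config rules that make a naive edit silently ineffective: OpenSSH uses the first value it obtains, and a Host line opens a stanza that runs until the next Host line. The host name “netapp” and the config path in the demo are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): scope the 3des-cbc fallback to the
# NetApp host instead of relaxing the cipher list for every SSH destination.
# The host name "netapp" and the config path used in the demo are assumptions.

# Print the Ciphers value OpenSSH would use for HOST. Two rules matter here:
# the first value obtained wins, and a "Host" line opens a stanza that lasts
# until the next "Host" line. Only exact names and "*" are matched (no globs).
effective_ciphers() {
    config="$1"; host="$2"
    awk -v h="$host" '
        BEGIN { applies = 1 }                     # lines before any Host are global
        /^[Hh]ost[ \t]/ { applies = ($2 == h || $2 == "*"); next }
        /^[ \t]*[Cc]iphers[ \t]/ && applies && !found { print $2; found = 1 }
    ' "$config"
}

# Allow CIPHER for HOST only. Because the first value wins, the stanza is
# prepended, and "Host *" is placed after it so the original global lines
# keep applying to every other destination. Safe to run repeatedly.
add_host_cipher() {
    config="$1"; host="$2"; cipher="$3"
    current=$(effective_ciphers "$config" "$host")
    case ",$current," in *",$cipher,"*) return 0 ;; esac   # already allowed
    if [ -n "$current" ]; then new="$current,$cipher"; else new="$cipher"; fi
    tmp="$config.tmp"
    {
        printf 'Host %s\n    Ciphers %s\n\nHost *\n' "$host" "$new"
        cat "$config"
    } > "$tmp" && mv "$tmp" "$config"
}

# Demo on a constructed copy of the ESX default Ciphers line from the post.
demo() {
    dir=$(mktemp -d)
    printf 'Ciphers aes256-cbc,aes128-cbc\n' > "$dir/ssh_config"
    add_host_cipher "$dir/ssh_config" netapp 3des-cbc
    echo "netapp: $(effective_ciphers "$dir/ssh_config" netapp)"
    echo "other:  $(effective_ciphers "$dir/ssh_config" otherhost)"
    rm -rf "$dir"
}
demo
```

To apply it to the real file, call add_host_cipher with /etc/ssh/ssh_config and the storage system’s host name; other hosts keep the AES-only list.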
Tags: ESX, Interoperability, NetApp, ONTAP, SSH, Virtualization, VMware
-
For complete automation, you’ll also want to setup SSH shared keys as well, but I’ll save those details for a future article.
Did you already write this article? I’m having trouble configuring the keys in the authorized_keys.
Thanks, and regards,
Remco -
if you mount the NetApp’s vol0 somewhere you can probably view/modify the sshd_config … it’s probably stored in /etc along with /etc/exports and other interesting config files. As for key-based auth setup, that’s just a matter of generating keys somewhere, putting the private key on the ESX host (say, /root/.ssh/id_dsa.netapp) and the public key in, say, /vol/vol0/authorized_keys on the NetApp (not sure of exact location, haven’t set this up yet myself). Make sure permissions are good and then ssh from the ESX host with “ssh -i /root/.ssh/id_dsa.netapp root@netapp”
/sf
-
To generate public/private keys use:
ssh-keygen -t dsa
Then copy the id_dsa.pub to \filer\etc$\sshd\.ssh\authorized_keys
(authorized_keys is a file.) You can log in from ESX to the filer without a password.
-
To automate this on the NetApp side you actually need to place it into a specific user folder, so \\filer\etc$\sshd\root\.ssh\authorized_keys, and make sure you append to this file with each new key you need to add.
To make it a bit more secure, you can use a user other than root and setup RBAC to limit what commands can actually be run with this SSH pre-shared key scripting style.
I use this a hell of a lot, and have a couple of pages on configured pre-shared authentication from Windows and Linux to NetApp boxes. The NetApp systems are great to script this way!