Sun Microsystems, Inc.  Sun System Handbook - ISO 3.4 June 2011 Internal/Partner Edition

Asset ID: 1-71-1005127.1
Update Date:2010-08-05

Solution Type  Technical Instruction Sure

Solution  1005127.1 :   Sun Storagetek[TM] 5000 Series NAS: How to Configure a 5210/5310 for secure shell (ssh) connectivity  


Related Items
  • Sun Storage 5210 NAS Appliance
  • Sun Storage 5310 NAS Appliance
  • Sun Storage 5310 NAS Gateway System
Related Categories
  • GCS>Sun Microsystems>Storage - Disk>Network Attached Storage

Previously Published As
207205


Description
The purpose of this document is to provide the steps necessary to configure the Sun Storagetek[TM] 5210/5310 NAS for Secure Shell (ssh) connectivity.

Steps to Follow

Secure Shell (ssh) is a program for logging into a remote machine and for executing commands on a remote machine. It is intended to replace rlogin and rsh, and to provide secure encrypted communications between two untrusted hosts over an insecure network.

ssh connects and logs into the specified hostname. The user must prove his or her identity to the remote machine before being allowed to log in.
At first, the client attempts to authenticate using the public key method. If this method fails, password authentication is tried.

CONFIGURATION

SSH Key Generation

If the user has been previously configured for ssh, the public keys are located in the /.ssh directory, in the files id_rsa.pub and/or id_dsa.pub.
The public key can be transferred to the 5210/5310 as detailed below.
If the /.ssh directory or the id_*.pub files do not exist, this user has not yet configured ssh.
To configure ssh (and generate the keys), the user must run the following Solaris program:
/bin/ssh-keygen
This program asks for the directory location for the key files and whether a passphrase will be required when using ssh to log into a remote host. The dialog below is an example of an ssh-keygen run.
# /bin/ssh-keygen
Enter file in which to save the key (/.ssh/id_rsa):
Generating public/private rsa key pair.
Enter passphrase(empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /.ssh/id_rsa.
Your public key has been saved in /.ssh/id_rsa.pub.
The key fingerprint is:
md5 1024 f7:00:fd:f6:ae:65:3b:65:91:fa:82:fe:38:1b:14:24 @

In the above example, the default key file was left unchanged and no passphrase was supplied. If a passphrase is desired, it can be entered when running ssh-keygen, but do not change the default key file.
Now that the key files exist in /.ssh, they can be transferred to the 5210/5310. In order to transfer the key file, ftp must be enabled on the NAS unit.

Enable FTP on the 5210/5310

Telnet to the 5210/5310 and launch the command line menu. Press the spacebar until "FTP Configuration" is visible under the extensions column.
Enter the letter preceding the "FTP Configuration" selection.
Choose 1 to "Edit Fields".
"Enable FTP" must be set to "Yes".
At a minimum, you must set "Allow admin access" to "Yes".

(The other fields are optional)

Save the configuration changes by entering 7

Propagation of key to 5210/5310

Now that FTP is enabled on the 5210/5310, the public key created above must be sent to the 5210/5310 and placed in the /dvol/etc directory under the name ssh2auth.key.
The FTP session is established with admin as the username for login. If your admin user is password protected, you will have to enter the password as well.
The steps to perform the ftp transfer are shown below:

NOTE: for this example, 5310NAS is used as the hostname and the userid is assumed to be user.

# ftp 5310NAS
Connected to 5310NAS.
220-Local time is now 09:49 and the system load is 0%.
220 You will be disconnected after 900 seconds of inactivity.
Name (129.148.10.229:user): admin
331 Admin login OK. Password required.
Password:
230-User admin logged in.
230 Current directory is /
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ascii
200 TYPE is now ASCII
ftp> cd /dvol/etc
250 Changed to /dvol/etc
ftp> lcd /home/user/.ssh
Local directory now /home/user/.ssh
ftp> put id_rsa.pub ssh2auth.key
200 PORT command successful
150 Opening data connection with 129.148.196.112:52749
226 Transfer complete.
local: id_rsa.pub remote: ssh2auth.key
224 bytes sent in 0.00059 seconds (372.66 Kbytes/s)
ftp> quit
221-Goodbye. You uploaded 224 and downloaded 0 bytes.
221 CPU time spent on you: 0.000 seconds.

Things to keep in mind here: the ftp transfer is done in ASCII mode, you must cd to the /dvol/etc directory on the 5210/5310, and the local file id_rsa.pub is renamed to ssh2auth.key during the ftp transfer.
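
A pre-upload check for the transfer above, as an added example that is not part of the original Sun document: id_rsa.pub sits in the same directory as the private key id_rsa, so the check confirms that the file about to be sent as ssh2auth.key is a one-line public key whose type matches its encoded blob. The function names check_pubkey and make_samples and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): check the file that will
# be uploaded as /dvol/etc/ssh2auth.key. check_pubkey is a made-up name.
# Returns 0 = public key, 1 = private key material, 2 = malformed.
check_pubkey() {
    f=$1
    [ -r "$f" ] || return 2
    # id_rsa sits next to id_rsa.pub; its PEM armor line gives it away.
    if grep -q 'PRIVATE KEY' "$f"; then
        return 1
    fi
    # A public key file holds exactly one non-empty line.
    lines=$(grep -c . "$f" || true)
    [ "$lines" -eq 1 ] || return 2
    # Field 1 is the key type, field 2 the base64 blob. The blob begins
    # with the encoded type name, so the two must agree.
    awk '
        $1 == "ssh-rsa" { want = "AAAAB3NzaC1yc2E" }
        $1 == "ssh-dss" { want = "AAAAB3NzaC1kc3M" }
        want != "" && index($2, want) == 1 && $2 ~ "^[A-Za-z0-9+/]+=*$" { ok = 1 }
        END { exit !ok }
    ' "$f" || return 2
    return 0
}

# Constructed sample files (not real keys) to exercise the check.
make_samples() {
    d=$1
    echo 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAsampleONLYnotAkey user@host' \
        > "$d/id_rsa.pub"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'c2FtcGxl' \
        '-----END RSA PRIVATE KEY-----' > "$d/id_rsa"
    # Type field says RSA but the blob is labelled DSA: rejected.
    echo 'ssh-rsa AAAAB3NzaC1kc3MAAACBsample user@host' > "$d/mismatch.pub"
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for name in id_rsa.pub id_rsa mismatch.pub; do
    rc=0
    check_pubkey "$demo_dir/$name" || rc=$?
    echo "$name: check_pubkey returned $rc"
done
rm -rf "$demo_dir"
```
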

Enable ssh on the 5210/5310

Now that the key file is located on the 5210/5310, ssh must be enabled.
This is done either from a telnet session to the 5210/5310 by entering the following command on the admin command line:

netserv enable ssh public

or by logging into the GUI and making the following selections:
System Operations
Set Remote Access
Check the ssh box
Push the Apply button
You can now use ssh from the Solaris host to connect to the 5210/5310.

If you supplied a passphrase to the ssh-keygen program, you will be prompted for it at login time. If no passphrase was specified, ssh will establish a command line session with the 5210/5310.

Product
Sun StorageTek 5310 NAS Gateway System
Sun StorageTek 5310 NAS Appliance
Sun StorageTek 5210 NAS Appliance

5210, 5310, nas, ssh, configuration, ssh2auth.key
Previously Published As
83144

Change History
Date: 2005-11-09
User Name: 25440
Action: Approved
Comment: Audience changed to contract per FvF http://kmo.central/howto/FvF.html
Put official product name in title. Publishing.
Version: 3
Date: 2005-11-09

Attachments
This solution has no attachment
  Copyright © 2011 Sun Microsystems, Inc.  All rights reserved.