Tuesday, August 2, 2016

Remotely SSH into Data Domain Without Entering A Password - Client Side Scripting



This method uses a private/public key pair to allow remote login without entering a password. The key pair is generated on the client; the private key stays on the client and the public key is stored on the Data Domain. Login from the client to the Data Domain is then authenticated using the private key.

Use Case: Client side scripting. I would like to check capacity daily on the Data Domain with a script and write the output to a file.

SETUP
Client name and version: Linux (CentOS), linuxsrv1
Data Domain name and version: DDOS 5.7, dd3

Create private/public key pair on the client

[root@linuxsrv1 ~]# ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa): press enter
Enter passphrase (empty for no passphrase): press enter
Enter same passphrase again: press enter
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
OUTPUT OMITTED

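Note: Pressing Enter at the passphrase prompts stores the private key unencrypted on the local filesystem, so anyone who can read /root/.ssh/id_dsa can log in to the Data Domain as the account the public key is added to.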

[root@linuxsrv1 ~]# ls .ssh
id_dsa  id_dsa.pub  id_rsa  id_rsa.pub  known_hosts

Display the public key and copy it. You will paste it into the Data Domain in the next step.
[root@linuxsrv1 ~]# cat .ssh/id_dsa.pub
OUTPUT OMITTED

Add public key to the Data Domain

From your client, SSH into the Data Domain, enter your password, and accept the host key prompt if this is the first connection. Run the command below and paste the public key (it starts with ssh-dss), making sure no extra spaces are introduced.

sysadmin@dd3# adminaccess add ssh-keys
Enter the key and then press Control-D, or press Control-C to cancel.
OUTPUT OMITTED
SSH key accepted.


Once added, you can verify the key by displaying it with this command:

sysadmin@dd3# adminaccess show ssh-keys
OUTPUT OMITTED
sysadmin@dd3#  exit


Verify no password login

From the client, verify that the login requires no password:

[root@linuxsrv1 ~]# ssh sysadmin@dd3.payneb.com
Data Domain OS
Last login: Tue Jul 26 09:08:19 CDT 2016 from linuxsrv1.payneb.com on pts/1
Welcome to Data Domain OS 5.7.0.10-518172
-----------------------------------------
sysadmin@dd3#


From my Linux client I am now able to run DDOS commands and schedule them via cron without a password.

[root@linuxsrv1 ~]# ssh sysadmin@dd3.payneb.com 'filesys show space'
Data Domain OS
Active Tier:
Resource           Size GiB    Used GiB   Avail GiB   Use%   Cleanable GiB*
----------------   --------   ---------   ---------   ----   --------------
/data: pre-comp           -   1369449.4           -      -                -
/data: post-comp   173224.4     98201.9     75022.5    57%           6753.2
/ddvar                 29.5         5.9        22.1    21%                -
/ddvar/core            31.5         0.2        29.7     1%                -
----------------   --------   ---------   ---------   ----   --------------
 * Estimated based on last cleaning of 2016/07/22 20:12:45.
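
One way to script the daily capacity check from the use case, as an added example that is not the author's script: it runs the same 'filesys show space' command non-interactively, appends the output to a file, and reports through its exit status when post-comp usage crosses a threshold. The log path, threshold, function names and the --run/--selftest switches are assumptions; the host and key path are the ones used above.

```shell
#!/bin/bash
# Added example, not from the original post. LOG, THRESHOLD and the function
# names are assumptions; host and key path are the ones used in the post.
DD_TARGET="${DD_TARGET:-sysadmin@dd3.payneb.com}"
KEY="${KEY:-/root/.ssh/id_dsa}"
LOG="${LOG:-/var/log/dd_space.log}"     # assumed output file
THRESHOLD="${THRESHOLD:-80}"            # assumed alert level, percent used

# Sample input taken from the 'filesys show space' output shown in the post.
SAMPLE='Resource           Size GiB    Used GiB   Avail GiB   Use%
/data: pre-comp           -   1369449.4           -      -
/data: post-comp   173224.4     98201.9     75022.5    57%
/ddvar                 29.5         5.9        22.1    21%'

# BatchMode=yes makes ssh fail instead of prompting for a password, so a cron
# job cannot hang if the key is later removed from the Data Domain.
dd_show_space() {
    ssh -i "$KEY" -o BatchMode=yes -o ConnectTimeout=15 \
        "$DD_TARGET" 'filesys show space'
}

# stdin: 'filesys show space' output; stdout: post-comp Use% as an integer.
postcomp_use_pct() {
    awk '/^\/data: post-comp/ {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[0-9]+%$/) { sub(/%/, "", $i); print $i; exit }
    }'
}

# Append a timestamped copy of stdin to $LOG.
# Returns 0 below threshold, 1 at or above it, 2 if no Use% was found
# (for example because ssh failed and produced no output).
record_space() {
    local out pct
    out="$(cat)"
    { date '+%F %T'; printf '%s\n' "$out"; } >> "$LOG" || return 2
    pct="$(printf '%s\n' "$out" | postcomp_use_pct)"
    [ -n "$pct" ] || return 2
    [ "$pct" -lt "$THRESHOLD" ] || return 1
}

case "${1:-}" in
    --run)      dd_show_space | record_space ;;               # from cron
    --selftest) printf '%s\n' "$SAMPLE" | LOG=/dev/null record_space ;;
esac
```

A crontab entry such as `0 6 * * * /root/dd_space.sh --run` (the script path is hypothetical) would run it daily. Because the private key has no passphrase, keep it readable by root only.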

1 comment:

  1. Excellent - just gave me the right info to get myself set up. I had previously 'given up' trying to configure this as you can only add SSH keys to local accounts on the DD.
    Did not occur to me to add the ssh key to a local user on the DD, and just update my script to ssh as that local user. Problem? Solved
