Saturday, 28 January 2012

NetApp Data ONTAP 8.1 Enabling SFTP Access to /etc

Continuing from a fresh setup of the Data ONTAP 8.1 Simulator, the following post goes through the steps to enable SFTP access to /etc without having NFS or CIFS licensed or enabled. We will then use WinSCP to connect to /vol/vol0 and browse the /etc folder.

1) Connect to the CLI using the root login
2) From the CLI run the following 5 commands:

options sftp.enable on
options sftp.auth_style unix
options security.admin.authentication nsswitch
wrfile -a /etc/passwd sftpuser:_J9..IMv76dJgB/sqpf.:0:1::/:
wrfile -a /etc/group daemon:*:1:

The 5 lines above –
i: Enables sftp
ii: Sets the sftp authentication style to unix
iii: Sets the security admin authentication to nsswitch
iv: Creates the passwd file with a user sftpuser with password cifs*123 (the string "_J9..IMv76dJgB/sqpf." is generated using the cifs passwd cifs*123 command – see Appendix below.)
v: Creates the group file
*Note that wrfile -a appends to a file; if the file does not exist yet, it will be created.

3) Use WinSCP to connect with the following details:

Host name: {DNS Name or IP Address of your filer}
User name: sftpuser
Password: cifs*123
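As an added example (it is not part of the original post and not NetApp tooling), the following Python script parses the /etc/passwd line, the /etc/group line and the three options lines from step 2 and reports what they grant before they are written with wrfile -a. The field layouts and option names are taken from the post; the check for nsswitch without internal is based only on what the fourth comment below reports; the function names and finding codes are the script's own.

```python
# Added example (not from the post, not NetApp tooling): audit the hand-written
# /etc/passwd and /etc/group lines and the `options` settings the post applies,
# so a reviewer sees what they grant before running wrfile -a on a filer.
# Only the 7-field passwd and 4-field group layouts used in the post are handled.

# Sample input, copied from the post's step 2 commands.
PASSWD_LINE = "sftpuser:_J9..IMv76dJgB/sqpf.:0:1::/:"
GROUP_LINE = "daemon:*:1:"
OPTIONS_LINES = [
    "options sftp.enable on",
    "options sftp.auth_style unix",
    "options security.admin.authentication nsswitch",
]


def parse_passwd(line):
    """Split one passwd(5)-style line into its seven fields."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError(f"expected 7 colon-separated fields, got {len(fields)}: {line!r}")
    name, password, uid, gid, gecos, home, shell = fields
    return {"name": name, "password": password, "uid": int(uid), "gid": int(gid),
            "gecos": gecos, "home": home, "shell": shell}


def parse_group(line):
    """Split one group(5)-style line into its four fields."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 4:
        raise ValueError(f"expected 4 colon-separated fields, got {len(fields)}: {line!r}")
    name, password, gid, members = fields
    return {"name": name, "password": password, "gid": int(gid),
            "members": [m for m in members.split(",") if m]}


def parse_options(lines):
    """Turn 'options <name> <value>' lines into a dict; anything else is ignored."""
    opts = {}
    for line in lines:
        parts = line.split()
        if len(parts) == 3 and parts[0] == "options":
            opts[parts[1]] = parts[2]
    return opts


def audit(passwd_line, group_lines, options_lines):
    """Return a list of (code, message) findings for the proposed configuration."""
    findings = []
    user = parse_passwd(passwd_line)
    groups = {g["gid"]: g for g in map(parse_group, group_lines)}
    opts = parse_options(options_lines)

    if user["uid"] == 0:
        findings.append(("uid0", f"{user['name']} has UID 0, so SFTP sessions run with root identity"))
    if user["gid"] not in groups:
        findings.append(("gid-missing", f"GID {user['gid']} has no matching /etc/group entry"))
    if user["home"] == "/":
        findings.append(("home-root", f"{user['name']} has home '/', so it is not confined to a subdirectory"))
    if user["password"] in ("", "*", "!"):
        findings.append(("pw-unusable", "password field is empty or locked; password login will fail"))

    # Assumption taken from comment 4 on the post: 'nsswitch' on its own locks local
    # users other than root out of ssh and the console. Not verified here.
    auth = opts.get("security.admin.authentication", "")
    methods = [m for m in auth.split(",") if m]
    if "nsswitch" in methods and "internal" not in methods:
        findings.append(("auth-no-internal",
                         "security.admin.authentication lists nsswitch without internal"))
    if opts.get("sftp.enable") == "on" and opts.get("sftp.auth_style") != "unix":
        findings.append(("auth-style", "sftp is enabled but sftp.auth_style is not 'unix', "
                                       "the style the post relies on for the /etc/passwd entry"))
    return findings


if __name__ == "__main__":
    for code, message in audit(PASSWD_LINE, [GROUP_LINE], OPTIONS_LINES):
        print(f"[{code}] {message}")
```

Run against the post's own lines it reports three findings: the account has UID 0, its home is the root directory, and the authentication option names nsswitch alone. Changing the UID, home and option value clears all three, which is a quick way to confirm a revised set of lines before appending them.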

Fig. 1: WinSCP Login
And we are in!

Fig. 2: /vol/vol0 folder
Appendix: Notes on cifs passwd

The cifs passwd command – used to obtain a correctly formatted password – must be run with CIFS enabled. To temporarily license and enable CIFS, obtain the correctly formatted password, and then disable CIFS and delete the license, run through the following commands:

FILER> license add DZDACHD #cifs
*The above license code works with the 8.1 SIM (for more 8.1 vsim licenses see: http://now.netapp.com/NOW/download/tools/simulator/ontap/8.1/vsim_licenses_810.txt )
FILER> cifs setup
Do you want to make the system visible via WINS? [n]: n
Selection (1-2)? [1]: 2    (Multiprotocol filer)
Would you like to change this name? [n]: n
Selection (1-4)? [1]: 4    (/etc/passwd and/or NIS/LDAP authentication)
What is the name of the Workgroup? [WORKGROUP]: WORKGROUP
FILER> cifs passwd cifs*123
*Record the output from here and feel free to change the cifs*123 password!
FILER> cifs terminate
FILER> license delete cifs


SEO: The contents of this article may help if you are getting the following error(s) –
[sftp.connection.request.failed:error]: SFTP (SSH File Transfer Protocol) connection request from client system failed because the user is not permitted to do SFTP (SSH File Transfer Protocol) operations
[sshd_2:error]: error: Disconnecting: SFTP connection creation failed

4 comments:

  1. I ran into a problem in that the sftpuser doesn't seem to have a homedir or has the wrong permissions to access any files?

    Error message from server: Permission denied
    Request code: 16

  2. Great article!! It helped me a lot. Thank you.

  3. Helped me as well.
    Thanks.

  4. One fairly massive problem is that if you set "options security.admin.authentication nsswitch", then none of your local users will be able to log in via ssh or the console (except root).
    It should really read "options security.admin.authentication nsswitch,internal".
    This has taken me a couple of hours to realise and fix; fortunately no-one noticed that I'd broken it.
