How to Set Up Plink for (clustered) ONTAP


1) Download plink.exe, pscp.exe, putty.exe, puttygen.exe from:

Image: plink.exe and associated downloads

2) Place the files in your C:\Windows folder

Image: plink.exe and associated files in C:\Windows

Note: This allows us to run the binaries from any path in DOS or PowerShell. Any path that’s specified in System Properties > Advanced > Environment Variables > System variables > Path would do. If corporate restrictions on your system prevent you from using C:\Windows, or modifying the System Path, you will need to make adjustments to the content in this post.

3) A quick test from DOS (or PowerShell) :\>

plink -ssh -x -a -l admin -pw PASSWORD CLUSTER_NAME_IP "version"


Note: If you have not connected over SSH from the workstation to CLUSTER before, this connection will fail because the cluster's RSA2 key has not been cached on the workstation. Make an initial connection with PuTTY and then try again.

4) Run puttygen to generate a public/private key pair.

i) Ensure ‘Type of key to generate’ is set to SSH-2 RSA and ‘number of bits in a generated key’ is 1024.

ii) Click Generate

Image: PuTTY Key Generator

Note: If you don’t set bits to 1024, you could get “Failed to generate Fingerprint for the publickey.”

iii) Leave the passphrase blank and save the private key to C:\Windows as something like puttygen_20150618_priv_key.ppk

iv) Leave PuTTY Key Generator open for now (or you can save the public key), since we’ll need to copy and paste that into (clustered) ONTAP

5) Create a login in (c.) ONTAP ::>

security login create -username USERNAME -application ssh -authmethod publickey -role admin

{Replace USERNAME}

6) Create a login publickey in (c.) ONTAP ::>

security login publickey create -username USERNAME -index 1 -publickey "<-copy-and-paste-here-the-public-key-from-earlier->"


CLU01::> security login publickey create -username ADMINPK -index 1 -publickey "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAs6xBkTG/zukvKrPMqdC5JW7KWiw46vlOBZYOQiJDqqOa7T6YYGnqzUsKjOrLLp5O3X5H0BkTHv5C2LEvcb49y3o3IYDvs/g361tXvRNl18FI9T5sIQFd8NEcebei9UK0NTi7wzRbpYGSQYvqgYv9Yzs+mKP/ibxZUJcEqC1iRl8= rsa-key-20150618"

7) Test it works :\>

plink -ssh -x -a -l USERNAME CLUSTER_NAME_IP -i c:\windows\puttygen_20150618_priv_key.ppk "version"


C:\>plink -ssh -x -a -l ADMINPK -i c:\windows\puttygen_20150618_priv_key.ppk "version"
NetApp Release 8.2.2P1 Cluster-Mode: Wed Oct 08 05:09:35 PDT 2014

Now you can make batch files - or something else ;-) - and run your Clustershell commands non-interactively over SSH!

Note: I use the -x and -a switches above, but it will work fine without them.
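
A PowerShell wrapper for the step 7 command, as an added example that is not part of the original post. It uses only switches listed in the Plink help output in the appendix (-batch, -hostkey, -i), so an unattended run fails instead of waiting on a prompt, and it warns when the passphrase-less key from step 4 is readable by broad groups. The function name, the group names (English-language Windows) and the fingerprint placeholder are assumptions.

```powershell
# Added example: function name, group names and sample values are assumptions.
function Invoke-OntapCommand {
    param(
        [Parameter(Mandatory)] [string] $Cluster,   # cluster name or management IP
        [Parameter(Mandatory)] [string] $UserName,  # publickey login created in step 5
        [Parameter(Mandatory)] [string] $KeyFile,   # .ppk private key saved in step 4
        [Parameter(Mandatory)] [string] $HostKey,   # host key fingerprint, plink's aa:bb:cc:... form
        [Parameter(Mandatory)] [string] $Command    # Clustershell command, e.g. version
    )

    if (-not (Test-Path -LiteralPath $KeyFile -PathType Leaf)) {
        throw "Private key not found: $KeyFile"
    }

    # The key has no passphrase, so the file ACL is its only protection.
    # Group names below are the English ones; adjust for localized systems.
    $broad = 'BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users'
    $loose = (Get-Acl -LiteralPath $KeyFile).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broad -contains $_.IdentityReference.Value
    }
    if ($loose) {
        $who = ($loose | ForEach-Object { $_.IdentityReference.Value } |
                Select-Object -Unique) -join ', '
        Write-Warning "$KeyFile can be read by: $who"
    }

    # -batch   : no interactive prompts, so an unknown host key aborts the run
    # -hostkey : accept only the expected cluster host key
    $plinkArgs = @('-ssh', '-batch', '-x', '-a',
                   '-hostkey', $HostKey,
                   '-l', $UserName, '-i', $KeyFile,
                   $Cluster, $Command)

    $output = & plink.exe @plinkArgs
    if ($LASTEXITCODE -ne 0) {
        throw "plink exited with code $LASTEXITCODE running '$Command' on $Cluster"
    }
    return $output
}

# Usage (fingerprint is a placeholder; substitute the cluster's real one):
# Invoke-OntapCommand -Cluster 'CLUSTER_NAME_IP' -UserName 'USERNAME' `
#     -KeyFile 'C:\Windows\puttygen_20150618_priv_key.ppk' `
#     -HostKey 'aa:bb:cc:...' -Command 'version'
```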

APPENDIX: Plink Switches (Plink Help Output)

Plink: command-line connection utility
Release 0.64

Usage: plink [options] [user@]host [command]
       ("host" can also be a PuTTY saved session name)


-V        print version information and exit
-pgpfp    print PGP key fingerprints and exit
-v        show verbose messages
-load sessname  Load settings from saved session
-ssh -telnet -rlogin -raw -serial
    force use of a particular protocol
-P port   connect to specified port
-l user   connect with specified username
-batch    disable all interactive prompts
-sercfg configuration-string (e.g. 19200,8,n,1,X)
    Specify the serial configuration (serial only)

The following options only apply to SSH connections:

-pw passw login with specified password
-D [listen-IP:]listen-port
    Dynamic SOCKS-based port forwarding
-L [listen-IP:]listen-port:host:port
    Forward local port to remote address
-R [listen-IP:]listen-port:host:port
    Forward remote port to local address
-X -x     enable / disable X11 forwarding
-A -a     enable / disable agent forwarding
-t -T     enable / disable pty allocation
-1 -2     force use of particular protocol version
-4 -6     force use of IPv4 or IPv6
-C        enable compression
-i key    private key file for user authentication
-noagent  disable use of Pageant
-agent    enable use of Pageant
-hostkey aa:bb:cc:...
    manually specify a host key (may be repeated)
-m file   read remote command(s) from file
-s        remote command is an SSH subsystem (SSH-2 only)
-N        don't start a shell/command (SSH-2 only)
-nc host:port
    open tunnel in place of session (SSH-2 only)