How to Remotely Administer ZFS With Secure Shell

By default, the root role cannot log in remotely with Secure Shell. Historically, root has used Secure Shell for important tasks, such as sending ZFS pool data to storage on a remote system. In this procedure, the root role creates a user who can act as a remote ZFS administrator.

Before You Begin

You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.2 .

1. Create the user on the both systems.

   For example, create the zfsroot user and provide a password.

   source # useradd -c "Remote ZFS Administrator" -u 1201 -d /home/zfsroot zfsroot
   source # passwd zfsroot
   Enter password:
   Retype password:
   #

   dest # useradd -c "Remote ZFS Administrator" -u 1201 -d /home/zfsroot zfsroot
   dest # passwd zfsroot
   ...

   The zfsroot user must be identically defined on both systems.

2. Create the user's key pair for Secure Shell authentication.

   The key pair is created on the source system. Then, the public key is copied to the zfsroot user on the destination system.

   1. Generate the key pair and put it in the file id_migrate.

      # ssh-keygen -t rsa -P "" -f ~/id_migrate
      Generating public/private rsa key pair.
      Your identification has been saved in /root/id_migrate.
      Your public key has been saved in /root/id_migrate.pub.
      The key fingerprint is:
      3c:7f:40:ef:ec:63:95:b9:23:a2:72:d5:ea:d1:61:f0 root@source

   2. Send the public part of the key pair to the destination system.

      # scp ~/id_migrate.pub zfsroot@dest:
      The authenticity of host 'dest (10.134.76.126)' can't be established.
      RSA key fingerprint is 44:37:ab:4e:b7:2f:2f:b8:5f:98:9d:e9:ed:6d:46:80.
      Are you sure you want to continue connecting (yes/no)? yes
      Warning: Permanently added 'dest,10.134.76.126' (RSA) to the list of known hosts.
      Password:
      id_migrate.pub 100% |*****************************| 399 00:00

3. On both systems, assign the ZFS File Management rights profile to zfsroot.

   source # usermod -P +'ZFS File System Management' -S files zfsroot
   dest # usermod -P +'ZFS File System Management' -S files zfsroot

4. Verify that the destination system is assigned the rights profile.

   dest # profiles zfsroot
   zfsroot:
   ZFS File System Management
   Basic Solaris User
   All

5. On the destination system, move the public part of the key pair to the private /home/zfsroot/.ssh directory.

   root@dest # su - zfsroot
   Oracle Corporation      SunOS 5.11      11.1    May 2012
   zfsroot@dest $ mkdir -m 700 .ssh
   zfsroot@dest $ cat id_migrate.pub >> .ssh/authorized_keys

6. Verify that the configuration works.

   root@source# ssh -l zfsroot -i ~/id_migrate dest \
   pfexec /usr/sbin/zfs snapshot zones@test
   root@source# ssh -l zfsroot -i ~/id_migrate dest \
   pfexec /usr/sbin/zfs destroy zones@test

7. (Optional) Verify that you can create a snapshot and replicate the data.

   root@source# zfs snapshot -r rpool/zones@migrate-all
   root@source#  zfs send -rc rpool/zones@migrate-all | \
   ssh -l zfsroot -i ~/id_migrate dest pfexec /usr/sbin/zfs recv -F zones

8. (Optional) Remove the ability to use the zfsroot account for ZFS administration.

   root@dest# usermod -P -'ZFS File System Management' zfsroot
   root@dest#  su - zfsroot
   zfsroot@dest#  cp .ssh/authorized_keys .ssh/authorized_keys.bak
   zfsroot@dest#  grep -v root@source .ssh/authorized_keys.bak> .ssh/authorized_keys