Go to main content

Managing Secure Shell Access in Oracle® Solaris 11.3

Exit Print View

Updated: June 2019
 
 

How to Remotely Administer ZFS With Secure Shell

By default, the root role cannot log in remotely with Secure Shell. Historically, root has used Secure Shell for important tasks, such as sending ZFS pool data to storage on a remote system. In this procedure, the root role creates a user who can act as a remote ZFS administrator.

Before You Begin

You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.

  1. Create the user on both systems.

    For example, create the zfsroot user and provide a password.

    source # useradd -c "Remote ZFS Administrator" -u 1201 -d /home/zfsroot zfsroot
    source # passwd zfsroot
    New Password: password
    Re-enter new password: password
    passwd: password successfully changed for zfsroot
    #
    dest # useradd -c "Remote ZFS Administrator" -u 1201 -d /home/zfsroot zfsroot
    dest # passwd zfsroot
    ...

    The zfsroot user must be identically defined on both systems.

  2. On both systems, assign the ZFS File Management rights profile to zfsroot.
    source # usermod -P +'ZFS File System Management' -S files zfsroot
    dest # usermod -P +'ZFS File System Management' -S files zfsroot
  3. Verify that zfsroot on the destination system is assigned the rights profile.
    dest # profiles zfsroot
    zfsroot:
    ZFS File System Management
    Basic Solaris User
    All
  4. Create the user's key pair for Secure Shell authentication.

    The key pair is created on the source system. Then, the public key is copied to the zfsroot user on the destination system.

    1. Generate the key pair and put it in the file id_migrate.
      # ssh-keygen -t rsa -P "" -f ~/id_migrate
      Generating public/private rsa key pair.
      Your identification has been saved in /root/id_migrate.
      Your public key has been saved in /root/id_migrate.pub.
      The key fingerprint is:
      SHA256:BLNj0v9...izsQ cpltester@Local
      The key's randomart image is:
      +---[RSA 2048]----+
      |      o       .=B|
      ...
    2. Send the public part of the key pair to the destination system.
      # scp ~/id_migrate.pub zfsroot@dest:
      The authenticity of host 'dest (192.0.2.126)' can't be established.
      RSA key fingerprint is 44:37:ab:4e:b7:2f:2f:b8:5f:98:9d:e9:ed:6d:46:80.
      Are you sure you want to continue connecting (yes/no)? yes
      Warning: Permanently added 'dest,192.0.2.126' (RSA) to the list of known hosts.
      Password:
      id_migrate.pub 100% |*****************************| 399 00:00
  5. On the destination system, move the public part of the key pair to the private /home/zfsroot/.ssh directory.
    root@dest # su - zfsroot
    Oracle Corporation      SunOS 5.11      11.1    May 2012
    zfsroot@dest $ mkdir -m 700 .ssh
    zfsroot@dest $ cat id_migrate.pub >> .ssh/authorized_keys
  6. Verify that the configuration works.
    root@source# ssh -l zfsroot -i ~/id_migrate dest \
    pfexec /usr/sbin/zfs snapshot zones@test
    root@source# ssh -l zfsroot -i ~/id_migrate dest \
    pfexec /usr/sbin/zfs destroy zones@test
  7. (Optional) Verify that you can create a snapshot and replicate the data.
    root@source# zfs snapshot -r rpool/zones@migrate-all
    root@source#  zfs send -rc rpool/zones@migrate-all | \
    ssh -l zfsroot -i ~/id_migrate dest pfexec /usr/sbin/zfs recv -F zones
  8. (Optional) Remove the ability to use the zfsroot account for ZFS administration.
    root@dest# usermod -P -'ZFS File System Management' zfsroot
    root@dest#  su - zfsroot
    zfsroot@dest#  cp .ssh/authorized_keys .ssh/authorized_keys.bak
    zfsroot@dest#  grep -v root@source .ssh/authorized_keys.bak> .ssh/authorized_keys