By default, the root role cannot log in remotely with Secure Shell. Historically, root has used Secure Shell for important tasks, such as sending ZFS pool data to storage on a remote system. In this procedure, the root role creates a user who can act as a remote ZFS administrator.
Before You Begin
You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.
For example, create the zfsroot user and provide a password.
source # useradd -c "Remote ZFS Administrator" -u 1201 -d /home/zfsroot zfsroot
source # passwd zfsroot
New Password: password
Re-enter new password: password
passwd: password successfully changed for zfsroot
#

dest # useradd -c "Remote ZFS Administrator" -u 1201 -d /home/zfsroot zfsroot
dest # passwd zfsroot
...
The zfsroot user must be identically defined on both systems.
source # usermod -P +'ZFS File System Management' -S files zfsroot
dest # usermod -P +'ZFS File System Management' -S files zfsroot

dest # profiles zfsroot
zfsroot:
          ZFS File System Management
          Basic Solaris User
          All
The key pair is created on the source system. Then, the public key is copied to the zfsroot user on the destination system.
# ssh-keygen -t rsa -P "" -f ~/id_migrate
Generating public/private rsa key pair.
Your identification has been saved in /root/id_migrate.
Your public key has been saved in /root/id_migrate.pub.
The key fingerprint is:
SHA256:BLNj0v9...izsQ cpltester@Local
The key's randomart image is:
+---[RSA 2048]----+
| o .=B|
...

# scp ~/id_migrate.pub zfsroot@dest:
The authenticity of host 'dest (192.0.2.126)' can't be established.
RSA key fingerprint is 44:37:ab:4e:b7:2f:2f:b8:5f:98:9d:e9:ed:6d:46:80.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'dest,192.0.2.126' (RSA) to the list of known hosts.
Password:
id_migrate.pub 100% |*****************************| 399 00:00

root@dest # su - zfsroot
Oracle Corporation SunOS 5.11 11.1 May 2012
zfsroot@dest $ mkdir -m 700 .ssh
zfsroot@dest $ cat id_migrate.pub >> .ssh/authorized_keys

root@source# ssh -l zfsroot -i ~/id_migrate dest \
pfexec /usr/sbin/zfs snapshot zones@test
root@source# ssh -l zfsroot -i ~/id_migrate dest \
pfexec /usr/sbin/zfs destroy zones@test

root@source# zfs snapshot -r rpool/zones@migrate-all
root@source# zfs send -rc rpool/zones@migrate-all | \
ssh -l zfsroot -i ~/id_migrate dest pfexec /usr/sbin/zfs recv -F zones

root@dest# usermod -P -'ZFS File System Management' zfsroot
root@dest# su - zfsroot
zfsroot@dest# cp .ssh/authorized_keys .ssh/authorized_keys.bak
zfsroot@dest# grep -v root@source .ssh/authorized_keys.bak > .ssh/authorized_keys
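
The final grep -v command selects the entry by its trailing comment, so it removes the key only when that comment contains root@source. The following added example (not part of the original procedure) removes an entry by matching the base64 key blob from the .pub file instead. The names remove_pubkey and demo are hypothetical, and the key blobs are constructed placeholders.

```shell
#!/bin/sh
# Added example. remove_pubkey and demo are hypothetical helper names.
# Usage: remove_pubkey <public-key-file> <authorized_keys-file>
# Prints the number of entries removed; returns 1 if the key was not found.
remove_pubkey() {
    pub=$1 auth=$2
    [ -r "$pub" ] && [ -w "$auth" ] || return 2
    # A .pub file is "<type> <base64-blob> [comment]"; field 2 identifies the key.
    blob=$(awk 'NF >= 2 { print $2; exit }' "$pub")
    [ -n "$blob" ] || return 2
    # Entries may begin with options, so compare every field with the blob.
    removed=$(awk -v blob="$blob" '
        { for (i = 1; i <= NF; i++) if ($i == blob) { n++; break } }
        END { print n + 0 }' "$auth")
    if [ "$removed" -eq 0 ]; then echo 0; return 1; fi
    tmp="$auth.new.$$"
    ( umask 077    # the rewritten file must stay private to the account
      awk -v blob="$blob" '
        { for (i = 1; i <= NF; i++) if ($i == blob) next; print }' "$auth" > "$tmp"
    ) || { rm -f "$tmp"; return 2; }
    # Keep a backup, as the procedure does, then swap in the filtered file.
    cp -p "$auth" "$auth.bak" && mv "$tmp" "$auth" || return 2
    echo "$removed"
}

# Constructed sample data: the blobs are placeholders, not real keys.
demo() {
    dir=$(mktemp -d) || return 2
    echo 'ssh-rsa AAAAconstructedMIGRATEblob cpltester@Local' > "$dir/id_migrate.pub"
    cat > "$dir/authorized_keys" <<'EOF'
ssh-rsa AAAAconstructedOTHERblob admin@laptop
from="source" ssh-rsa AAAAconstructedMIGRATEblob cpltester@Local
EOF
    remove_pubkey "$dir/id_migrate.pub" "$dir/authorized_keys"
    cat "$dir/authorized_keys"
    rm -rf "$dir"
}
```

A return status of 1 means the key was not in the file, in which case the file is left unchanged and no backup is written.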