I want to work with our DBAs to put our Oracle instances in Hot Standby to grab snapshots. Anybody got a script they use that utilizes SSH to run the snap command on a filer?
Thanks
-Rob
Quoting message received from Robert Borowicz:
I want to work with our DBAs to put our Oracle instances in Hot Standby to grab snapshots. Anybody got a script they use that utilizes SSH to run the snap command on a filer?
http://www.netapp.com/tech_library/3130.html
show it to your DBAs and replace rsh with ssh.
Can anyone on this list confirm whether ssh can be used in place of rsh (after purchasing SecureAdmin of course), without requiring the use of a password? It appears to be the case, based on the existence of the options "ssh.pubkey_auth.enable" as well as "ssh.passwd_auth.enable" on my DOT 6.4.5 systems. I'd just like to make sure before buying the SecureAdmin software because I'd rather not bother if I have to stuff the password into an expect script somewhere.
Date: Wed, 27 Oct 2004 21:07:52 +0200 From: Stefan Funke bundy@arcor-ip.de To: Robert Borowicz rbaus@swbell.net Cc: Netapp toasters@mathworks.com Subject: Re: ssh scripts
http://www.netapp.com/tech_library/3130.html
show it to your DBAs and replace rsh with ssh.
You need to create a proper directory structure in your filers' /etc first to access it via ssh without a password:
Create /etc/sshd/<username>/.ssh/authorized_keys and paste the public key of the accessing host in that file. <username> has to be the user on the remote host that is used to transmit the ssh command. I did not find a way to make SecureAdmin or ONTAP create that file automatically yet...
With the option "ssh.pubkey_auth.enable" activated, the user now authenticates without a password.
Thorsten
Brian Parent bparent@calvin.ucsd.edu@mathworks.com on 28.10.2004 01:07:57
Sent by: owner-toasters@mathworks.com
To: Netapp toasters@mathworks.com cc: Subject: Re: ssh scripts
Can anyone on this list confirm whether ssh can be used in place of rsh (after purchasing SecureAdmin of course), without requiring the use of a password? It appears to be the case, based on the existence of the options "ssh.pubkey_auth.enable" as well as "ssh.passwd_auth.enable" on my DOT 6.4.5 systems. I'd just like to make sure before buying the SecureAdmin software because I'd rather not bother if I have to stuff the password into an expect script somewhere.
COMPUTACENTER (UK) LTD
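The DBA-side script that Rob asked for and Thorsten's filer-side setup fit together as follows. This is an added example written for this page; it is not the TR-3130 script and not code anyone posted in the thread. It assumes the filer has /etc/sshd/<user>/.ssh/authorized_keys holding the DB host's public key with ssh.pubkey_auth.enable turned on, sqlplus with OS authentication on the DB host, and the host, user, key path, volume and snapshot names below are placeholders.

```python
"""Oracle hot-backup snapshot driven from the DB host over key-based ssh.

Added example, not the TR-3130 script and not code posted in this thread.
Assumes the filer side is set up as described above (authorized_keys under
/etc/sshd/<user>/.ssh/ on the filer, ssh.pubkey_auth.enable on) and that
sqlplus with OS authentication (sqlplus / as sysdba) works on the DB host.
Host, user, key, volume and snapshot names are placeholders.
"""
import datetime
import re
import subprocess
from typing import Callable, List, Optional

FILER = "filer1.example.com"                 # assumed filer host name
FILER_USER = "oracle"                        # user whose /etc/sshd/oracle/.ssh/authorized_keys holds our key
KEY_FILE = "/home/oracle/.ssh/id_dsa_filer"  # passphrase-less key used only for this job
VOLUME = "oradata"                           # assumed volume holding the datafiles

# A runner takes argv plus stdin text.  Injectable so the whole sequence can
# be exercised without a database or a filer in reach.
Runner = Callable[[List[str], str], object]

SNAPNAME = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def run_checked(argv: List[str], stdin_text: str = "") -> subprocess.CompletedProcess:
    """Run argv, feeding stdin_text, and raise if it exits non-zero."""
    return subprocess.run(argv, input=stdin_text, text=True,
                          capture_output=True, check=True)


def filer_ssh_argv(command: str, filer: str = FILER, user: str = FILER_USER,
                   key: str = KEY_FILE) -> List[str]:
    """argv for one ONTAP command on the filer over ssh.

    BatchMode=yes makes ssh fail instead of prompting for a password, so a
    missing or rejected key surfaces as an error rather than a hung cron job.
    StrictHostKeyChecking=yes refuses an unknown or changed host key, which is
    what stops this job from handing its session to a spoofed filer.
    """
    return ["ssh", "-i", key, "-o", "BatchMode=yes",
            "-o", "StrictHostKeyChecking=yes", f"{user}@{filer}", command]


def sqlplus_argv() -> List[str]:
    """argv for a silent SYSDBA sqlplus session; the SQL arrives on stdin."""
    return ["sqlplus", "-S", "/", "as", "sysdba"]


def snapshot_name(prefix: str = "hot", now: Optional[datetime.datetime] = None) -> str:
    """Timestamped snapshot name, e.g. hot.20041028-010000."""
    now = now or datetime.datetime.now()
    return f"{prefix}.{now:%Y%m%d-%H%M%S}"


def hot_backup_snapshot(snapname: str, run: Runner = run_checked,
                        volume: str = VOLUME) -> List[List[str]]:
    """BEGIN BACKUP, snapshot the volume, END BACKUP; return every argv issued.

    The snapshot name is validated before anything runs: it is interpolated
    into a command line that the filer's ssh server hands to its command
    interpreter, so an unchecked name is an injection point into the filer.
    END BACKUP and a log switch sit in a finally block so a failed ssh hop
    never leaves the database in backup mode, where it keeps writing
    whole-block redo until it stalls.
    """
    if not SNAPNAME.match(snapname):
        raise ValueError(f"bad snapshot name: {snapname!r}")
    issued: List[List[str]] = []

    def do(argv: List[str], stdin_text: str = "") -> None:
        issued.append(argv)
        run(argv, stdin_text)

    def sql(statement: str) -> None:
        # WHENEVER SQLERROR turns an Oracle error into a non-zero exit status.
        do(sqlplus_argv(), f"WHENEVER SQLERROR EXIT FAILURE;\n{statement};\nEXIT;\n")

    sql("ALTER DATABASE BEGIN BACKUP")          # Oracle 10g+; 9i needs BEGIN BACKUP per tablespace
    try:
        do(filer_ssh_argv(f"snap create {volume} {snapname}"))
    finally:
        sql("ALTER DATABASE END BACKUP")
        sql("ALTER SYSTEM ARCHIVE LOG CURRENT")  # archive the redo spanning the backup window
    return issued


if __name__ == "__main__":
    for argv in hot_backup_snapshot(snapshot_name()):
        print(" ".join(argv))
```

Returning the list of commands actually issued makes the job auditable from a cron log, and injecting the runner lets the failure path (ssh refused, key rejected) be rehearsed before the key is ever installed on the filer.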
We didn't purchase Secure Admin, but I got around that by writing a little client/server app that's bound to a no-password DSA keypair. The server portion limits what actions can be requested by the clients. This way our DB servers can still initiate snapmirror requests, etc -- without using insecure rsh.
I guess this is as good a time as any to express my disappointment with NetApp's policy of charging extra money to be able to use ssh. I think that providing a secure remote management capability (ssh) by default should be part of the core offering.
On Wed, 27 Oct 2004, Brian Parent wrote:
Can anyone on this list confirm whether ssh can be used in place of rsh (after purchasing SecureAdmin of course), without requiring the use of a password? It appears to be the case, based on the existence of the options "ssh.pubkey_auth.enable" as well as "ssh.passwd_auth.enable" on my DOT 6.4.5 systems. I'd just like to make sure before buying the SecureAdmin software because I'd rather not bother if I have to stuff the password into an expect script somewhere.
avarni@cj.com wrote:
<cut>
I guess this is as good a time as any to express my disappointment with NetApp's policy of charging extra money to be able to use ssh. I think that providing a secure remote management capability (ssh) by default should be part of the core offering.
I second this thought about ssh. I was floored when we purchased our NetApp a few years back and I was told I had to use telnet. It's the only telnet open in our organization. I'm surprised they don't make us use the ed text editor too. It really should be bundled as part of the core OS. After all, NetApp gets ssh for free with the underlying BSD used to power these boxes.
-Tracy
I too am disappointed that NetApp doesn't include ssh as part of the core offering, especially in today's security conscious environment.
I'd like to understand more about your client/server app. I've often been frustrated by the inability to write/compile/run my own code on a NetApp.
Where is your server running, on your NetApp? What language is it in? How did you compile it? How do you run it?
If it's not running on your NetApp, how does your server make the connection to the NetApp without using rsh, and without using SecureAdmin?
Date: Thu, 28 Oct 2004 11:28:33 -0700 (PDT) From: avarni@cj.com To: Brian Parent bparent@calvin.ucsd.edu Cc: Netapp toasters@mathworks.com Subject: Re: ssh scripts
We didn't purchase Secure Admin, but I got around that by writing a little client/server app that's bound to a no-password DSA keypair. The server portion limits what actions can be requested by the clients. This way our DB servers can still initiate snapmirror requests, etc -- without using insecure rsh.
I guess this is as good a time as any to express my disappointment with NetApp's policy of charging extra money to be able to use ssh. I think that providing a secure remote management capability (ssh) by default should be part of the core offering.
bparent@calvin.ucsd.edu (Brian Parent) writes:
I too am disappointed that NetApp doesn't include ssh as part of the core offering, especially in today's security conscious environment.
Looking at the documentation on 7.0RC1, it seems that NetApp have indeed bundled the SecureAdmin function into the core system in that release.
Chris Thompson Email: cet1@cam.ac.uk
On Thu, 28 Oct 2004 20:43:38 +0100 (BST) Chris Thompson wrote:
bparent@calvin.ucsd.edu (Brian Parent) writes:
I too am disappointed that NetApp doesn't include ssh as part of the core offering, especially in today's security conscious environment.
Looking at the documentation on 7.0RC1, it seems that NetApp have indeed bundled the SecureAdmin function into the core system in that release.
Someone using 7.0RC1 in a production environment?
bundy@arcor-ip.de (Stefan Funke) writes:
On Thu, 28 Oct 2004 20:43:38 +0100 (BST) Chris Thompson wrote:
[...]
Looking at the documentation on 7.0RC1, it seems that NetApp have indeed bundled the SecureAdmin function into the core system in that release.
Someone using 7.0RC1 in a production environment?
It would be reckless in the extreme to run it in a production environment!
If I had a spare filer I would certainly be playing with it, though. Well, we have a couple of F740s that we are decommissioning, but sadly it seems that 7.0RC1 doesn't support filers that old.
But the documentation at, e.g.
http://now.netapp.com/knowledge/docs/ontap/rel70rc/pdfs/ontap/notesrc1.pdf
makes very interesting reading.
Chris Thompson Email: cet1@cam.ac.uk
Quoting message received from Chris Thompson:
It would be reckless in the extreme to run it in a production environment!
Of course - but the same applies to 6.5.1R1 - we ran into several bugs with it and had a few downtimes. And for real: Who has one or more filers to play with new releases?
But the documentation at, e.g.
http://now.netapp.com/knowledge/docs/ontap/rel70rc/pdfs/ontap/notesrc1.pdf
makes very interesting reading.
Ack.
i have an F520 that i could use to play with 7.x ;-)
-- michael
Stefan Funke wrote on Friday, 29 October 2004:
Of course - but the same applies to 6.5.1R1 - we ended in several bugs with it and had a few downtimes. And for real: Who has one or more filers to play with new releases?
But the documentation at, e.g.
http://now.netapp.com/knowledge/docs/ontap/rel70rc/pdfs/ontap/notesrc1.pdf
makes very interesting reading.
We run a separate management network. I put the on-board ethernet interface on this network. We have a highly secured management server sitting on this network, which is the only one that's allowed rsh/telnet access to the filer.
The goal of this was to give our database servers the ability to trigger snapmirror resyncs, without giving them the ability to do everything else.
The fact that rsh relies on the source IP address for authentication, coupled with the fact that rsh runs over UDP -- means that even if you grant a single host access to your filer, other hosts on that same network can enjoy the same level of access without much effort.
No code is running on the filer. I just wrote a very basic client/server type that runs over ssh using no-password dsa keys. The client, running on the DB servers, connects to the server process running on the management server, to communicate the request.
It's part of a bigger system I wrote to facilitate automated inter-host command execution / data transfer without requiring full account equivalency (all too common).
This complicates the process, which somewhat reduces reliability -- but we had spent considerable time hardening our internal production environment. I couldn't just extend a trust relationship to all our DB servers that would allow an attacker who compromised one of them the ability to take control of our filers, which in our case is one of the most critical systems we employ.
It's written in python, and somewhat specific to our environment.
The playbook most attackers follow is very simple: (1) Gain access to a system, (2) leverage that access and any trust relationships discovered to penetrate deeper into the network. Minimizing trust relationships is critical in designing secure, distributed systems.
On Thu, 28 Oct 2004, Brian Parent wrote:
I too am disappointed that NetApp doesn't include ssh as part of the core offering, especially in today's security conscious environment.
I'd like to understand more about your client/server app. I've often been frustrated by the inability to write/compile/run my own code on a NetApp.
Where is your server running, on your NetApp? What language is it in? How did you compile it? How do you run it?
If it's not running on your NetApp, how does your server make the connection to the NetApp without using rsh, and without using SecureAdmin?
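The broker pattern described above (DB servers talk only to a management host, which limits what they may ask for and alone holds filer access) can be built on top of sshd's forced-command mechanism. The block below is an added example written for this page in that spirit; it is not the poster's code and nothing NetApp ships. It assumes the management host pins each DB server's key to the broker in its authorized_keys with a line like the hypothetical one in the docstring, that the management host reaches the filer with its own key as in Thorsten's note (or with rsh, as in the thread), and that the host, volume, user and path names are placeholders.

```python
"""Allowlisting command broker for a management host, run as an ssh forced command.

Added example in the spirit of the client/server app described above; it is
neither that code nor anything NetApp ships.  DB servers never hold filer
credentials.  Each holds a key that the management host pins to this script
in its authorized_keys (hypothetical line, key material elided):

  command="/usr/local/bin/filer-broker db01",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-dss AAAA... oracle@db01

sshd then runs the broker instead of whatever the client asked for, with the
client's request in SSH_ORIGINAL_COMMAND.  The broker matches that request
against a per-client allowlist and, only on a match, issues the fixed ONTAP
command to the filer with the management host's own credentials.
Host, volume, user and path names are placeholders.
"""
import os
import re
import subprocess
import sys
from typing import Dict, List, Optional, Tuple

FILER = "filer1.example.com"               # assumed filer
FILER_USER = "root"                        # pre-7.0 ONTAP: every useradmin user is effectively root anyway
KEY_FILE = "/var/lib/filer-broker/id_dsa"  # management host's key, readable only by the broker's uid

# Per-client allowlist: client id (argv[1] from authorized_keys) -> (action, target).
# Targets are fixed strings, so a compromised DB server can only snapshot or
# resync the volume it already owns; it cannot aim the operation elsewhere.
POLICY: Dict[str, List[Tuple[str, str]]] = {
    "db01": [("snap create", "oradata_db01"),
             ("snapmirror update", "filer2:oradata_db01_mirror")],
    "db02": [("snap create", "oradata_db02")],
}

NAME = re.compile(r"^[A-Za-z0-9._-]{1,64}$")   # acceptable snapshot names


def parse_request(client: str, original: str,
                  policy: Dict[str, List[Tuple[str, str]]] = POLICY) -> Optional[str]:
    """Return the exact ONTAP command to run if `original` is allowed for
    `client`, else None.

    The request is tokenised and rebuilt from policy constants rather than
    forwarded as received, so shell metacharacters, extra arguments, a
    different volume or an unknown verb all fail closed.
    """
    words = original.strip().split()
    for action, target in policy.get(client, []):
        verb = action.split()
        if words[:len(verb)] != verb:
            continue
        rest = words[len(verb):]
        if action == "snap create":
            # client asks: snap create <vol> <snapname>
            if len(rest) == 2 and rest[0] == target and NAME.match(rest[1]):
                return f"snap create {target} {rest[1]}"
        elif action == "snapmirror update":
            # client asks: snapmirror update <destination>
            if rest == [target]:
                return f"snapmirror update {target}"
    return None


def filer_argv(command: str) -> List[str]:
    """argv to run one ONTAP command from the management host over ssh.

    Where the management host is instead the single rsh-permitted host, as in
    the thread, the equivalent is ["rsh", FILER, "-l", FILER_USER, command].
    """
    return ["ssh", "-i", KEY_FILE, "-o", "BatchMode=yes",
            "-o", "StrictHostKeyChecking=yes", f"{FILER_USER}@{FILER}", command]


def main(argv: List[str] = sys.argv) -> int:
    client = argv[1] if len(argv) > 1 else ""
    original = os.environ.get("SSH_ORIGINAL_COMMAND", "")
    command = parse_request(client, original)
    if command is None:
        # Denials are worth logging: each is either a bug or an intrusion attempt.
        print(f"filer-broker: denied {client!r}: {original!r}", file=sys.stderr)
        return 2
    print(f"filer-broker: {client} -> {command}", file=sys.stderr)
    return subprocess.run(filer_argv(command)).returncode


if __name__ == "__main__":
    sys.exit(main())
```

From a DB server the client side is then just `ssh -i ~/.ssh/id_dsa broker@mgmt 'snap create oradata_db01 nightly'`; anything outside the policy for that key is refused before the management host opens a session to the filer, which is the property the thread is after: a compromised DB server gains one fixed operation on one volume, not a root shell on the filer.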
avarni@cj.com writes:
[... much sensible stuff about rsh ...]
The fact that rsh relies on the source IP address for authentication, coupled with the fact that rsh runs over UDP
Gone over the top there! rsh uses TCP to port 514.
No code is running on the filer. I just wrote a very basic client/server type that runs over ssh using no-password dsa keys. The client, running on the DB servers, connect to the server process running on the management server, to communicate the request.
One of the goodies described in the 7.0RC1 documentation is a whole bunch of security controls over which useradmin-defined users can do what (unlike the previous "they are all root except for the name" state). And as said before, ssh/ssl support is bundled in. It will be interesting to see whether that's going to be sufficient to make locally-developed workarounds like yours (and I am sure there are lots of them around) wither away, or not.
Chris Thompson Email: cet1@cam.ac.uk
Aahh... it is, thanks for the correction. It doesn't really change anything in our case though since it's still very easy to spoof a tcp connection when you have access to the local network (which in our case would be a very common situation in our threat models).
I had read about the role based authentication a while ago, but forgotten about it. Can't wait till it's GA!
I actually haven't read the specifics about it. Hopefully you can assign a role using ssh dsa/rsa keys as an authenticator (or other such auth system that doesn't authenticate in the clear or suffer from MiTM, replay attacks, etc).
Are there lots of other people doing things like this out there? :)
On Tue, 2 Nov 2004, Chris Thompson wrote:
Gone over the top there! rsh uses TCP to port 514.
One of the goodies described in the 7.0RC1 documentation is a whole bunch of security controls over which useradmin-defined users can do what (unlike the previous "they are all root except for the name" state). And as said before, ssh/ssl support is bundled in. It will be interesting to see whether that's going to be sufficient to make locally-developed workarounds like yours (and I am sure there are lots of them around) wither away, or not.