Enable SSH on BES-53248 cluster switches
If you are using the Ethernet Switch Health Monitor (CSHM) and log collection features, you must generate the SSH keys and then enable SSH on the cluster switches.
1. Verify that SSH is disabled:

       show ip ssh

   Example:

       (switch)# show ip ssh
       SSH Configuration
       Administrative Mode: .......................... Disabled
       SSH Port: ..................................... 22
       Protocol Level: ............................... Version 2
       SSH Sessions Currently Active: ................ 0
       Max SSH Sessions Allowed: ..................... 5
       SSH Timeout (mins): ........................... 5
       Keys Present: ................................. DSA(1024) RSA(1024) ECDSA(521)
       Key Generation In Progress: ................... None
       SSH Public Key Authentication Mode: ........... Disabled
       SCP server Administrative Mode: ............... Disabled

2. If SSH is not disabled, disable it as follows:

       no ip ssh server enable
       no ip scp server enable

   Note:
   - For EFOS 3.12 and later, console access is required, because active SSH sessions are lost when SSH is disabled.
   - For EFOS 3.11 and earlier, current SSH sessions are kept open after the SSH server is disabled.

   Make sure that you disable SSH before you modify the keys; otherwise, a warning is reported on the switch.

3. In config mode, generate the SSH keys:

       crypto key generate

   Example:

       (switch)# config
       (switch) (Config)# crypto key generate rsa
       Do you want to overwrite the existing RSA keys? (y/n): y
       (switch) (Config)# crypto key generate dsa
       Do you want to overwrite the existing DSA keys? (y/n): y
       (switch) (Config)# crypto key generate ecdsa 521
       Do you want to overwrite the existing ECDSA keys? (y/n): y

4. In config mode, set AAA authorization for ONTAP log collection:

       aaa authorization commands "noCmdAuthList" none

   Example:

       (switch) (Config)# aaa authorization commands "noCmdAuthList" none
       (switch) (Config)# exit

5. Re-enable SSH/SCP:

   Example:

       (switch)# ip ssh server enable
       (switch)# ip scp server enable
       (switch)# ip ssh pubkey-auth

6. Save these changes to the startup-config:

       write memory

   Example:

       (switch)# write memory
       This operation may take a few minutes.
       Management interfaces will not be available during this time.
       Are you sure you want to save? (y/n) y
       Config file 'startup-config' created successfully.
       Configuration Saved!

7. Encrypt the SSH keys (FIPS mode only):

   In FIPS mode, the keys must be encrypted with a passphrase; if no encrypted key is present, the SSH application fails to start. The keys are created and encrypted with the following commands:

   Example:

       (switch)# configure
       (switch) (Config)# crypto key encrypt write rsa passphrase <passphrase>
       The key will be encrypted and saved on NVRAM. This will result in saving all existing configuration also.
       Do you want to continue? (y/n): y
       Config file 'startup-config' created successfully.
       (switch) (Config)# crypto key encrypt write dsa passphrase <passphrase>
       The key will be encrypted and saved on NVRAM. This will result in saving all existing configuration also.
       Do you want to continue? (y/n): y
       Config file 'startup-config' created successfully.
       (switch) (Config)# crypto key encrypt write ecdsa passphrase <passphrase>
       The key will be encrypted and saved on NVRAM. This will result in saving all existing configuration also.
       Do you want to continue? (y/n): y
       Config file 'startup-config' created successfully.
       (switch) (Config)# end
       (switch)# write memory
       This operation may take a few minutes.
       Management interfaces will not be available during this time.
       Are you sure you want to save? (y/n) y
       Config file 'startup-config' created successfully.
       Configuration Saved!

8. Reboot the switch:

       reload

9. Verify that SSH is enabled:

       show ip ssh

   Example:

       (switch)# show ip ssh
       SSH Configuration
       Administrative Mode: .......................... Enabled
       SSH Port: ..................................... 22
       Protocol Level: ............................... Version 2
       SSH Sessions Currently Active: ................ 0
       Max SSH Sessions Allowed: ..................... 5
       SSH Timeout (mins): ........................... 5
       Keys Present: ................................. DSA(1024) RSA(1024) ECDSA(521)
       Key Generation In Progress: ................... None
       SSH Public Key Authentication Mode: ........... Enabled
       SCP server Administrative Mode: ............... Enabled
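The two verification steps (SSH disabled before the key change, SSH enabled afterwards) are checked by eye above. The following Python script is an added example, not part of the NetApp procedure or the EFOS software: it parses the dotted-leader `show ip ssh` output into fields and checks the post-procedure state that CSHM and log collection depend on (SSH, public-key authentication and SCP all Enabled, protocol version 2, no key generation in progress, all three key types present). The sample outputs are constructed from the two listings on this page; the function names and the 2048-bit RSA threshold are assumptions (a local policy choice, since 1024-bit RSA is below current key-length recommendations), not anything the switch enforces.

```python
"""Check EFOS `show ip ssh` output for the SSH state required by CSHM / log collection.

Added example: hypothetical helper, not part of the NetApp/Broadcom procedure.
"""
import re

# Constructed sample: `show ip ssh` output before the procedure (step 1 of the page).
SAMPLE_DISABLED = """\
(switch)# show ip ssh
SSH Configuration
Administrative Mode: .......................... Disabled
SSH Port: ..................................... 22
Protocol Level: ............................... Version 2
SSH Sessions Currently Active: ................ 0
Max SSH Sessions Allowed: ..................... 5
SSH Timeout (mins): ........................... 5
Keys Present: ................................. DSA(1024) RSA(1024) ECDSA(521)
Key Generation In Progress: ................... None
SSH Public Key Authentication Mode: ........... Disabled
SCP server Administrative Mode: ............... Disabled
"""

# Constructed sample: `show ip ssh` output after the procedure (step 9 of the page).
SAMPLE_ENABLED = SAMPLE_DISABLED.replace("Disabled", "Enabled")

# "Name: ........ value" lines; the dotted leader is discarded.
FIELD_RE = re.compile(r"^(?P<name>[^:]+?):\s*\.*\s*(?P<value>.*?)\s*$")
# Entries of the "Keys Present" field, e.g. RSA(1024).
KEY_RE = re.compile(r"([A-Z]+)\((\d+)\)")

# Values expected after the procedure completes (assumption based on step 9's listing).
EXPECTED = {
    "Administrative Mode": "Enabled",
    "SSH Public Key Authentication Mode": "Enabled",
    "SCP server Administrative Mode": "Enabled",
    "Protocol Level": "Version 2",
    "Key Generation In Progress": "None",
}
# Step 3 generates all three key types, so all three should be present.
REQUIRED_KEY_TYPES = ("RSA", "DSA", "ECDSA")


def parse_show_ip_ssh(text):
    """Return {field name: value} for every 'Name: .... value' line in the output."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group("name").strip()] = m.group("value")
    return fields


def parse_keys(keys_present):
    """Turn 'DSA(1024) RSA(1024) ECDSA(521)' into {'DSA': 1024, 'RSA': 1024, 'ECDSA': 521}."""
    return {ktype: int(bits) for ktype, bits in KEY_RE.findall(keys_present)}


def check_ssh_ready(fields, min_rsa_bits=2048):
    """Compare parsed fields against EXPECTED; return failures and policy warnings.

    min_rsa_bits is a hypothetical local policy threshold, not an EFOS setting.
    """
    failures = []
    warnings = []
    for name, want in EXPECTED.items():
        got = fields.get(name)
        if got != want:
            failures.append(f"{name}: expected {want!r}, got {got!r}")
    keys = parse_keys(fields.get("Keys Present", ""))
    for ktype in REQUIRED_KEY_TYPES:
        if ktype not in keys:
            failures.append(f"Keys Present: missing {ktype} key")
    rsa_bits = keys.get("RSA")
    if rsa_bits is not None and rsa_bits < min_rsa_bits:
        warnings.append(f"RSA key is {rsa_bits} bits; local policy threshold is {min_rsa_bits}")
    return {"ok": not failures, "failures": failures, "warnings": warnings}


if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_DISABLED), ("after", SAMPLE_ENABLED)):
        result = check_ssh_ready(parse_show_ip_ssh(sample))
        print(label, "ok" if result["ok"] else "NOT READY")
        for line in result["failures"] + result["warnings"]:
            print("  ", line)
```

Feed the script the captured output of `show ip ssh` from step 9; an empty failure list confirms the state the page's final listing shows, while the warning list surfaces key sizes that pass the switch's own checks but fall below your policy.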