Sun Microsystems, Inc.  Oracle System Handbook - ISO 7.0 May 2018 Internal/Partner Edition

Asset ID: 1-72-1960657.1
Update Date: 2018-02-01

Solution Type  Problem Resolution Sure

Solution  1960657.1 :   Oracle ZFS Storage Appliance: On Upgrade to 2013.1.3.0, SSH/SFTP keys are not carried forward during upgrade  


Related Items
  • Sun ZFS Storage 7320
  • Oracle ZFS Storage ZS3-BA
  • Oracle ZFS Storage ZS3-2
  • Oracle ZFS Storage ZS3-4
  • Sun ZFS Storage 7420

Related Categories
  • PLA-Support>Sun Systems>DISK>ZFS Storage>SN-DK: 7xxx NAS




In this Document
Symptoms
Changes
Cause
Solution
References


Created from <SR 3-10107862021>

Applies to:

Oracle ZFS Storage ZS3-4 - Version All Versions to All Versions [Release All Releases]
Oracle ZFS Storage ZS3-BA - Version All Versions to All Versions [Release All Releases]
Sun ZFS Storage 7420 - Version All Versions to All Versions [Release All Releases]
Sun ZFS Storage 7320 - Version All Versions to All Versions [Release All Releases]
Oracle ZFS Storage ZS3-2 - Version All Versions to All Versions [Release All Releases]
7000 Appliance OS (Fishworks)

Symptoms

Users are unable to authenticate in the SFTP environment.

Changes

An upgrade that takes the AK code version to any release from 2013.1.3.0 (ak8.3.0) to 2013.1.5.x (ak8.5.x) has just completed.

Cause

Bug 20346380 - Upgrade to 2013.1.3.0 sftp keys are not brought over from previous version.

Bug 20395112 - ssh_authorized_keys are not saved during upgrade

The /var/ak/keystores/SFTP/*/ssh_authorized_keys files are not copied during the code upgrade.

Solution

Fixed in 2013.1.6.0.

Please upgrade to Appliance Firmware Release 2013.1.6.2 (or later).

NOTE: The following statement is in the ak8.7.0 release notes:

SSH Key-Based Authentication
In prior releases, both RSA and DSA/DSS public keys were supported for SSH
authentication. In line with industry best practices, support for the DSA/DSS public key
method (now considered weak) has been permanently removed from this and future
versions of the product. Users requiring key-based authentication must use RSA keys.

Bug 20395112 provides the workflow restore_sftp_keys.akwf to resolve this issue.

The workflow can be downloaded by clicking on the workflow name.

The workflow can then be downloaded onto each array node needing the fix and run through the standard workflow process.

Here are the instructions from the workflow for implementation of the fix:

* This workflow is used to restore sftp keys which are missing after
* upgrading to 2013.1.3.* or later. Any existing keys that are listed
* in the CLI or BUI will not be replaced. Keys added manually by Oracle will be overwritten.
* This workflow MUST be run CONSECUTIVELY on both heads of a cluster so that
* the stash files which were not read in correctly are removed from both heads.
* Please do not run this workflow at the same time on both heads.

------------------------------------------------------------------------------------------------------

The old workaround is listed below for reference.

The workaround must be executed on both heads in a cluster.

It consists of mounting the dataset of the previous code version, where the key files are still located, and manually copying them over to the running version.

Two examples are given below. The first copies forward the SSH keys; the second copies forward the SFTP keys.

zs3-2-array / # \uname -a
SunOS zs3-2-ftlauder-a 5.11 ak/generic@2013.06.05.3.0,1-1.14 i86pc i386 i86pc

zs3-2-array / # awk -F: '{print $6}' /var/ak/etc/passwd | sort -u | grep home
/var/ak/home/aknobody
/var/ak/home/akroot
/var/ak/home/bcstjf
/var/ak/home/ftptest
/var/ak/home/jofletc
/var/ak/home/nieusma
/var/ak/home/oracle_agent
/var/ak/home/root
/var/ak/home/sean
/var/ak/home/test
/var/ak/home/will

zs3-2-array / # ls -l /var/ak/home/*/.ssh/*              
-rw-r--r--   1 root     root        3516 Jan 20 19:26 /var/ak/home/root/.ssh/known_hosts

zs3-2-array / # zfs list -o name -r system | grep home
system/ak-nas-2013.06.05.2.6_1-2.2.1.1/install/home
system/ak-nas-2013.06.05.2.6_1-2.2.1.1/running/home
system/ak-nas-2013.06.05.3.0_1-1.14/install/home
system/ak-nas-2013.06.05.3.0_1-1.14/running/home

zs3-2-array / # df -h /var/ak/home
Filesystem             Size   Used  Available Capacity  Mounted on
system/ak-nas-2013.06.05.3.0_1-1.14/running/home   819G    79K       644G     1%    /var/ak/home

zs3-2-array / # mount -F zfs system/ak-nas-2013.06.05.2.6_1-2.2.1.1/running/home /mnt

zs3-2-array / # ls -l /var/ak/home/*/.ssh/* /mnt/*/.ssh/*
-r--------   1 nieusma  other        612 Jan 20 19:16 /mnt/nieusma/.ssh/authorized_keys

zs3-2-array / # ( cd /mnt && find */.ssh -type f -name authorized_keys | while read -r f; do cp -p "$f" "/var/ak/home/$f"; done )

zs3-2-array / # ls -l /var/ak/home/*/.ssh/* /mnt/*/.ssh/*
-r--------   1 nieusma  other        612 Jan 20 19:16 /mnt/nieusma/.ssh/authorized_keys
-r--------   1 nieusma  root         612 Jan 20 19:31 /var/ak/home/nieusma/.ssh/authorized_keys

zs3-2-array / # umount /mnt

zs3-2-array / # exit

-------------------------------------------------

Upgrading from 2013.x to 2013.1.3.0 does not copy the /var/ak/keystores/SFTP/*/ssh_authorized_keys files.
Workaround:

s7120-b# ls -l /var/ak/keystores/SFTP/*/ssh*
/var/ak/keystores/SFTP/*/ssh*: No such file or directory

s7120-b# zfs list -o name -r system |grep running/var
system/ak-nas-2013.06.05.2.13_1-1.1/running/var
system/ak-nas-2013.06.05.3.0_1-1.14/running/var

s7120-b# mount -F zfs system/ak-nas-2013.06.05.2.13_1-1.1/running/var /mnt

s7120-b# ls -l /mnt/ak/keystores/SFTP/*/
/mnt/ak/keystores/SFTP/dave/:
total 3
-r--r--r--   1 root     root         606 Jan 21 17:39 ssh_authorized_keys

/mnt/ak/keystores/SFTP/jeff/:
total 3
-r--r--r--   1 root     root         606 Jan 21 17:31 ssh_authorized_keys

s7120-b# ( cd /mnt/ak/keystores/SFTP && tar cBf - . ) | ( cd /var/ak/keystores/SFTP/ && tar xpvf - )
tar: blocksize = 12
x ., 0 bytes, 0 tape blocks
x ./dave, 0 bytes, 0 tape blocks
x ./dave/ssh_authorized_keys, 606 bytes, 2 tape blocks
x ./jeff, 0 bytes, 0 tape blocks
x ./jeff/ssh_authorized_keys, 606 bytes, 2 tape blocks
x ./ssh_authorized_keys, 0 bytes, 0 tape blocks

s7120-b# umount /mnt
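
As an added example (not Oracle's workflow and not code from this note), the following sh function compares the previous release's SFTP keystore, mounted as shown above, with the running one before anything is copied, and counts the ssh-dss keys that the ak8.7.0 release note says are no longer accepted. The function names and the temporary sample directories are assumptions; the sample keys are constructed placeholders.

```shell
#!/bin/sh
# Added example, not Oracle's workflow. Layout assumed from the article:
#   <keystore root>/<user>/ssh_authorized_keys

# Print one line per user found in the previous release's keystore:
#   <user> <MISSING|RESTORED|DIFFERS> rsa=<n> dsa=<n>
audit_sftp_keys() {            # usage: audit_sftp_keys OLD_ROOT NEW_ROOT
    old_root=$1
    new_root=$2
    for old in "$old_root"/*/ssh_authorized_keys; do
        [ -f "$old" ] || continue          # glob matched nothing
        user=$(basename "$(dirname "$old")")
        new="$new_root/$user/ssh_authorized_keys"
        if [ ! -f "$new" ]; then
            state=MISSING                  # not carried forward by the upgrade
        elif cmp -s "$old" "$new"; then
            state=RESTORED                 # identical to the old copy
        else
            state=DIFFERS                  # a manual copy would overwrite it
        fi
        # Count key lines by type, skipping comments. Options may precede
        # the key type, so match the type token anywhere on the line.
        counts=$(awk '/^[ \t]*#/ { next }
                      /ssh-dss / { d++; next }
                      /ssh-rsa / { r++ }
                      END { printf "rsa=%d dsa=%d", r, d }' "$old")
        echo "$user $state $counts"
    done
}

# Constructed sample data: two temporary keystores with placeholder keys.
make_sample_keystores() {      # prints the directory it created
    d=$(mktemp -d)
    mkdir -p "$d/old/dave" "$d/old/jeff" "$d/old/anna" "$d/new/jeff" "$d/new/anna"
    echo 'ssh-rsa AAAAconstructed1 dave@example' > "$d/old/dave/ssh_authorized_keys"
    printf '%s\n' '# legacy key' 'ssh-dss AAAAconstructed2 jeff@example' \
        'ssh-rsa AAAAconstructed3 jeff@example' > "$d/old/jeff/ssh_authorized_keys"
    cp "$d/old/jeff/ssh_authorized_keys" "$d/new/jeff/"
    echo 'ssh-rsa AAAAconstructed4 anna@example' > "$d/old/anna/ssh_authorized_keys"
    echo 'ssh-rsa AAAAconstructed5 anna@example' > "$d/new/anna/ssh_authorized_keys"
    echo "$d"
}

sample=$(make_sample_keystores)
audit_sftp_keys "$sample/old" "$sample/new"
rm -rf "$sample"
```

With the old dataset mounted as in the example above, the two arguments would be /mnt/ak/keystores/SFTP and /var/ak/keystores/SFTP.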

References

<BUG:20346380> - SSH AUTHORIZED_KEYS ARE NOT SAVED DURING UPGRADE TO 2013.1.3.0
<BUG:20395112> - /VAR/AK/KEYSTORES/SFTP/*/SSH_AUTHORIZED_KEYS ARE NOT SAVED DURING UPGRADE

  Copyright © 2018 Oracle, Inc.  All rights reserved.