SSH is a secure and convenient method for automating scripts on remote servers. On UNIX and Linux machines, setup of SSH is almost trivial; however, on Windows it is more challenging. PuTTY's plink" command can be used to automate SSH actions on Windows. "plink" has some specific initialization requirements on Windows machines to make it usable from the DPX script interface. This article covers how to use the Windows command "plink", which is included in the PuTTY suite of utilities. This is not meant to be a comprehensive review of "plink" use. It specifically covers how to enable required host keys for use with the DPX script engine. "

Step By Step

PuTTY is a freely available third party SSH client for Windows platforms. At the time of this writing, PuTTY is available at:

Catalogic Software does not provide technical support for third party executables. Use of third party executables is at your own risk.

"plink.exe" can be used in a Windows batch script to automate running remote scripts through SSH. This is especially helpful with automating NetApp operations and triggering additional scripts on UNIX and Linux hosts. A typical command looks like this:

plink -ssh -l root -pw "password" host-name command

A more specific example is:

plink -ssh -l root -pw "password" "reboot"

On compatible UNIX/Linux systems, this command causes the remote machine at address to immediately reboot.

When you first run plink from the Windows command line to a new host, a message similar to the following appears:

The server's host key is not cached in the registry. You
have no guarantee that the server is the computer you
think it is.
The server's rsa2 key fingerprint is:
ssh-rsa 768 d1:1a:29:c0:6d:71:db:3b:36:7b:c1:01:b5:da:ca:d8
If you trust this host, enter "y" to add the key to
PuTTY's cache and carry on connecting.
If you want to carry on connecting just once, without
adding the key to the cache, enter "n".
If you do not trust this host, press Return to abandon the
Store key in cache? (y/n)


This is an interactive prompt that you cannot get around. If you select 'y', a host key is cached in the Windows registry, and for this host the key fingerprint question is not asked again. If you select 'n', the key is not cached, and this question appears each time you try to connect to this host.

"plink" caches these host keys in the user's profile within the HKEY_CURRENT_USER registry. This area of the registry is specific to the current login; it persists between login sessions, but these values are not shared with other users of the system.

This is where the issue exists. The default account used for DPX is 'Local System account.' Review this setting by going to the Windows service manager. In the service manager, find the cmagent service, right-click and select properties, and then review the "Log On" tab. For DPX to use plink effectively, a host key must be cached within the HKEY_CURRENT_USER registry for the indicated cmagent service login account. The problem is that 'Local System account' has no direct way to log into the console and easily seed these values.

Two possibilities exist:

  • Create an administrator account which has full access to all the local machine hardware and supported application interfaces
  • Use "Local System account"

In general, the easier method is to create an administrator account which has full access to all the local machine hardware and supported application interfaces. A local machine administrator or a domain administrator account typically works, although any account suffices if it has the necessary permissions for DPX backup and restore operations to work properly. Once the account is created, do the following:

    1. Go into the Windows service manager and change the DPX services (especially cmagent) to use this new account. Test a data protection job to ensure that this account works for DPX.
    2. Log in under this account and bring up a command shell. For each host you need to connect to, invoke "plink -ssh user@host-name", and when prompted about the key fingerprint, answer 'y' to cache the value. No other commands are needed; you can exit any interactive shells that are invoked.

    The necessary values are cached in: