SSH is a secure and convenient method for automating scripts on remote servers. On UNIX and Linux machines, setup of SSH is almost trivial; however, on Windows it is more challenging. PuTTY's Plink tool can be used to automate SSH actions on Windows. The plink tool has some specific initialization requirements on Windows machines to make it usable from the DPX script interface. This article covers how to use the Windows command "plink", which is included in the PuTTY suite of utilities. This is not meant to be a comprehensive review of the plink command usage. It specifically covers how to enable required host keys for use with the DPX script engine.
Step By Step
PuTTY is a freely available third party SSH client for Windows platforms. You can get the latest PuTTY from its official website:
Simon Tatham's Home Page: "PuTTY: a free SSH and Telnet client"
Note. Catalogic Software does not provide technical support for third party executables. Use of third party executables is at your own risk.
plink.exe can be used in a Windows batch script to automate running remote scripts through SSH. This is especially helpful with automating NetApp operations and triggering additional scripts on UNIX and Linux hosts. A typical command looks like this:
plink -ssh -l root -pw "<password>" <IPv4 address or host name> "<command>"
A more specific example is:
plink -ssh -l root -pw "password" 192.168.199.10 "reboot"
On compatible UNIX/Linux systems, this command causes the remote machine at address 192.168.199.10 to immediately reboot.
When you first run plink from the Windows command line to a new host, a message similar to the following appears:
The server's host key is not cached in the registry. You have no guarantee that the server is the computer you think it is.
The server's rsa2 key fingerprint is:
ssh-rsa 768 d1:1a:29:c0:6d:71:db:3b:36:7b:c1:01:b5:da:ca:d8
If you trust this host, enter "y" to add the key to PuTTY's cache and carry on connecting.
If you want to carry on connecting just once, without adding the key to the cache, enter "n".
If you do not trust this host, press Return to abandon the connection.
Store key in cache? (y/n)
This is an interactive prompt that you cannot get around. If you select y, a host key is cached in the Windows registry, and for this host the key fingerprint question is not asked again. If you select n, the key is not cached, and this question appears each time you try to connect to this host.
Plink caches these host keys in the user's profile within the HKEY_CURRENT_USER registry. This area of the registry is specific to the current login; it persists between login sessions, but these values are not shared with other users of the system.
This is where the issue exists. The default account used for DPX is 'Local System account.' Review this setting by going to the Windows service manager. In the service manager, find the cmagent service, right-click and select properties, and then review the "Log On" tab. For DPX to use plink effectively, a host key must be cached within the HKEY_CURRENT_USER registry for the indicated cmagent service login account. The problem is that 'Local System account' has no direct way to log into the console and easily seed these values.
Two possibilities exist:
Create an administrator account which has full access to all the local machine hardware and supported application interfaces
Use "Local System account"
In general, the easier method is to create an administrator account which has full access to all the local machine hardware and supported application interfaces. A local machine administrator or a domain administrator account typically works, although any account suffices if it has the necessary permissions for DPX backup and restore operations to work properly. Once the account is created, do the following:
Go into the Windows service manager and change the DPX services (especially cmagent) to use this new account. Test a data protection job to ensure that this account works for DPX.
Log in under this account and bring up a command shell. For each host you need to connect to, invoke plink -ssh <user>@<host name>, and when prompted about the key fingerprint, answer y to cache the value. No other commands are needed; you can exit any interactive shells that are invoked.
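Added example (not from the original article and not part of DPX): a batch wrapper that a scheduled script could call instead of invoking plink directly. It logs which account the script runs under and uses plink's -batch option, so that a host key missing from that account's cache produces a logged failure rather than a job that waits at the y/n prompt. The host, user, password, remote command and file names are placeholders.

```batch
@echo off
rem Added example; not part of the original article or of DPX.
rem HOST, SSHUSER, SSHPASS, REMOTECMD and the file names are placeholders.
setlocal
set "HOST=192.168.199.10"
set "SSHUSER=root"
set "SSHPASS=password"
set "REMOTECMD=uptime"
set "LOG=%TEMP%\plink_wrapper.log"
set "OUT=%TEMP%\plink_wrapper_last.txt"

rem Record the account this script really runs under. The host key has
rem to be cached in that account's HKEY_CURRENT_USER profile, which is
rem not necessarily the account you used at the console.
for /f "delims=" %%A in ('whoami') do set "RUNAS=%%A"
>> "%LOG%" echo [%DATE% %TIME%] running as %RUNAS%, target %HOST%

rem -batch disables all interactive prompts. If the host key is not
rem cached for this account, plink abandons the connection and returns
rem a non-zero exit code instead of waiting for an answer.
plink -batch -ssh -l %SSHUSER% -pw "%SSHPASS%" %HOST% "%REMOTECMD%" > "%OUT%" 2>&1
set "RC=%ERRORLEVEL%"
type "%OUT%" >> "%LOG%"

if "%RC%"=="0" goto :done

>> "%LOG%" echo [%DATE% %TIME%] plink exit code %RC% for %HOST%

rem Match on the wording of the host key message quoted earlier.
findstr /i /c:"host key is not cached" "%OUT%" >nul
if not errorlevel 1 >> "%LOG%" echo Host key for %HOST% is not cached for account %RUNAS%

:done
del "%OUT%" 2>nul
exit /b %RC%
```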
The necessary values are cached in the following registry path: