Accessing BCDR appliances via SSH

Topic

This article describes the process of establishing a secure remote connection to a Datto Business Continuity and Disaster Recovery (BCDR) appliance's Command-Line Interface (CLI) by using the Remote Web SSH Server.

This information applies to all Datto appliances running IRIS 3 (Ubuntu 16.04) and above.

Environment

  • Datto SIRIS
  • Datto ALTO
  • Datto NAS

Description

Overview

Datto has released the Remote Web SSH Server as a faster, more efficient, and more secure method of remotely managing the advanced features of your Datto appliance. By leveraging OTP authentication, you can control access to your Datto device on a session-by-session basis, without the risks associated with an unlocked SSH configuration.

System Requirements

To connect to the Remote Web SSH Server, you will need to use an SSH client. The examples in this article use Xshell 5, but you may use any SSH client capable of successfully completing the following steps.

Networking Requirements

Allowlist Requirements

Requirements for the Datto device:

  • 162.244.87.1/24, port 443 and port 80
  • 206.201.136.1/24, port 80
  • 27.111.249.1/24, port 80
  • 198.137.225.1/24, port 80 and port 2200 (fallback in case there is a web firewall)

Requirements for communication from your SSH client to the Remote Web SSH Server:

  • 206.201.136.1/24, port 22

Connection Process

NOTE  The authentication process described in this section requires an active Datto Partner-level account (login required) with permission to access the Remote Web SSH Server.

  1. Via your SSH client, establish a connection to ssh partner@partner-ssh.datto.com.

NOTE  Some SSH clients do not require you to use the ssh argument in the connection command. If you are experiencing connection failures, attempt to connect without using the ssh argument.

Figure 1: Connecting to partner-ssh.datto.com

  2. When prompted, enter partner as the authentication password. The password prompt may appear in your terminal window or as a separate dialog box, depending on your configuration.

Figure 2: SSH User Authentication prompt

  3. The SSH session will generate a one-time authentication key and display a preformatted URL in the terminal window (shown in Figure 3). Copy and paste the URL into the address bar of your Internet browser.

Figure 3: SSH OTP link

  4. When you navigate to the authentication portal, log in, if prompted, with the Partner Portal credentials of a user on the account associated with the Datto device.
  5. When prompted, click Approve Authorization to allow the SSH session access to the Remote Web SSH Server. Optionally, you can Reject the request, which will immediately disconnect the SSH session.

Figure 4: Approve Authorization

  6. Return to your SSH client window. You will see a menu similar to the example shown in Figure 5.

Figure 5: Remote Web SSH Server landing page menu

  7. You can connect to any Datto appliance on the reseller account by using the connect command. Specify the device by its device ID, hostname, or serial number.

NOTE  If it is more convenient, you can use 'c' or 'sd' in place of the word 'connect.'

Figure 6: Connecting to a Datto appliance using its hostname

  8. When the session connects, you will be logged into the Datto appliance as the root user, and you will be able to manage the device by using commands.

Additional Remote Web SSH Server options

The list command will show all devices associated with the reseller account.

NOTE  The list command can list up to 10 devices. If you have more than 10 devices assigned to a reseller account, only the first 10 will be listed. To find and connect to a device that is not listed, you will need to enter the device's hostname, serial number, or device ID manually.

You can view all active connections to a device by using the show command:

Figure 7: Using the show command to display active connection details.

You can repair an active connection to a device by using the repair command, or close the connection with the close command.

Figure 8: Repairing and closing a connection

To log out of a device and return to the Remote Web SSH Server, type exit.

Figure 9: Logging out of a device

Troubleshooting

Remote Web SSH Server Error Messages

Under certain conditions, you may be unable to connect to a Datto appliance through an SSH server. If this occurs, the SSH server will return an error message. These error messages, and their meanings, are as follows:

  • Could not find matching clients: The account logged into the SSH server does not have rights to the device, or the device does not meet the minimum system requirements to connect to the server (Ubuntu 16.04, OS version of 3.53.17 or higher).
  • Client not found. It may not be checking in: The tracker has never seen this client, likely due to networking or authentication key conditions preventing the client from connecting to the tracker.

NOTE  Even if the Partner Portal shows that a device is checking in, if the appliance is failing to check in with its SSH server trackers, the SSH server will consider the check-in a failure.

  • Waiting for connection...Giving up. Cannot connect: The tracker communication is okay, but the relay host cannot establish a tunnel with the Datto device, probably due to networking issues establishing an SSH tunnel over port 80 or 2200.

    This error message can also indicate that the rly-client service is not running. If you are able to connect to the Datto appliance through a different method, run the command systemctl status rly-client. If you see output similar to the following, the rly-client service is not running:
    root@KM-SB2000:~# systemctl status rly-client
    ● rly-client.service - RLY Client Service
    Loaded: loaded (/lib/systemd/system/rly-client.service; enabled; vendor preset: enabled)
    Active: inactive (dead) since Fri 2017-08-11 10:32:48 EDT; 2s ago
    Main PID: 3038 (code=exited, status=0/SUCCESS)

    Run systemctl start rly-client to start the service, and then use systemctl status rly-client to verify that the service started successfully. If the service started without issue, you should see output similar to the following:
    root@KM-SB2000:~# systemctl status rly-client
    ● rly-client.service - RLY Client Service
    Loaded: loaded (/lib/systemd/system/rly-client.service; enabled; vendor preset: enabled)
    Active: active (running) since Fri 2017-08-11 10:36:00 EDT; 2s ago
    Main PID: 21278 (rly)
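The check-status, start-if-stopped, re-verify procedure above as an added shell example; it is not part of the Datto article. The unit name rly-client comes from the article, the two transcripts are constructed to mirror its output, and the optional SYSTEMCTL parameter of ensure_rly_client is an assumption added so the logic can be exercised without a real appliance.

```shell
#!/bin/sh
# Added example (not from the Datto article): decide from `systemctl status`
# output whether rly-client is running, and start it only when it is not.

# Constructed sample: service stopped (mirrors the article's first transcript).
SAMPLE_INACTIVE='● rly-client.service - RLY Client Service
   Loaded: loaded (/lib/systemd/system/rly-client.service; enabled; vendor preset: enabled)
   Active: inactive (dead) since Fri 2017-08-11 10:32:48 EDT; 2s ago
 Main PID: 3038 (code=exited, status=0/SUCCESS)'

# Constructed sample: service healthy (mirrors the article's second transcript).
SAMPLE_ACTIVE='● rly-client.service - RLY Client Service
   Loaded: loaded (/lib/systemd/system/rly-client.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2017-08-11 10:36:00 EDT; 2s ago
 Main PID: 21278 (rly)'

# rly_state STATUS_TEXT -> prints the first word of the "Active:" line
# (active, inactive, failed, activating, ...) or "unknown" if there is none.
rly_state() {
    state=$(printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*Active:[[:space:]]*\([a-z]*\).*/\1/p' \
        | head -n 1)
    if [ -n "$state" ]; then printf '%s\n' "$state"; else printf 'unknown\n'; fi
}

# rly_needs_restart STATUS_TEXT -> exit 0 when the service should be started.
# Anything other than active/activating (inactive, failed, unknown) counts.
rly_needs_restart() {
    case "$(rly_state "$1")" in
        active|activating) return 1 ;;
        *) return 0 ;;
    esac
}

# ensure_rly_client [SYSTEMCTL] -> the article's procedure: check status, start
# if needed, then re-check. SYSTEMCTL defaults to the real binary; a stub may be
# passed for testing (assumed parameter, not part of the article).
ensure_rly_client() {
    sc=${1:-systemctl}
    before=$("$sc" status rly-client 2>&1 || true)
    if rly_needs_restart "$before"; then
        "$sc" start rly-client || return 1
        after=$("$sc" status rly-client 2>&1 || true)
        rly_needs_restart "$after" && return 1
    fi
    return 0
}
```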