Network and Storage Protocols

ssh as a domainuser to filer / rsa pubkey in cygwin

aoral
6,420 Views

Hi all,

my filer is in the windows domain WIN.

I can connect from cygwin with "ssh -l WIN\\user filer" - this works.

Now I want to generate and distribute my RSA key to filer with the following steps:

## generate the rsa key (using an empty passphrase)

ssh-keygen -t rsa

## copy the generated rsa key to my filer (via nfs mount)

cp -v  ~/.ssh/id_rsa.pub  /filer/etc/sshd/user/.ssh/authorized_keys

Now when I try to login with "ssh -v -l WIN\\user filer" or "ssh -i id_rsa.pub -v -l WIN\\user filer"  I cannot connect with my "empty passphrase",

I have to type in my password.

Any ideas?

Thanks,

Arda

11 REPLIES 11

aborzenkov
6,391 Views

Does it work if you use “ssh -l user” (skip domain part)?

aoral
6,391 Views

yes, but I get:

filer> help

Permission denied, user XXX does not have access to ?

filer> Thu Aug 23 13:23:35 CEST [filer: useradmin.unauthorized.user:warning]: User 'XXX' denied access - missing required capability: 'cli-?'

But if I connect with WIN\user and enter the password I have access to all commands.

aborzenkov
6,391 Views

Have you tried to put key in directory with full name, i.e. sshd/WIN\user/.ssh/authorized_keys?

Note that backslash is actual part of name.

aoral
6,391 Views

Yes, sure I tried that.

No help

edward_king
6,391 Views

Arda Oral wrote:

yes, but I get:

filer> help

Permission denied, user XXX does not have access to ?

filer> Thu Aug 23 13:23:35 CEST [filer: useradmin.unauthorized.user:warning]: User 'XXX' denied access - missing required capability: 'cli-?'

But if I connect with WIN\user and enter the password I have access to all commands.

Have you granted the cli- capabilities to the user you attempting to access as? The error above seems to indicate that user is not a member of a role that has these capabilities granted. You would need to use useradmin to add the user to a role that has cli capabilities granted or create a custom role for the user with those capabilities granted.

aborzenkov
6,391 Views

You probably misunderstand the problem. Real user (domain user) does have the required capabilities, but there does not appear to be any way to let SSH authenticate domain user using public key. I could not find any information in documentation or knowledge base.

If you try to login as domain user using full domain name, public key authentication does not work. If you try to strip domain part, you can use public key, but in this case NetApp apparently does not see this user as domain user (and does not grant capabilities).

STO_DC_STORAGE
4,794 Views

I'am running against the same problem every day.

I add my ssh-key in pageant and try a 'ssh filer date' and it states:

[filer: useradmin.unauthorized.user:warning]: User 'win\user' denied access - missing required capability: 'cli-date'

Now I remove my ssh key from pageant and run the same command again and it asks for my password (which I expect it to do). It grants me access and executes the command 'date'.

Somewhere on the road it now can identify me as 'win\user' and sees that I'am allowed to execute the command.

I then add my ssh-key again in pageant. Execute the command again and voila, the command works.

I have to do above sequence every day, for some reason the filer resets my credentials every day.

I have several filers to manage, but only one gives me this behaviour. I searched through all options and files but I can't see any difference.

Do you have any clue?

aborzenkov
4,794 Views

Try using eccentric to display information about your user before and after you did password login. When using public key, there is no way to verify your user. I suspect, logging in using password caches login information for later use.

Using GSS-API with Kerberos may provide a solution if filer supports it.

Отправлено с iPhone

21.01.2013, в 20:00, "STO DC Storage" <xdl-communities@communities.netapp.com<mailto:xdl-communities@communities.netapp.com>> написал(а):

<https://communities.netapp.com/index.jspa>

Re: ssh as a domainuser to filer / rsa pubkey in cygwin

created by STO DC Storage<https://communities.netapp.com/people/sto.dc.storage> in Data ONTAP - View the full discussion<https://communities.netapp.com/message/98679#98679>

I'am running against the same problem every day.

I add my ssh-key in pageant and try a 'ssh filer date' and it states:

: User 'win\user' denied access - missing required capability: 'cli-date'

Now I remove my ssh key from pageant and run the same command again and it asks for my password (which I expect it to do). It grants me access and executes the command 'date'.

Somewhere on the road it now can identify me as 'win\user' and sees that I'am allowed to execute the command.

I then add my ssh-key again in pageant. Execute the command again and voila, the command works.

I have to do above sequence every day, for some reason the filer resets my credentials every day.

I have several filers to manage, but only one gives me this behaviour. I searched through all options and files but I can't see any difference.

Do you have any clue?

Reply to this message by replying to this email -or- go to the message on NetApp Community<https://communities.netapp.com/message/98679#98679>

Start a new discussion in Data ONTAP by email<mailto:discussions-community-products_and_solutions-data_ontap@communities.netapp.com> or at NetApp Community<https://communities.netapp.com/choose-container.jspa?contentType=1&containerType=14&container=2877>

SBLANKENSHIP
6,391 Views

I tried this a few years ago but found that the only private key I could use was for "root". I didn't try any other local accounts as I was only interested in using my domain account or stay with root but it could be possible to use another local account. I am still interested to find out if this is possible to use a domain account with pub/priv key authentication. I would bet that another local account could use the authroized_keys for authentication but domain accounts can't due to the way it wants to use kerberos authentication and needs your password to do so. The secret key is good enough for the underlying BSD authentication module but not good enough to get a session ticket from a domain controller as the private key is not associated with active directory like your password.

aborzenkov
6,391 Views

Yes, I came to the same conclusion as well. I guess the only way to enable passwordless login in this case would be Kerberos, but as far as I can tell it is not supported by NetApp for user authentication.

netapplem
6,391 Views

I have been successful with using local account (as our site does not allow 'root' access), but I have not spent any time attempting to connect via my domain account.

Public