topic Multi-admin verify and ssh key-based authentication in ONTAP Discussions https://community.netapp.com/t5/ONTAP-Discussions/Multi-admin-verify-and-ssh-key-based-authentication/m-p/455593#M44039 <P>We typically use ssh key-based authentication in our environment for the increased security over password auth. I'm looking into setting up Multi-admin verification for things like volume deletes. However in testing, I noticed that any admin can change any others' public keys, and therefore log in as any other MAV admin.</P><P>&nbsp;</P><P>By default, MAV creates a rule to restrict "security login password", but not to restrict "security login publickey", and you can't add such a rule either:</P><LI-CODE lang="markup">&gt; security multi-admin-verify rule create -operation "security login publickey" -query "-multi-admin-approver true -different-user true" Error: command failed: Operation "security login publickey" is not supported by this feature.</LI-CODE><P>&nbsp;</P><P>This seems like a huge hole, or am I misunderstanding something here?</P> Thu, 03 Oct 2024 16:23:21 GMT LieuentantLefse 2024-10-03T16:23:21Z Multi-admin verify and ssh key-based authentication https://community.netapp.com/t5/ONTAP-Discussions/Multi-admin-verify-and-ssh-key-based-authentication/m-p/455593#M44039 <P>We typically use ssh key-based authentication in our environment for the increased security over password auth. I'm looking into setting up Multi-admin verification for things like volume deletes. However in testing, I noticed that any admin can change any others' public keys, and therefore log in as any other MAV admin.</P><P>&nbsp;</P><P>By default, MAV creates a rule to restrict "security login password", but not to restrict "security login publickey", and you can't add such a rule either:</P><LI-CODE lang="markup">&gt; security multi-admin-verify rule create -operation "security login publickey" -query "-multi-admin-approver true -different-user true" Error: command failed: Operation "security login publickey" is not supported by this feature.</LI-CODE><P>&nbsp;</P><P>This seems like a huge hole, or am I misunderstanding something here?</P> Thu, 03 Oct 2024 16:23:21 GMT https://community.netapp.com/t5/ONTAP-Discussions/Multi-admin-verify-and-ssh-key-based-authentication/m-p/455593#M44039 LieuentantLefse 2024-10-03T16:23:21Z