2019-03-02 05:16 AM
One of my power users has role-based restricted access to the FAS using an ssh-rsa 2048 public key only. This previously worked OK; we started at ONTAP 9.1, then 9.2, and until recently were on 9.3P4, all working OK for about 2 years.
The user can no longer access the FAS using the pubkey. I suspect, but I cannot be certain, this broke when we updated to 9.4.P3 in December 2018. The error is: key type ssh-rsa not in PubkeyAcceptedKeyTypes. I also tried a new ssh-ed25519 key; both have the same error. See below:
00000018.001cc78e 0dcc3fa7 Sat Mar 02 2019 12:04:13 +00:00 [auth_sshd:info:8218] userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedKeyTypes [preauth]
00000018.001cc78f 0dcc3fa7 Sat Mar 02 2019 12:04:13 +00:00 [auth_sshd:info:8218] userauth_pubkey: key type ssh-ed25519 not in PubkeyAcceptedKeyTypes
The ssh keys are good. I checked the fingerprints at both ends and tested to other servers (Linux / AIX); both worked with the keys OK. Also, SSH password-based access to the FAS works fine. The MFA second authentication method is set to none.
1) Has anybody seen this before? I am struggling to get any good hits googling using the error message for ONTAP.
Linux hits indicate sshd_config can be updated to allow key types removed at later SSH 7.x levels. For example, to allow ssh-dss, which was removed from the defaults at openssh 7.x.
2) I cannot see any means of querying or modifying the ONTAP (FAS) settings for PubkeyAcceptedKeyTypes.
I am able to log a support ticket via the NETAPP Partner IBM, who provide our L1/L2 support before it escalates to NETAPP directly via IBM if they cannot resolve it. However, I want to ask in the community first and potentially build a stronger testcase to demonstrate the problem.
Re: ONTAP 9.4 SSH Public Key Access Broken ( key type ssh-rsa not in PubkeyAcceptedKeyTypes)
2019-04-02 12:52 AM
2019-04-02 01:09 AM
Only got this fully resolved yesterday. It appears a change was made at 9.4 P3 that stops RSA and ED25519 keys from working to the admin SVM. Switching to ECDSA keys resolved the problem.
Message seen in log was:
00000018.0025399a 0f15eef9 Wed Mar 27 2019 12:14:42 +00:00 [auth_sshd:info:29433] userauth_pubkey: key type ssh-ed25519 not in PubkeyAcceptedKeyTypes [preauth]
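
Added example, not part of the original posts: a small Python parser for the auth_sshd messages quoted in this thread, which reports the key types the node rejected and groups them by sshd process id, so you can see which key types to replace after an upgrade. The function names and the line pattern are assumptions derived only from the three log lines shown above.

```python
import re
from collections import Counter

# The three log lines quoted in this thread, embedded so the example runs offline.
SAMPLE_LOG = """\
00000018.001cc78e 0dcc3fa7 Sat Mar 02 2019 12:04:13 +00:00 [auth_sshd:info:8218] userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedKeyTypes [preauth]
00000018.001cc78f 0dcc3fa7 Sat Mar 02 2019 12:04:13 +00:00 [auth_sshd:info:8218] userauth_pubkey: key type ssh-ed25519 not in PubkeyAcceptedKeyTypes
00000018.0025399a 0f15eef9 Wed Mar 27 2019 12:14:42 +00:00 [auth_sshd:info:29433] userauth_pubkey: key type ssh-ed25519 not in PubkeyAcceptedKeyTypes [preauth]
"""

# Pattern inferred from the lines above (an assumption, not a documented format).
LINE_RE = re.compile(
    r"(?P<ts>\w{3} \w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2} [+-]\d{2}:\d{2}) "
    r"\[auth_sshd:(?P<sev>\w+):(?P<pid>\d+)\] "
    r"userauth_pubkey: key type (?P<keytype>\S+) not in PubkeyAcceptedKeyTypes"
    r"(?P<preauth> \[preauth\])?"
)

def parse_rejections(text):
    """Return one dict per rejected public key offer found in the log text."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m is None:
            continue  # unrelated log line
        events.append({
            "timestamp": m.group("ts"),
            "pid": int(m.group("pid")),
            "key_type": m.group("keytype"),
            "preauth": m.group("preauth") is not None,
        })
    return events

def rejected_key_types(events):
    """Count rejections per key type, e.g. to list keys that need replacing."""
    return Counter(e["key_type"] for e in events)

def rejections_by_session(events):
    """Group rejected key types by sshd pid (one pid per connection attempt)."""
    sessions = {}
    for e in events:
        sessions.setdefault(e["pid"], []).append(e["key_type"])
    return sessions

if __name__ == "__main__":
    found = parse_rejections(SAMPLE_LOG)
    print(dict(rejected_key_types(found)))
    print(rejections_by_session(found))
```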