Network and Storage Protocols

SSH key authentication using domain users? Then how about SFTP?

audifreakjim
6,971 Views

We cannot seem to get this to work with domain users.

We are using this KB as a guide to setup passwordless ssh

https://kb.netapp.com/support/index?page=content&id=1011670

It is working for root and local users.

For domain users we have tested both naming conventions for folder names in /etc/sshd

/etc/sshd/username@domainname/.ssh/authenticated_keys

/etc/sshd/domainname\username/.ssh/authenticated_keys

It finds the keys, but ONTAP spits back:

     User 'lab.demo\administrator' denied access - missing required capability: 'login-ssh'

Two separate environments with the same results.  Again, we can get local users to work so the keys are good, and with domain users it is finding the keys.

I have tried useradmin group modify administrators -r admin,root to give maximum permissions, but still no luck.  Just the default role of admin should be sufficient..

So getting SSH to work is one thing, but we are really trying to get passwordless SFTP working.  Here is the error when we try with a domain user.  The Authentication type for SFTP is mixed, we have also tried with NTLM

     SFTP (SSH File Transfer Protocol) connection request from client system xxx.xxx.xxx.xxx, user lab.demo\administrator failed, because the user is not permitted to do SFTP (SSH File Transfer Protocol) operations.

Has anyone successfully implemented passwordless SFTP using domain credentials? Is this even supported?

1 ACCEPTED SOLUTION

columbus_admin
6,971 Views

This post is a bit old, but this KB(for SSH breaking when roles change) has the info you need.  Any ssh based authentication, with AD accounts is not supported in ONTAP, and believe me I really wish it were.  We have ran into a bug recently(2 months ago) and this KB was brought up to us as still being correct.

Cause

Data ONTAP does not support key exchange with Active Directory Accounts.

Solution

Use local filer accounts for SSH key exchange to avoid this issue. NetApp does not currently support key exchange with Active Directory accounts.

https://kb.netapp.com/support/index?page=content&id=2012318

View solution in original post

4 REPLIES 4

columbus_admin
6,972 Views

This post is a bit old, but this KB(for SSH breaking when roles change) has the info you need.  Any ssh based authentication, with AD accounts is not supported in ONTAP, and believe me I really wish it were.  We have ran into a bug recently(2 months ago) and this KB was brought up to us as still being correct.

Cause

Data ONTAP does not support key exchange with Active Directory Accounts.

Solution

Use local filer accounts for SSH key exchange to avoid this issue. NetApp does not currently support key exchange with Active Directory accounts.

https://kb.netapp.com/support/index?page=content&id=2012318

audifreakjim
6,972 Views

Thanks for clearing this up!

JERROD_FINN
6,972 Views

Actually you can do this.  I've set it up and use it daily.  Send me a message and I'll explain if you are interested.

PC70
6,421 Views

What was the fix?


@JERROD_FINN wrote:

Actually you can do this.  I've set it up and use it daily.  Send me a message and I'll explain if you are interested.


 

Public