ONTAP Discussions

Enabling ssh publickey authentication on Clustered Data ONTAP for Active Directory users

sbarnea
10,763 Views

I am trying to load my ssh public key on a NetApp instance but it seems that it does not allow me to add my key.

lcy2-dosvm01::security login publickey> load-from-uri -uri http://pastebin.com/raw.phpi=mgB0Vq3x -username sorins

Error: command failed: invalid operation

lcy2-dosvm01::security login publickey> load-from-uri -uri http://pastebin.com/raw.phpi=mgB0Vq3x -username citrite\sorins

Error: command failed: entry doesn't exist

lcy2-dosvm01::security login publickey> load-from-uri -uri http://pastebin.com/raw.phpi=mgB0Vq3x -username citrite\\sorins

Error: command failed: invalid operation

I need to mention that my username used to log in is citrite\\sorins because that's an AD account. The double backslash is required for bash, but I tried various options and it seems that the NetApp gives a useless error, like "invalid operation".

YIshikawa
10,645 Views

Have you already created the user (login method entry, exactly) for ssh publickey authentication? Check "security login show".

marcusgross
10,561 Views

Hi,

what's the output of:

security login show -username sorins

M.

sbarnea
10,548 Views
lcy2-dosvm01::> security login show -username sorins

Error: "show" is not a recognized command

marcusgross
10,543 Views

Hi,

Don't run the command in the context of the svm.

sv98hbb1114::> security login show

Error: "show" is not a recognized command

sv98hbb1114::> exit

sg98hbb1054::> security login show

Vserver: sg98hbb1054
                             Authentication                  Acct
User/Group Name  Application Method         Role Name        Locked
---------------- ----------- -------------- ---------------- ------

...

M.

GDTechOps
10,319 Views

I am having the same issue. I get "Error: command failed: entry doesn't exist" with any formulation of my AD username, including double quoted, single quoted, double backslashes, plain, etc. I have set up the user for other methods of authentication, and can log in fine by using the AD password, but I cannot get publickey to work. I have modified the info below to remove PII.

netapp-cluster::> security login show -user-or-group-name domain\user

Vserver: netapp-cluster
                             Authentication                  Acct
User/Group Name  Application Method         Role Name        Locked
---------------- ----------- -------------- ---------------- ------
domain\user       http        domain         admin            -
domain\user       ontapi      domain         admin            -
domain\user       ssh         domain         admin            -
3 entries were displayed.

 

netapp-cluster::> security login publickey create -username doman\user -index 0 -publickey "blah"

Error: command failed: entry doesn't exist

netapp-cluster::> security login publickey create -username doman\\user -index 0 -publickey "blah"

Error: command failed: entry doesn't exist

netapp-cluster::> security login publickey create -username 'doman\user' -index 0 -publickey "blah"

Error: command failed: entry doesn't exist

netapp-cluster::> security login publickey create -username "doman\user" -index 0 -publickey "blah"

Error: command failed: entry doesn't exist

netapp-cluster::> 

GDTechOps
10,309 Views

After seeing a post about this here (http://serverfault.com/questions/729513/now-to-add-ssh-publickey-to-clustered-netapp-for-active-directory-user), I tried adding the authmethod to my user before adding the publickey, but that doesn't work either.

 

 

netapp-cluster::> security login create -user-or-group-name domain\user -application ssh -authmethod publickey -role admin -vserver netapp-cluster

Error: command failed: failed to set field "username" to "domain\user"
       Username does not meet configured requirements:
       Invalid character in username "\". Valid characters: A-Z, a-z, 0-9, ".", "_", and "-". Note that the username cannot start
       with "-".

netapp-cluster::> security login create -user-or-group-name domain\\user -application ssh -authmethod publickey -role admin -vserver netapp-cluster

Error: command failed: failed to set field "username" to "domain\\user"
       Username does not meet configured requirements:
       Invalid character in username "\". Valid characters: A-Z, a-z, 0-9, ".", "_", and "-". Note that the username cannot start
       with "-".

netapp-cluster::> security login create -user-or-group-name "domain\user" -application ssh -authmethod publickey -role admin -vserver netapp-cluster

Error: command failed: failed to set field "username" to "domain\user"
       Username does not meet configured requirements:
       Invalid character in username "\". Valid characters: A-Z, a-z, 0-9, ".", "_", and "-". Note that the username cannot start
       with "-".

netapp-cluster::> security login create -user-or-group-name "domain\\user" -application ssh -authmethod publickey -role admin -vserver netapp-cluster

Error: command failed: failed to set field "username" to "domain\\user"
       Username does not meet configured requirements:
       Invalid character in username "\". Valid characters: A-Z, a-z, 0-9, ".", "_", and "-". Note that the username cannot start
       with "-".

netapp-cluster::>

chasb
10,206 Views
Found this on serverfault --- looked like it might be the same OP. Anyway, here is how I got this working on Cluster mode 8.3 (plagiarized from the serverfault posting):

First you have to add publickey authentication as an authentication method for the user you already created:

security login create -vserver mycluster -user-or-group-name billybob -application ssh -authmethod publickey

THEN you can create the public key:

security login publickey create -vserver mycluster -username billybob -publickey "ssh-rsa MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCqGKukO1De7zhZj6+H0qtjTkVxwTCpvKe4eCZ0FPqri0cb2JZfXJ/DgYSF6vUpwmJG8wVQZKjeGcjDOL5UlsuusFncCzWBQ7RKNUSesmQRMSGkVb1/3j+skZ6UtW+5u09lHNsj6tQ51s1SPrCBkedbNf0Tp0GbMJDyR4e9T04ZZwIDAQAB billybob@examplehost"

SHOW will show you what you got:

security login publickey show -vserver mycluster -username billybob
Vserver: mycluster
UserName: billybob Index: 0
Public Key:
ssh-rsa MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCqGKukO1De7zhZj6+H0qtjTkVxwTCpvKe4eCZ0FPqri0cb2JZfXJ/DgYSF6vUpwmJG8wVQZKjeGcjDOL5UlsuusFncCzWBQ7RKNUSesmQRMSGkVb1/3j+skZ6UtW+5u09lHNsj6tQ51s1SPrCBkedbNf0Tp0GbMJDyR4e9T04ZZwIDAQAB billybob@examplehost
Fingerprint:
1b:a3:53:9e:a5:ce:e4:b3:f8:65:b2:a5:d4:dc:ed:c4
Bubblebabble fingerprint:
xebon-block-rageg-black-faber-zihik-blink-sovam-crock-zokyb-clock
Comment:
Public
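
Added example, not part of the original thread and not NetApp code: a local pre-check in Python for the two-step procedure in the last reply. It tests a username against the character rule quoted in the "security login create" error above, confirms that a public-key line is well-formed OpenSSH wire format, and computes a colon-separated MD5 fingerprint to compare with the Fingerprint field of "security login publickey show". That the Fingerprint field is the MD5 of the decoded key blob is an assumption based on its 16-byte format; the function names and the sample key are constructed for illustration.

```python
import base64
import hashlib
import re

# Character rule quoted in the "security login create" error earlier in the thread.
USERNAME_RE = re.compile(r"[A-Za-z0-9._][A-Za-z0-9._-]*")

def username_ok(name):
    """True if the name passes the character rule from the ONTAP error text."""
    return USERNAME_RE.fullmatch(name) is not None

def parse_public_key(line):
    """Split an OpenSSH public-key line and check the blob is self-consistent."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("key body is not valid base64") from exc
    # OpenSSH wire format: 4-byte big-endian length, then the key type again.
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("blob does not start with the declared key type")
    return key_type, blob, comment

def md5_fingerprint(blob):
    """Colon-separated MD5 of the decoded blob (assumed to match ONTAP's field)."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def _ssh_string(data):
    return len(data).to_bytes(4, "big") + data

# Constructed sample: a toy-sized RSA blob (e=65537, tiny modulus), not a usable key.
SAMPLE_BLOB = _ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01") + _ssh_string(b"\x00\xc0\xff\xee" * 4)
SAMPLE_LINE = "ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode() + " billybob@examplehost"

if __name__ == "__main__":
    ktype, blob, comment = parse_public_key(SAMPLE_LINE)
    print(ktype, comment, md5_fingerprint(blob))
    print(username_ok("billybob"), username_ok("domain\\user"))
```

Run it against the contents of the .pub file before pasting the key into -publickey, then compare the printed fingerprint with what the cluster reports.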