ONTAP Discussions

Enabling ssh publickey authentication on Clustered Data ONTAP for Active Directory users

sbarnea

I am trying to load my ssh public key on a NetApp instance but it seems that it does not allow me to add my key.

lcy2-dosvm01::security login publickey> load-from-uri -uri http://pastebin.com/raw.phpi=mgB0Vq3x -username sorins

Error: command failed: invalid operation

lcy2-dosvm01::security login publickey> load-from-uri -uri http://pastebin.com/raw.phpi=mgB0Vq3x -username citrite\sorins

Error: command failed: entry doesn't exist

lcy2-dosvm01::security login publickey> load-from-uri -uri http://pastebin.com/raw.phpi=mgB0Vq3x -username citrite\\sorins

Error: command failed: invalid operation

I need to mention that my username used to login is citrite\\sorins because that's an AD account. The double backslash is required for bash, but I tried various options and it seems that the NetApp gives a useless error, like "invalid operation".

Re: Enabling ssh publickey authentication on Clustered Data ONTAP for Active Directory users

YIshikawa

Have you already created the user (login method entry, exactly) for ssh publickey authentication? Check "security login show".

Re: Enabling ssh publickey authentication on Clustered Data ONTAP for Active Directory users

marcusgross

Hi,

what's the output of:

security login show -username sorins

M.

Re: Enabling ssh publickey authentication on Clustered Data ONTAP for Active Directory users

sbarnea

lcy2-dosvm01::> security login show -username sorins

Error: "show" is not a recognized command

Re: Enabling ssh publickey authentication on Clustered Data ONTAP for Active Directory users

marcusgross

Hi,

Don't run the command in the context of the SVM.

sv98hbb1114::> security login show

Error: "show" is not a recognized command

sv98hbb1114::> exit

sg98hbb1054::> security login show

Vserver: sg98hbb1054
                             Authentication                  Acct
User/Group Name  Application Method         Role Name        Locked
---------------- ----------- -------------- ---------------- ------

...

M.

Re: Enabling ssh publickey authentication on Clustered Data ONTAP for Active Directory users

GDTechOps

I am having the same issue. I get "Error: command failed: entry doesn't exist" with any formulation of my AD username, including double quoted, single quoted, double backslashes, plain, etc. I have set up the user for other methods of authentication, and can log in fine by using the AD password, but I cannot get publickey to work. I have modified the info below to remove PII.

netapp-cluster::> security login show -user-or-group-name domain\user

Vserver: netapp-cluster
                             Authentication                  Acct
User/Group Name  Application Method         Role Name        Locked
---------------- ----------- -------------- ---------------- ------
domain\user       http        domain         admin            -
domain\user       ontapi      domain         admin            -
domain\user       ssh         domain         admin            -
3 entries were displayed.

netapp-cluster::> security login publickey create -username doman\user -index 0 -publickey "blah"

Error: command failed: entry doesn't exist

netapp-cluster::> security login publickey create -username doman\\user -index 0 -publickey "blah"

Error: command failed: entry doesn't exist

netapp-cluster::> security login publickey create -username 'doman\user' -index 0 -publickey "blah"

Error: command failed: entry doesn't exist

netapp-cluster::> security login publickey create -username "doman\user" -index 0 -publickey "blah"

Error: command failed: entry doesn't exist

netapp-cluster::> 

Re: Enabling ssh publickey authentication on Clustered Data ONTAP for Active Directory users

GDTechOps

After seeing a post about this here (http://serverfault.com/questions/729513/now-to-add-ssh-publickey-to-clustered-netapp-for-active-directory-user), I tried adding the authmethod to my user before adding the publickey, but that doesn't work either.

netapp-cluster::> security login create -user-or-group-name domain\user -application ssh -authmethod publickey -role admin -vserver netapp-cluster

Error: command failed: failed to set field "username" to "domain\user"
       Username does not meet configured requirements:
       Invalid character in username "\". Valid characters: A-Z, a-z, 0-9, ".", "_", and "-". Note that the username cannot start
       with "-".

netapp-cluster::> security login create -user-or-group-name domain\\user -application ssh -authmethod publickey -role admin -vserver netapp-cluster

Error: command failed: failed to set field "username" to "domain\\user"
       Username does not meet configured requirements:
       Invalid character in username "\". Valid characters: A-Z, a-z, 0-9, ".", "_", and "-". Note that the username cannot start
       with "-".

netapp-cluster::> security login create -user-or-group-name "domain\user" -application ssh -authmethod publickey -role admin -vserver netapp-cluster

Error: command failed: failed to set field "username" to "domain\user"
       Username does not meet configured requirements:
       Invalid character in username "\". Valid characters: A-Z, a-z, 0-9, ".", "_", and "-". Note that the username cannot start
       with "-".

netapp-cluster::> security login create -user-or-group-name "domain\\user" -application ssh -authmethod publickey -role admin -vserver netapp-cluster

Error: command failed: failed to set field "username" to "domain\\user"
       Username does not meet configured requirements:
       Invalid character in username "\". Valid characters: A-Z, a-z, 0-9, ".", "_", and "-". Note that the username cannot start
       with "-".

netapp-cluster::>

chasb

Found this on serverfault --- looked like it might be the same OP. Anyway, here is how I got this working on Cluster mode 8.3 (plagiarized from the serverfault posting):

First you have to add publickey authentication as an authentication method for the user you already created:

security login create -vserver mycluster -user-or-group-name billybob -application ssh -authmethod publickey

THEN you can create the public key:

security login publickey create -vserver mycluster -username billybob -publickey "ssh-rsa MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCqGKukO1De7zhZj6+H0qtjTkVxwTCpvKe4eCZ0FPqri0cb2JZfXJ/DgYSF6vUpwmJG8wVQZKjeGcjDOL5UlsuusFncCzWBQ7RKNUSesmQRMSGkVb1/3j+skZ6UtW+5u09lHNsj6tQ51s1SPrCBkedbNf0Tp0GbMJDyR4e9T04ZZwIDAQAB billybob@examplehost"

SHOW will show you what you got:

security login publickey show -vserver mycluster -username billybob
Vserver: mycluster
UserName: billybob Index: 0
Public Key:
ssh-rsa MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCqGKukO1De7zhZj6+H0qtjTkVxwTCpvKe4eCZ0FPqri0cb2JZfXJ/DgYSF6vUpwmJG8wVQZKjeGcjDOL5UlsuusFncCzWBQ7RKNUSesmQRMSGkVb1/3j+skZ6UtW+5u09lHNsj6tQ51s1SPrCBkedbNf0Tp0GbMJDyR4e9T04ZZwIDAQAB billybob@examplehost
Fingerprint:
1b:a3:53:9e:a5:ce:e4:b3:f8:65:b2:a5:d4:dc:ed:c4
Bubblebabble fingerprint:
xebon-block-rageg-black-faber-zihik-blink-sovam-crock-zokyb-clock
Comment:
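As an added pre-flight check for the procedure in this thread (editor's example, not code from the thread, from NetApp, or from the serverfault post): the script applies the username rule quoted verbatim in the ONTAP error messages above (A-Z, a-z, 0-9, ".", "_", "-", and no leading "-"), parses an OpenSSH public key line, confirms the base64 body is an OpenSSH wire blob whose embedded type string matches the declared type, and computes MD5 and SHA256 fingerprints so they can be compared with the Fingerprint line that `security login publickey show` prints. The sample key line is constructed inline and is not a real key; the assumption that ONTAP's colon-separated fingerprint is the MD5 of the decoded key blob (the value `ssh-keygen -l -E md5` prints) is the editor's, not something the thread states.

```python
import base64
import hashlib
import struct
from typing import Dict, List, Tuple

# Character set taken from the ONTAP error text quoted in this thread.
ALLOWED_USERNAME_CHARS = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789._-"
)


def username_problems(name: str) -> List[str]:
    """Return why ONTAP's stated username rule would reject NAME (empty list = accepted)."""
    problems: List[str] = []
    if not name:
        return ["username is empty"]
    if name.startswith("-"):
        problems.append('username cannot start with "-"')
    bad = sorted({c for c in name if c not in ALLOWED_USERNAME_CHARS})
    if bad:
        problems.append("invalid character(s): " + ", ".join(repr(c) for c in bad))
    return problems


def parse_openssh_pubkey(line: str) -> Tuple[str, bytes, str]:
    """Split '<type> <base64> [comment]' into (type, raw blob, comment) and sanity-check it."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, body = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    try:
        blob = base64.b64decode(body, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError(f"key body is not valid base64: {exc}") from None
    # OpenSSH wire format opens with a length-prefixed copy of the key type string.
    if len(blob) < 4:
        raise ValueError("key body too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError(f"key body is not in OpenSSH wire format for type {key_type}")
    return key_type, blob, comment


def fingerprints(blob: bytes) -> Tuple[str, str]:
    """MD5 colon-hex fingerprint (assumed to match ONTAP's display) and ssh-keygen-style SHA256."""
    md5_hex = hashlib.md5(blob).hexdigest()
    md5_colon = ":".join(md5_hex[i:i + 2] for i in range(0, 32, 2))
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return md5_colon, "SHA256:" + sha


def preflight(username: str, key_line: str) -> Dict[str, object]:
    """Check both inputs and return a report; 'ok' is True only when username and key both pass."""
    report: Dict[str, object] = {
        "username_problems": username_problems(username),
        "key_error": None, "key_type": None, "comment": None,
        "md5_fingerprint": None, "sha256_fingerprint": None,
    }
    try:
        key_type, blob, comment = parse_openssh_pubkey(key_line)
        report["key_type"], report["comment"] = key_type, comment
        report["md5_fingerprint"], report["sha256_fingerprint"] = fingerprints(blob)
    except ValueError as exc:
        report["key_error"] = str(exc)
    report["ok"] = not report["username_problems"] and report["key_error"] is None
    return report


def _ssh_string(b: bytes) -> bytes:
    """Length-prefixed string as used in the OpenSSH wire format."""
    return struct.pack(">I", len(b)) + b


# Constructed sample, NOT a real key: an ssh-rsa wire blob with e=65537 and a dummy
# 33-byte modulus (leading 0x00 because the high bit of the first byte is set).
SAMPLE_BLOB = (
    _ssh_string(b"ssh-rsa")
    + _ssh_string(b"\x01\x00\x01")
    + _ssh_string(b"\x00\xc5" + bytes(range(1, 33)))
)
SAMPLE_LINE = "ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode() + " billybob@examplehost"

if __name__ == "__main__":
    for user in ("billybob", "domain\\user", "-billybob"):
        print(f"{user!r}: {username_problems(user) or 'ok'}")
    for key, value in preflight("billybob", SAMPLE_LINE).items():
        print(f"{key}: {value}")
```

Run it before `security login create ... -authmethod publickey` and `security login publickey create`: a username it rejects is rejected by ONTAP with exactly the message quoted in this thread, and the MD5 line lets you confirm that the key ONTAP stored is the one you meant to load. One caveat: the key body in the reply above begins with `MIGfMA0G...`, which is a DER-encoded SubjectPublicKeyInfo rather than an OpenSSH wire blob (keys written by `ssh-keygen` begin with `AAAA`), so this checker would report it as a format error even though ONTAP accepted it.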