ONTAP Discussions

Is it possible to use Hashicorp Vault ssh plugin for One Time Password generation with ONTAP?

JonathanAlexander
We are looking at the possibility of using HashiCorp Vault to manage ONTAP local account access and auditing.

One method Vault offers is an SSH Secrets Engine that can generate a one-time password when an authorized user requests it.

More info on Vault OTP configuration can be found here:
https://learn.hashicorp.com/tutorials/vault/ssh-otp

Essentially this method requires downloading a vault-ssh-helper executable and storing it in the usr/local/bin location on the host that you want Vault to manage SSH secrets for. Some modifications of the /etc/pam.d/ssh and /etc/ssh/sshd_config files to leverage the vault-ssh-helper are also required.

Before digging too much deeper into this approach, is this something that would be possible with ONTAP?  And would it be a supported configuration?

Thanks in advance
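Added example, not part of the original post and not HashiCorp or NetApp code: a Python check, for a generic Linux host, of the sshd and PAM changes that the linked Vault OTP tutorial calls for. The setting names and helper arguments follow that tutorial as an assumption, and the sample file contents are constructed.

```python
def sshd_settings(text):
    """First value seen per keyword in the global section (sshd keeps the first)."""
    seen = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.lower().startswith("match "):
            break  # stop before conditional blocks
        parts = line.split(None, 1)
        if len(parts) == 2:
            seen.setdefault(parts[0].lower(), parts[1].strip().lower())
    return seen


def check_otp_host(sshd_text, pam_text, helper="/usr/local/bin/vault-ssh-helper"):
    """Return the findings that still block or weaken OTP-only SSH logins."""
    cfg, problems = sshd_settings(sshd_text), []
    # KbdInteractiveAuthentication is the newer name of ChallengeResponseAuthentication.
    kbd = cfg.get("kbdinteractiveauthentication") or cfg.get("challengeresponseauthentication")
    if kbd != "yes":
        problems.append("keyboard-interactive authentication is not enabled")
    if cfg.get("usepam") != "yes":
        problems.append("UsePAM is not 'yes', so the PAM hook never runs")
    if cfg.get("passwordauthentication") != "no":
        problems.append("PasswordAuthentication is not 'no'")
    active = [l.split() for l in pam_text.splitlines()
              if l.strip() and not l.lstrip().startswith("#")]
    hook = [f for f in active if f[0] == "auth" and "pam_exec.so" in f and helper in f]
    if not hook:
        problems.append("no auth pam_exec.so line runs the helper")
    else:
        if hook[0][1] not in ("requisite", "required"):
            problems.append("helper line is not requisite/required")
        if "-dev" in hook[0]:
            problems.append("helper runs with -dev (development mode)")
    if any(f[:2] == ["@include", "common-auth"] for f in active):
        problems.append("common-auth is still included in the auth stack")
    return problems


# Constructed sample file contents, not taken from any real host.
SSHD_OK = "ChallengeResponseAuthentication yes\nUsePAM yes\nPasswordAuthentication no\n"
PAM_OK = ("#@include common-auth\n"
          "auth requisite pam_exec.so quiet expose_authtok log=/var/log/vault-ssh.log "
          "/usr/local/bin/vault-ssh-helper -config=/etc/vault-ssh-helper.d/config.hcl\n"
          "auth optional pam_unix.so not_set_pass use_first_pass nodelay\n")
SSHD_BAD = "UsePAM yes\nPasswordAuthentication yes\n"
PAM_BAD = ("@include common-auth\n"
           "auth requisite pam_exec.so quiet expose_authtok "
           "/usr/local/bin/vault-ssh-helper -dev -config=/etc/vault-ssh-helper.d/config.hcl\n")
```

An empty list from `check_otp_host` means the host matches the tutorial's layout; whether ONTAP exposes these files at all is the open question of this thread.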

paul_stejskal
There's support for KMIP, it looks like. I don't think modifying SSH config works like that, so I would talk to the account team and see what is needed to get a supported configuration. I don't think it's impossible, but definitely the account team can reach out to internal resources to get confirmation or a fPVR if needed.