ONTAP Discussions

Is it possible to use Hashicorp Vault ssh plugin for One Time Password generation with ONTAP?

JonathanAlexander

We are looking at the possibility to use Hashicorp vault manage ONTAP local account access and auditing.

One method Vault offers is an SSH Secrets Engine that can generate a one time password when an authorized user requests it.  

 

more info on Vault OTP configuration can be found here:
https://learn.hashicorp.com/tutorials/vault/ssh-otp

Essentially this method requires downloading a vault-ssh-helper executable and storing it in the usr/local/bin location on the host that you want Vault to manage ssh secrets for.   Some modifications of the /etc/pam.d/ssh and /etc/ssh/sshd_config files to  leverage the vault ssh helper is also required.

Before digging too much deeper into this approach, is this something that would be possible with ONTAP?  And would it be a supported configuration?

Thanks in advance

1 REPLY 1

Re: Is it possible to use Hashicorp Vault ssh plugin for One Time Password generation with ONTAP?

paul_stejskal

There's support for KMIP looks like. I don't think modifying SSH config works like that, so I would talk to the account team and see about what is needed to get a supported configuration. I don't think it's impossible, but definitely the account team can reach out to internal resources to get confirmation or a fPVR if needed.

Earn Rewards for Your Review!
GPI Review Banner
All Community Forums
Public