ONTAP Discussions

Login over SSH - missing required capability

rozle_palcar
7,956 Views

Hello,

 

On one of our systems (FAS2040, DOT 8.1.3) we started to get errors about missing 'login-ssh' capability. Even if we create new user with administrative privileges we can't connect over SSH. Only 'root' and 'administrator' users are capable of connecting to system.

 

Here is overview of one of users with which we have problems:

 

User:

Name: splunkuser
Info:
Rid: 131081
Groups: Administrators

 

Group:

Name: Administrators
Info: Members can fully administer the filer
Rid: 544
Roles: root,admin

 

Roles:

Name:    admin
Info:    Default role for administrator privileges.
Allowed Capabilities: login-*,cli-*,api-*,security-*

 

 

Any ideas what could be problem? I tried to manually add 'login-ssh' role to this and other users, but it is the same. I also tried creating new user, but we hit same issue.

 

On partner node there is the same configuration of users, groups and roles and everything is working ok.

 

 

Best Regards,

Rozle

 

 

4 REPLIES 4

MOHIT_FUJITSU
7,831 Views

First, login directly to the filer and then try SSH from the unix host.

rozle_palcar
7,829 Views

It is the same - looks like it doesn't even recognize password. I am 100% sure password entered was correct, because I changed it with 'passwd' 10s before:

 

[xxx: sshd_2:info]: Failed password for splunkuser from xxxxxxxxxxx port 60446ssh2

 

And when we have login with key, we got:

 

[xxx:useradminx.unauthorized.user:warning]: User 'splunkuser' denied access - missing required capability: 'login-ssh'

 

 

JGPSHNTAP
7,818 Views

Your splunkuser role is messed up... 

 

You need to follow the splunk document for the app for splunk to make sure that you give it the rights perms for the app to work properly.

Vidhs
5,353 Views

Noticed the same issue for me too.

 

User created in administrator group couldn't login while it can on the partner node without issues.

 

Upon all comparisions, noticed this change in options for 'security.admin.authentication'

 

 

Not working : security.admin.authentication nsswitch

 

working one : security.admin.authentication internal

 

 

changed this option to internal and could see user loggin in without any issues and resolves the problem.

Public