ONTAP Discussions

MFA for SSH access to OnTap

DinoBob
3,616 Views

I have been reading about this lately. It says in the documentation that only local accounts are supported but also seeems to say that LDAP/NIS are supported. I maintain an Active Directory domain in my enterprise, and while domain authentication is not supported for MFA/SSH, could I instead configure LDAP to point to my AD domain and leverage that to support MFA for CLI access via SSH? We use Ping MFA.

 

Thanks.  

3 REPLIES 3

CHRISMAKI
3,556 Views

My take on the documentation is that no matter what method of primary authentication you're using, local account or LDAP/NIS, the second factor can only be publickey. If you want to use an external Identity Provider other than AD/LDAP/NIS, the only applications supported are http and ontapi, not ssh. You can verify this yourself by going to the command line and typing:

 

security login create -user-or-group-name "domain\group" -application ontapi -authentication-method ?

Then do the same as above but swap ontapi for any of the other applications.

DinoBob
3,519 Views

Thanks. We use Active Directory accounts for administration.  It does not seem that they can be used for password/publickey authentication. But could we configure accounts for LDAP and point that LDAP to AD, and leverage that for MFA for SSH connections? That way we could still use our AD accounts to connect and still get MFA.

CHRISMAKI
3,507 Views

Hi Bob,

 

You're right, if you're using domain as your primary authentication method for ssh, there is not secondary option. If you're using local account or nsswitch as your primary method, then you can use publickey for your secondary.

Public