ONTAP Discussions

MFA for SSH access to OnTap

DinoBob

I have been reading about this lately. It says in the documentation that only local accounts are supported but also seems to say that LDAP/NIS are supported. I maintain an Active Directory domain in my enterprise, and while domain authentication is not supported for MFA/SSH, could I instead configure LDAP to point to my AD domain and leverage that to support MFA for CLI access via SSH? We use Ping MFA.


Thanks.

3 REPLIES

CHRISMAKI

My take on the documentation is that no matter what method of primary authentication you're using, local account or LDAP/NIS, the second factor can only be publickey. If you want to use an external Identity Provider other than AD/LDAP/NIS, the only applications supported are http and ontapi, not ssh. You can verify this yourself by going to the command line and typing:


security login create -user-or-group-name "domain\group" -application ontapi -authentication-method ?

Then do the same as above but swap ontapi for any of the other applications.

DinoBob

Thanks. We use Active Directory accounts for administration. It does not seem that they can be used for password/publickey authentication. But could we configure accounts for LDAP and point that LDAP to AD, and leverage that for MFA for SSH connections? That way we could still use our AD accounts to connect and still get MFA.

CHRISMAKI

Hi Bob,


You're right, if you're using domain as your primary authentication method for ssh, there is no secondary option. If you're using local account or nsswitch as your primary method, then you can use publickey for your secondary.
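The constraints the thread settles on (publickey as the only second factor for ssh, available with a local-account or nsswitch primary but not with domain) translate directly into an audit. The script below is an added example, not NetApp's code or anything posted in the thread: it parses the kind of table that `security login show -fields user-or-group-name,application,authentication-method,second-authentication-method` produces, flags ssh logins with no second factor, and tells you which of those can actually be fixed. The sample output, the cluster name and the user names are constructed; the `security login modify ... -second-authentication-method publickey` syntax it renders for remediation is an assumption based on ONTAP 9.3+ documentation and should be checked against your cluster's own `?` help output, as CHRISMAKI suggests above.

```python
"""Audit ONTAP 'security login show' output for ssh logins without a second factor.

Added example for this thread, not NetApp's code. It assumes the column layout
produced by
  security login show -fields user-or-group-name,application,authentication-method,second-authentication-method
The sample output below is constructed, not captured from a real cluster.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample output (hypothetical cluster "cluster1"; all names are made up).
SAMPLE_OUTPUT = """\
vserver  user-or-group-name  application authentication-method second-authentication-method
-------- ------------------- ----------- --------------------- ----------------------------
cluster1 admin               ssh         password              publickey
cluster1 admin               ontapi      password              none
cluster1 opsuser             ssh         password              none
cluster1 nssadmin            ssh         nsswitch              publickey
cluster1 CORP\\storage-admins ssh        domain                none
cluster1 svc-backup          ssh         publickey             none
6 entries were displayed.
"""

# Audit outcomes, following the constraints stated in the thread.
MFA_ENABLED = "mfa-enabled"                  # a second factor is configured
MFA_MISSING_FIXABLE = "mfa-missing-fixable"  # password/nsswitch primary: publickey second factor can be added
MFA_UNSUPPORTED = "mfa-unsupported-domain"   # domain primary: ONTAP offers no second factor for ssh
MFA_MISSING_REVIEW = "mfa-missing-review"    # other primary (e.g. publickey alone): not covered by the thread


@dataclass(frozen=True)
class Login:
    vserver: str
    name: str
    application: str
    primary: str
    second: str


def parse_login_show(text: str) -> list[Login]:
    """Parse the -fields table: header line, dashed separator, rows, trailer line."""
    logins: list[Login] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("vserver") or line.startswith("---"):
            continue
        if line.endswith("entries were displayed.") or line.endswith("entry was displayed."):
            continue
        parts = line.split()
        if len(parts) != 5:
            raise ValueError(f"unexpected row layout: {line!r}")
        logins.append(Login(*parts))
    return logins


def audit_ssh_mfa(logins: list[Login]) -> dict[str, str]:
    """Map each ssh login's user/group name to one of the outcomes above.

    Only the ssh application is examined; the thread notes that external IdPs
    are offered for http and ontapi, so those logins are out of scope here.
    """
    result: dict[str, str] = {}
    for login in logins:
        if login.application != "ssh":
            continue
        if login.second != "none":
            result[login.name] = MFA_ENABLED
        elif login.primary == "domain":
            result[login.name] = MFA_UNSUPPORTED
        elif login.primary in ("password", "nsswitch"):
            result[login.name] = MFA_MISSING_FIXABLE
        else:
            result[login.name] = MFA_MISSING_REVIEW
    return result


def remediation_command(login: Login) -> str:
    """Render the 'security login modify' line that adds a publickey second factor.

    Assumed syntax: the -second-authentication-method parameter as documented
    for ONTAP 9.3 and later; confirm with '?' on your own cluster before use.
    """
    return (
        f"security login modify -vserver {login.vserver} "
        f"-user-or-group-name {login.name} -application ssh "
        f"-authentication-method {login.primary} "
        f"-second-authentication-method publickey"
    )


if __name__ == "__main__":
    logins = parse_login_show(SAMPLE_OUTPUT)
    findings = audit_ssh_mfa(logins)
    for login in logins:
        if login.application != "ssh":
            continue
        status = findings[login.name]
        print(f"{login.name}: {status}")
        if status == MFA_MISSING_FIXABLE:
            print(f"    {remediation_command(login)}")
```

Paste real `security login show -fields ...` output in place of `SAMPLE_OUTPUT` to run it against a cluster. The `mfa-unsupported-domain` rows are the ones this thread is really about: no modify command will give those logins a second factor, so the only paths are the ones discussed here (re-creating the admins as local or nsswitch-backed logins, or moving that access to http/ontapi where an external IdP is allowed).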
