ONTAP Discussions

Multi-admin verify and ssh key-based authentication

LieuentantLefse
267 Views

We typically use ssh key-based authentication in our environment for the increased security over password auth. I'm looking into setting up Multi-admin verification for things like volume deletes. However in testing, I noticed that any admin can change any others' public keys, and therefore log in as any other MAV admin.

 

By default, MAV creates a rule to restrict "security login password", but not to restrict "security login publickey", and you can't add such a rule either:

> security multi-admin-verify rule create -operation "security login publickey" -query "-multi-admin-approver true -different-user true"

Error: command failed: Operation "security login publickey" is not supported by this feature.

 

This seems like a huge hole, or am I misunderstanding something here?

0 REPLIES 0
Public