One of my power users has role-based restricted access to the FAS using an ssh-rsa 2048 public key only. This previously worked OK; we started at ONTAP 9.1, then 9.2, and until recently were on 9.3P4, all working OK for about 2 years.
The Problem:
The user can no longer access the FAS using the pubkey. I suspect, but I cannot be certain, that this broke when we updated to 9.4.P3 in December 2018. The error is: key type ssh-rsa not in PubkeyAcceptedKeyTypes. I also tried a new ssh-ed25519 key; both have the same error. See below:
--------------
00000018.001cc78e 0dcc3fa7 Sat Mar 02 2019 12:04:13 +00:00 [auth_sshd:info:8218] userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedKeyTypes [preauth]
00000018.001cc78f 0dcc3fa7 Sat Mar 02 2019 12:04:13 +00:00 [auth_sshd:info:8218] userauth_pubkey: key type ssh-ed25519 not in PubkeyAcceptedKeyTypes
--------------
The ssh keys are good. I checked the fingerprint at both ends and tested against other servers (Linux / AIX); both worked with the keys OK. Also, SSH password-based access to the FAS works fine. The MFA second authentication method is set to none.
Question:
1) Has anybody seen this before? I am struggling to get any good hits googling the error message for ONTAP.
Linux hits indicate sshd_config can be updated to allow key types removed at later SSH 7.x levels, for example to allow ssh-dss, which was removed from the defaults at OpenSSH 7.x.
2) I cannot see any means of querying or modifying the ONTAP (FAS) settings for PubkeyAcceptedKeyTypes.
I am able to log a support ticket via the NETAPP Partner IBM, who provide our L1/L2 support before it escalates to NETAPP directly via IBM if they cannot resolve it. However, I want to ask in the community first and potentially build a stronger testcase to demonstrate the problem.