How do I configure a CIFS only NetApp filer for ssh public-private key access?

Question

I've a NetApp filer that's running exclusively CIFS. (/vol/vol0 is CIFS exported) Account logins via ssh are possible as DOMAIN\username, but we're having difficulty with configuring ssh public-private key pairs.

Normally we'd create an authorized_keys file in order to allow access, but can't figure out the account mapping. (Filer login as DOMAIN\username works, but not as just username)

How do we go about setting this up?

Answer 1

The thing that you're missing is that the filer is being very literal in terms of finding an authorized_keys file. Specifically it looks in:

/etc/sshd/username/.ssh/authorized_keys

The problem here is - you need to set username to DOMAIN\username which isn't a valid windows filename. (Creating a directory called .ssh is problematic too) You can do this from the box, using mv though.

1. Log in to your linux box.
2. Generate a public-private key pair with ssh-keygen -t rsa
3. open the 'vol0' cifs export \\filername\c$ from a windows host.
4. Create a directory etc/sshd/<username>/ssh
5. Create a file in this directory authorized_keys
6. paste into this file the contents of id_rsa.pub from your linux box. (Can also use PuTTY keys).
7. Log into the filer via ssh (you'll still need your password)
8. mv /etc/sshd/<username>/ssh /etc/sshd/<username>/.ssh
9. mv /etc/sshd/<username> /etc/sshd/<DOMAIN\username>
10. This will look like DOMAIN~1 or similar on your Windows box, because it's not a valid filename.
11. priv set -q advanced; ls /etc/sshd will show you it correctly.
12. log out

13. Add to your linux box .ssh/config:

    Host *
        User DOMAIN\username
    

14. Verify you can now ssh using ssh filername version. No password should be requested.

You can troubleshoot be looking in /vol0/etc/log/auditlog.

Answer 2

The way I do it is:

secureadmin setup ssh

This creates \filer\etc$\sshd for you.