
I am trying to load my ssh public key on a NetApp instance but it seems that it does not allow me to add my key.

    lcy2-dosvm01::security login publickey> load-from-uri -uri http://pastebin.com/raw.phpi=mgB0Vq3x -username sorins

    Error: command failed: invalid operation

    lcy2-dosvm01::security login publickey> load-from-uri -uri http://pastebin.com/raw.phpi=mgB0Vq3x -username domain\sorins

    Error: command failed: entry doesn't exist

Attempt 2

    lcy2-dosvm01::security login publickey> load-from-uri -uri http://pastebin.com/raw.phpi=mgB0Vq3x -username domain\\sorins

    Error: command failed: invalid operation

Attempt 3

    lcy2-dosvm01::security login publickey> security login publickey> create -username citrite\sorins -index 0 -publickey "ssh-rsa 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 Sorin Sbarnea 20150723"

    Error: "publickey>" is not a recognized command

I need to mention that the username I use to log in is domain\\sorins because that's an AD account. The double backslash is required for bash, but I tried various options and it seems that the NetApp gives a useless error, like "invalid operation".

sorin
  • That's the correct syntax. Are you sure that your URI is correct and that you can reach it from the cluster management LIF? Try to ping the IP address of the URI using `net ping`. – Basil Oct 16 '15 at 20:37
  • Does `security login domain-tunnel show` show that your user is tunneling properly? – Basil Oct 16 '15 at 20:43
  • Never mind, I think I found your problem, posting it in an answer – Basil Oct 16 '15 at 20:44
  • It doesn't work as it tries to look for the username in the list, which it doesn't find, and gives an error –  Oct 17 '16 at 23:12

3 Answers


From the manual about authentication methods for user accounts, it looks like domain and publickey are two separate authentication methods. I can't find anything about how to use them at the same time. There's only one authmethod parameter per login method, as far as I can tell, so if your login method is ssh, your authmethod can be either domain or publickey. See also the man page for security login create.

Basil
  • Still investigating this, so far I was not able to find a solution... – sorin Oct 20 '15 at 11:32
  • My point is that I don't think you can do what you're trying to do. – Basil Oct 21 '15 at 11:27
  • We have managed to bodge a solution to this in 7mode. I don't know if it's applicable to CDOT though. It involves renaming a directory to something invalid under Windows. – Sobrique Nov 09 '15 at 14:46

Have recently had to do this. Note - this is for 7-mode, I don't know for sure if it'll work with CDOT. But I'm posting it because we did definitely get ssh public key working with domain user accounts.

There is a way, but it's a bit on the nasty side - you see, you do need to have a 'ssh' directory that matches your Domain name - and that means you do need a directory name with a backslash in it!

  • Generate a key pair with `ssh-keygen -t dsa` (might want rsa - but older versions of filer like dsa better)
  • Copy `id_dsa.pub` to your filer 'vol0' under `/etc/sshd/<username>/ssh/authorized_keys`
  • Log in to the filer via ssh
  • rename the directories:
    • `mv /etc/sshd/username/ssh /etc/sshd/username/.ssh`
    • `mv /etc/sshd/username /etc/sshd/DOMAIN\username`
  • It will look like an 'old style' filename from Windows e.g. DOMAIN~1

You should then be able to set your default login name on ssh to DOMAIN\username

I would assume this would work for CDOT, but might take a degree of hackery to get to the right place. (I can't say for sure I'm afraid - I don't run CDOT - but this is posted in case it's relevant/useful).

Sobrique
  • CDOT doesn't have the same concept of a directory structure for a SVM- it might still be possible to hack it in, but not by changing /etc on a node. – Basil Nov 10 '15 at 17:27

Here is what I got working with 8.3:

First you have to add publickey authentication as an authentication method for the user you already created:

    Cluster::> security login create -vserver <vserver> -user-or-group-name <username> -application ssh -authmethod publickey

THEN you can create the public key:

    Cluster::> security login publickey create -vserver <vserver> -username <username> -index 0 -publickey "ssh-rsa MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCqGKukO1De7zhZj6+H0qtjTkVxwTCpvKe4eCZ0FPqri0cb2JZfXJ/DgYSF6vUpwmJG8wVQZKjeGcjDOL5UlsuusFncCzWBQ7RKNUSesmQRMSGkVb1/3j+skZ6UtW+5u09lHNsj6tQ51s1SPrCBkedbNf0Tp0GbMJDyR4e9T04ZZwIDAQAB username@examplehost"

From your description it looks like you need to create the authentication method first.
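Added example, not code from any of the answers above: a stand-alone Python check that validates an authorized_keys-style line in the form ssh-keygen writes it (declared type, then a base64 blob whose first length-prefixed field repeats that type), computes the SHA256 fingerprint you can compare against the key the cluster stores, and emits the two ONTAP commands in the order the last answer gives (login entry with `-authmethod publickey` first, then `security login publickey create`). The sample key, the vserver name `vs1` and the index are constructed placeholders; the cluster commands are the ones quoted above.

```python
import base64
import hashlib
import struct

# Key types whose one-line OpenSSH form is "<type> <base64 blob> [comment]".
KNOWN_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
               "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def parse_openssh_pubkey(line: str) -> dict:
    """Validate an authorized_keys-style line and return type, blob, comment
    and SHA256 fingerprint; raise ValueError if it is not OpenSSH format
    (e.g. a PEM body does not start with the length-prefixed key type)."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2 or parts[0] not in KNOWN_TYPES:
        raise ValueError("expected '<type> <base64> [comment]' with a known type")
    keytype, b64 = parts[0], parts[1]
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:
        raise ValueError("key blob is not valid base64") from exc
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("blob does not start with the declared key type")
    fp = "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    comment = parts[2] if len(parts) == 3 else ""
    return {"type": keytype, "blob_b64": b64, "comment": comment, "fingerprint": fp}


def ontap_commands(vserver: str, username: str, line: str, index: int = 0) -> list:
    """The two commands in the order the answer gives: authmethod first, then key."""
    key = parse_openssh_pubkey(line)
    pub = f'{key["type"]} {key["blob_b64"]} {key["comment"]}'.strip()
    return [
        f"security login create -vserver {vserver} -user-or-group-name {username} "
        f"-application ssh -authmethod publickey",
        f"security login publickey create -vserver {vserver} -username {username} "
        f'-index {index} -publickey "{pub}"',
    ]


# Constructed sample key (all-zero ed25519 point, NOT a real key) for the demo.
SAMPLE_LINE = "ssh-ed25519 " + base64.b64encode(
    _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(32))).decode() + " sorins@example"

if __name__ == "__main__":
    print(parse_openssh_pubkey(SAMPLE_LINE)["fingerprint"])
    print("\n".join(ontap_commands("vs1", "sorins", SAMPLE_LINE)))
```

Run it against your own `id_*.pub` line instead of `SAMPLE_LINE`; if the blob check fails, the file is not in the OpenSSH format that `-publickey` expects.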