Enabling SSH multifactor authentication (MFA)

Starting with ONTAP 9.3, you can use the security login create command to enhance security by requiring that administrators log in to an admin or data SVM with both an SSH public key and a user password.

Before you begin

You must be a cluster administrator to perform this task.

About this task

Procedure

Require local administrator accounts to access an SVM using SSH MFA:

security login create -vserver SVM -user-or-group-name user_name -application ssh -authentication-method password|publickey -role admin -second-authentication-method password|publickey

The following command requires the SVM administrator account admin2 with the predefined admin role to log in to the SVM engData1 with both an SSH public key and a user password:

cluster-1::> security login create -vserver engData1 -user-or-group-name admin2 -application ssh -authentication-method publickey -role admin -second-authentication-method password

Please enter a password for user 'admin2':
Please enter it again:
Warning: To use public-key authentication, you must create a public key for user "admin2".

After you finish

If you have not associated a public key with the administrator account, you must do so before the account can access the SVM.

Associating a public key with a user account