Contributors netapp-pcarriga netapp-dbagwell

After SSH is enabled on the cluster using the EnableSSH method, you can use the SignSshKeys method to gain access to a shell on a node.

sfreadonly is a new system account as of Element 12.5 that allows for basic troubleshooting on a node. This API enables SSH access using the sfreadonly system account across all nodes in the cluster.

Warning Unless advised by NetApp Support, any alterations to the system are unsupported, voiding your support contract, and may result in instability or inaccessibility of data.

After you use the method, you must copy the keychain from the response, save it to the system that will be initiating the SSH connection, then run the following command:

ssh -i <identity_file> sfreadonly@<node_ip>

identity_file is a file from which the identity (private key) for public key authentication is read and node_ip is the IP address of the node. For more information on identity_file, see the SSH man page.


This method has the following input parameters:

Name Description Type Default value Required


Integer from 1 to 24 reflecting number of hours for signed key to be valid. If duration is not specified, the default is used.





If provided, this parameter will only return the signed_public_key instead of creating a full keychain to the user.

Note Public keys submitted using the URL bar in a browser with + are interpreted as spaced and break signing.





Allows access to the sfadmin shell account when you make the API call with supportAdmin cluster access, or when the node is not in a cluster.




Return values

This method has the following return values:

Name Description Type


Contains the identity in the signed key, the principals allowed, and the valid start and end dates for the key.



A private SSH key value is only returned if the API is generating a complete keychain for the end user.

Note The value is Base64 encoded; you must decode the value when it is written to a file to ensure that it is read as a valid private key.



A public SSH key value is only returned if the API is generating a complete keychain for the end user.

Note When you pass a public_key parameter to the API method, only the signed_public_key value is returned in the response.



The SSH public key that results from signing the public key, whether this was user provided or generated by API.


Request example

Requests for this method are similar to the following example:

    "method": "SignSshKeys",
    "params": {
        "duration": 2,
    "id": 1

Response example

This method returns a response similar to the following example:

  "id": null,
  "result": {
    "signedKeys": {
      "keygen_status": <keygen_status>,
      "signed_public_key": <signed_public_key>

In this example, a public key is signed and returned that is valid for the duration (1-24 hours).

New since version