
Enable SSH public key accounts

Contributors netapp-forry netapp-ahibbard

You can use the security login create command to enable administrator accounts to access an admin or data SVM with an SSH public key.

About this task
  • You must associate the public key with the account before the account can access the SVM.

    You can perform this task before or after you enable account access.

  • If you are unsure of the access control role that you want to assign to the login account, you can use the security login modify command to add the role later.

If you want to enable FIPS mode on your cluster, existing SSH public key accounts that do not use a supported key algorithm must be reconfigured with a supported key type. Reconfigure the accounts before you enable FIPS, or administrator authentication will fail.

The following table indicates host key type algorithms that are supported for ONTAP SSH connections. These key types do not apply to configuring SSH public key authentication.

| ONTAP release | Key types supported in FIPS mode | Key types supported in non-FIPS mode |
|---|---|---|
| 9.11.1 and later | ecdsa-sha2-nistp256 | ecdsa-sha2-nistp256, rsa-sha2-512, rsa-sha2-256, ssh-ed25519, ssh-dss, ssh-rsa |
| 9.10.1 and earlier | ecdsa-sha2-nistp256, ssh-ed25519 | ecdsa-sha2-nistp256, ssh-ed25519, ssh-dss, ssh-rsa |

Note: Support for the ssh-ed25519 host key algorithm is removed beginning with ONTAP 9.11.1.

For more information, see Configure network security using FIPS.
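
As an added example (not NetApp code), the following Python checks an SSH client's known_hosts content against the FIPS-mode column of the host key table above and returns the pinned host key types for a cluster that are not in that column for a given ONTAP release. The host names, key blobs and function names are constructed for illustration.

```python
import base64, hashlib, hmac

# FIPS-mode column of the host key table above, keyed by table row.
FIPS_HOST_KEY_TYPES = {
    "9.11.1 and later": {"ecdsa-sha2-nistp256"},
    "9.10.1 and earlier": {"ecdsa-sha2-nistp256", "ssh-ed25519"},
}

def table_row(release):
    """Map a dotted ONTAP release such as '9.12.1' to its row in the table."""
    version = tuple(int(part) for part in release.split("."))
    if version >= (9, 11, 1):
        return "9.11.1 and later"
    if version <= (9, 10, 1):
        return "9.10.1 and earlier"
    raise ValueError(f"release {release} is not covered by the table")

def host_matches(entry, host):
    """Compare one known_hosts name, plain or hashed (|1|salt|HMAC-SHA1), to host."""
    if entry.startswith("|1|"):
        _, _, salt, mac = entry.split("|")
        want = hmac.new(base64.b64decode(salt), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(want, base64.b64decode(mac))
    return entry == host  # plain names only; wildcard patterns are not matched

def unsupported_pins(known_hosts, host, release):
    """Pinned host key types for host that are not in the FIPS-mode column."""
    allowed = FIPS_HOST_KEY_TYPES[table_row(release)]
    found = []
    for line in known_hosts.splitlines():
        fields = line.split()
        # Skip blanks, comments and @cert-authority/@revoked lines: not pins.
        if len(fields) < 3 or fields[0][0] in "#@":
            continue
        names, key_type = fields[0].split(","), fields[1]
        if key_type not in allowed and any(host_matches(n, host) for n in names):
            found.append(key_type)
    return found

# Constructed sample: hypothetical cluster name and placeholder key blobs.
SAMPLE = """\
cluster1.example.com,192.0.2.10 ssh-ed25519 AAAAconstructed1
cluster1.example.com ecdsa-sha2-nistp256 AAAAconstructed2
other.example.com ssh-rsa AAAAconstructed3
"""

if __name__ == "__main__":
    for rel in ("9.10.1", "9.12.1"):
        print(rel, unsupported_pins(SAMPLE, "cluster1.example.com", rel))
```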

Before you begin

You must be a cluster administrator to perform this task.

Step
  1. Enable local administrator accounts to access an SVM using an SSH public key:

    security login create -vserver SVM_name -user-or-group-name user_or_group_name -application application -authmethod authentication_method -role role -comment comment

    For complete command syntax, see the worksheet.

    The following command enables the SVM administrator account svmadmin1 with the predefined vsadmin-volume role to access the SVM engData1 using an SSH public key:

    cluster1::> security login create -vserver engData1 -user-or-group-name svmadmin1 -application ssh -authmethod publickey -role vsadmin-volume

After you finish

If you have not associated a public key with the administrator account, you must do so before the account can access the SVM.