Enable SSH public key accounts

Contributors netapp-forry netapp-ahibbard

You can use the security login create command to enable administrator accounts to access an admin or data SVM with an SSH public key.

What you’ll need

You must be a cluster administrator to perform this task.

About this task
  • You must associate the public key with the account before the account can access the SVM.

    You can perform this task before or after you enable account access.

  • If you are unsure of the access control role that you want to assign to the login account, you can use the security login modify command to add the role later.

If you want to enable SSL FIPS mode on a cluster where administrator accounts authenticate with an SSH public key before accessing SVMs, you must ensure that the host key algorithm is supported before enabling FIPS.

Note: Host key algorithm support has changed in ONTAP 9.11.1 and later releases.

| ONTAP release | Supported key types | Unsupported key types |
|---|---|---|
| 9.11.1 and later | ecdsa-sha2-nistp256 | rsa-sha2-512, rsa-sha2-256, ssh-ed25519, ssh-dss, ssh-rsa |
| 9.10.1 and earlier | ecdsa-sha2-nistp256, ssh-ed25519 | ssh-dss, ssh-rsa |

Existing SSH public key accounts without the supported key algorithms must be reconfigured with a supported key type before enabling FIPS, or the administrator authentication will fail.

For more information, see Configure network security using FIPS.
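One way to find accounts that need a new key before FIPS is enabled is to read the key type from each account's public key and compare it with the key-type table above. The following is an added example, not NetApp code: the function names, the accounts svmadmin2 and svmadmin3, and the sample keys (a real type header followed by dummy key material) are constructed for illustration.

```python
import base64
import struct

# Key types the table above lists as supported, per ONTAP release.
FIPS_SUPPORTED = {
    "9.11.1 and later": {"ecdsa-sha2-nistp256"},
    "9.10.1 and earlier": {"ecdsa-sha2-nistp256", "ssh-ed25519"},
}

def key_type(pubkey_line):
    """Return the key type of an OpenSSH public key line, read from the blob.

    Raises ValueError if the line is malformed or the declared type (first
    field) disagrees with the length-prefixed name inside the base64 blob.
    """
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    declared, blob = fields[0], base64.b64decode(fields[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (name_len,) = struct.unpack(">I", blob[:4])
    if name_len > len(blob) - 4:
        raise ValueError("type name runs past end of blob")
    embedded = blob[4:4 + name_len].decode("ascii")
    if embedded != declared:
        raise ValueError(f"declared {declared!r}, blob says {embedded!r}")
    return embedded

def audit(keys, release):
    """Map account -> (key type, True if listed as supported for release)."""
    supported = FIPS_SUPPORTED[release]
    result = {}
    for account, line in keys.items():
        ktype = key_type(line)
        result[account] = (ktype, ktype in supported)
    return result

def constructed_key(name, comment):
    """Build a placeholder key line: valid type header, dummy key bytes."""
    blob = struct.pack(">I", len(name)) + name.encode("ascii") + b"\x00" * 32
    return f"{name} {base64.b64encode(blob).decode('ascii')} {comment}"

# Constructed sample data; svmadmin2 and svmadmin3 are hypothetical accounts.
SAMPLE_KEYS = {
    "svmadmin1": constructed_key("ssh-ed25519", "svmadmin1@adminhost"),
    "svmadmin2": constructed_key("ecdsa-sha2-nistp256", "svmadmin2@adminhost"),
    "svmadmin3": constructed_key("ssh-rsa", "svmadmin3@adminhost"),
}
```

Any account that `audit` reports as `False` for the target release needs a key of a supported type before FIPS is enabled.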

Step
  1. Enable local administrator accounts to access an SVM using an SSH public key:

    security login create -vserver SVM_name -user-or-group-name user_or_group_name -application application -authmethod authentication_method -role role -comment comment

    For complete command syntax, see the worksheet.

    The following command enables the SVM administrator account svmadmin1 with the predefined vsadmin-volume role to access the SVM engData1 using an SSH public key:

    cluster1::>security login create -vserver engData1 -user-or-group-name svmadmin1 -application ssh -authmethod publickey -role vsadmin-volume

After you finish

If you have not associated a public key with the administrator account, you must do so before the account can access the SVM.