Enable SSH multifactor authentication (MFA)

Starting with ONTAP 9.3, you can use the security login create command to enhance security by requiring that administrators log in to an admin or data SVM with both an SSH public key and a user password.

What you’ll need

You must be a cluster administrator to perform this task.

About this task
  • You must associate the public key with the account before the account can access the SVM.

    You can perform this task before or after you enable account access.

  • If you are unsure of the access control role that you want to assign to the login account, you can use the security login modify command to add the role later.

  • The user is always authenticated with public key authentication followed by password authentication.

Step
  1. Require local administrator accounts to access an SVM using SSH MFA:

    security login create -vserver SVM -user-or-group-name user_name -application ssh -authentication-method password|publickey -role admin -second-authentication-method password|publickey

    The following command requires the SVM administrator account admin2, which has the predefined admin role, to log in to the SVM engData1 with both an SSH public key and a user password:

    cluster-1::> security login create -vserver engData1 -user-or-group-name admin2 -application ssh -authentication-method publickey -role admin -second-authentication-method password
    
    Please enter a password for user 'admin2':
    Please enter it again:
    Warning: To use public-key authentication, you must create a public key for user "admin2".
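
Once the accounts are created, a cluster administrator will want to confirm that no SSH login entry was left with a single factor. The following Python script is an added example, not part of the ONTAP documentation: it parses the tabular output of `security login show -vserver engData1 -application ssh -fields user-or-group-name,authentication-method,second-authentication-method` and lists the SSH accounts that are not configured with the public key plus password pair. The sample output embedded in the script is constructed for this example (it follows the general header, dashed rule, rows, "N entries were displayed." shape of `-fields` output), and the column names are assumed to match the field names used in the command above; adjust the parser if your cluster prints them differently.

```python
"""Audit ONTAP SSH login entries for accounts that still lack MFA.

Added example, not from the ONTAP documentation. It reads the output of
`security login show ... -fields ...` (captured by hand or over an existing
SSH session) and reports SSH accounts that are not set up with both an SSH
public key and a password. SAMPLE_OUTPUT below is constructed, not captured
from a real cluster, and the column layout is an assumption about the
-fields table format.
"""
import re

# Constructed sample of what the -fields table might look like after the
# step above: admin2 has MFA, the other two entries do not.
SAMPLE_OUTPUT = """\
vserver  user-or-group-name authentication-method second-authentication-method
-------- ------------------ --------------------- ----------------------------
engData1 admin2             publickey             password
engData1 backupsvc          password              none
engData1 vsadmin            publickey             none
3 entries were displayed.
"""

# The two factors this page describes: public key followed by password.
REQUIRED_METHODS = {"publickey", "password"}


def parse_fields_table(text):
    """Turn a '-fields' table into a list of dicts keyed by column name.

    The chosen columns (vserver, user name, method names) never contain
    spaces, so whitespace splitting is safe here.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()
    rows = []
    for ln in lines[2:]:                       # skip header and dashed rule
        if re.match(r"^\d+ entr(y|ies)", ln):  # trailing "N entries were displayed."
            continue
        values = ln.split()
        if len(values) != len(header):         # ignore anything that is not a data row
            continue
        rows.append(dict(zip(header, values)))
    return rows


def has_ssh_mfa(row):
    """True only when the first and second methods are exactly publickey and password."""
    methods = {row["authentication-method"], row["second-authentication-method"]}
    return methods == REQUIRED_METHODS


def find_accounts_without_mfa(rows):
    """Return (vserver, user) pairs whose SSH login is not MFA-protected."""
    return [
        (r["vserver"], r["user-or-group-name"])
        for r in rows
        if not has_ssh_mfa(r)
    ]


if __name__ == "__main__":
    for vserver, user in find_accounts_without_mfa(parse_fields_table(SAMPLE_OUTPUT)):
        print(f"{vserver}: {user} is missing SSH MFA")
```

The check deliberately requires both methods to be present rather than only testing that the second method is not "none", so an entry such as password followed by password is also flagged.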

After you finish

If you have not associated a public key with the administrator account, you must do so before the account can access the SVM.