Enable SSH multifactor authentication (MFA)
Starting with ONTAP 9.3, you can use the security login create command to enhance security by requiring that administrators log in to an admin or data SVM with both an SSH public key and a user password.
You must be a cluster administrator to perform this task.
You must associate the public key with the account before the account can access the SVM.
You can perform this task before or after you enable account access.
If you are unsure of the access control role that you want to assign to the login account, you can use the security login modify command to add the role later.
The user is always authenticated with public key authentication followed by password authentication.
Require local administrator accounts to access an SVM using SSH MFA:
security login create -vserver SVM -user-or-group-name user_name -application ssh -authentication-method password|publickey -role admin -second-authentication-method password|publickey
The following command requires the SVM administrator account admin2 with the predefined admin role to log in to the SVM engData1 with both an SSH public key and a user password:
cluster-1::> security login create -vserver engData1 -user-or-group-name admin2 -application ssh -authentication-method publickey -role admin -second-authentication-method password

Please enter a password for user 'admin2':
Please enter it again:
Warning: To use public-key authentication, you must create a public key for user "admin2".
If you have not associated a public key with the administrator account, you must do so before the account can access the SVM.
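To check which SSH logins still accept a single factor after the change, the following added example (not NetApp code) parses a listing of login entries and reports every SSH entry whose two methods are not the password and publickey pair described above. It assumes whitespace-separated output in the layout of security login show -application ssh -fields authentication-method,second-authentication-method; the sample rows are constructed, and the accounts backupop, svcmon and webadmin are hypothetical.

```python
# Constructed sample in the assumed column layout of
# "security login show -application ssh -fields authentication-method,second-authentication-method".
SAMPLE = """\
vserver   user-or-group-name application authentication-method second-authentication-method
--------- ------------------ ----------- --------------------- ----------------------------
cluster-1 admin              ssh         password              none
engData1  admin2             ssh         publickey             password
engData1  backupop           ssh         publickey             none
engData1  svcmon             ssh         password              publickey
engData1  webadmin           http        password              none
"""

# The two methods that together make up SSH MFA on this page.
MFA_PAIR = {"password", "publickey"}


def parse_logins(text):
    """Return one dict per data row, keyed by the header names."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()
    rows = []
    for ln in lines[1:]:
        if set(ln.strip()) <= {"-", " "}:  # separator row made of dashes
            continue
        cells = ln.split()
        if len(cells) != len(header):
            raise ValueError(f"unexpected row: {ln!r}")
        rows.append(dict(zip(header, cells)))
    return rows


def ssh_without_mfa(rows):
    """Return (vserver, user) for SSH entries not using password + publickey."""
    findings = []
    for r in rows:
        if r["application"] != "ssh":
            continue  # only SSH access is in scope here
        methods = {r["authentication-method"], r["second-authentication-method"]}
        if methods != MFA_PAIR:
            findings.append((r["vserver"], r["user-or-group-name"]))
    return findings


if __name__ == "__main__":
    for vserver, user in ssh_without_mfa(parse_logins(SAMPLE)):
        print(f"{vserver}: {user} can log in over SSH with a single factor")
```

Each login entry is evaluated on its own, so an account that has both an MFA entry and a separate single-method SSH entry is still reported.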