ONTAP Multifactor Authentication (MFA) for ssh

My last blog demonstrated 2-factor GUI authentication with a SAML IdP. To complete the picture for the command line, this blog covers multifactor authentication (MFA) for SSH access to the ONTAP CLI.

Many ONTAP users already have a public key set up for passwordless ssh. If you do, MFA is easy: ONTAP's SSH MFA requires both a password and a public key, so you only need to add the second authentication method as shown in step 3 below. We will cover how to set up a public key for a Linux or macOS client with ssh-keygen, and for Windows with puttygen.exe. The examples use the username “admin” for publickey-only login and “admin2” for MFA, against an ONTAP 9.7P4 cluster with a cluster management IP of 192.168.150.230.

1.    PUBLICKEY password-less SSH (Linux/MacOS)

  • This feature does NOT work when FIPS is enabled
  • Using “admin” for the example below
  • ssh-keygen is used to generate the key pair

Linux client

ssh-keygen -t rsa

When asked for a ‘passphrase’, do not enter one; press “ENTER” three times (default file name, empty passphrase, confirm). A key with no passphrase is protected only by the file permissions on ~/.ssh/id_rsa, so if you want a passphrase, load the key into ssh-agent to keep the logins non-interactive.

Test password connectivity to the NetApp cluster (before the public key is set up)

ssh admin@192.168.150.230 security login show

Answer “yes” to accept the host key fingerprint

Enter the password (this user will not need it once the key is installed)

cat ~/.ssh/id_rsa.pub               # we will paste this into the cluster next

ONTAP

Enable Public/Private SSH Keys for passwordless access for the admin user

security login create -username admin -application ssh -authmethod publickey -profile admin

security login show

Install the public key (pasted from above; the value is one line, with no leading space inside the quotes)

security login publickey create -username admin -index 1 -publickey "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDOODKTWGiWHrx2CDfblqd4QG7PGqRlb4I9KQ3uSu+mOEuDls7+HffkdRwieiSnG1fM8g2D/HYeSE7vf7ybkCDfbKyGCJKQfot+cmr08ELFiR5f8qi6eQFYvgfQuOUj2G3UzcUby/soDVnupye4eJKKld5JbiWD6zJt8l17trq20s9I8CWX6KTXyOWTYd/TXF9Rt1pDfPWX9cUDZTM3xFPWJUPCfgw3/5IgCm2oBhcXeC6XDNbRIUcxQYT20J1HaK8ER20PU9pzAkH3LDBnLjm62Ow9g9l+2gwGoU/7XAMva3IPj415WiC95JNoel7PnnlXd1G8fxxqBTTcinZaPzTRKG//m+bHWXZcPfHwy/qF3qHO9sJY/0EZlGcJYq1EMriZxJiOpFtcaQzSkKkxcTa/z3QPVpVaw5u+w5lEXZfl0BLPXuyRmatN+BEDnIoUVGL67q/56+ll8yPhStBoxgFe6EDd+k8Eoy8tht3Qa09Y3bQ3fm9U7AN4eFA/lGkqQUM= root@linux1.lab2.local"

NOTE: you can also load the key from a URI instead of pasting it

::> security login publickey load-from-uri -username admin -uri file://localhost/mroot/id_rsa.pub [-overwrite false]
::> security login publickey load-from-uri -username admin -uri http://ip/path/id_rsa.pub [-overwrite false]

  • for file://, scp the file to /mroot on one node first
  • the copy/paste method above and the URI method give the same result; the URI method avoids paste errors with a long key

Confirm user and key

security login publickey show -username admin

Linux client

Test connectivity from Linux to the NetApp cluster; this time no password should be requested

ssh admin@192.168.150.230 security login show

2.    PUBLICKEY password-less SSH (Windows PuTTy puttygen.exe/plink.exe)

  • This feature does NOT work when FIPS is enabled
  • Using “admin” for the example below
  • Windows PuTTY using plink.exe

Windows Client with PuTTY

Generate the key pair with puttygen.exe

  • Open puttygen.exe in C:\Program Files\PuTTY
  • Leave the default “RSA” radio button checked (this is SSH-2 RSA)
  • Use the default 2048 bits for the key size
    • The client key size does not have to match that of the storage system, but it does have to be larger.
  • Click Generate. You will be prompted to move the mouse in the key area.
  • DO NOT enter a passphrase when generating the keys (if you want one, load the key into Pageant so that plink can still log in non-interactively).
  • Once the keys have been generated, save them to the C:\Program Files\PuTTY directory (where plink.exe is)
  • Click “Save public key”
    • Enter rsa_pub_clientplink_key
  • Click “Save private key”
    • Click “Yes” to save without a passphrase
    • Enter: rsa_priv_plink_key.ppk
  • Copy the text in the “Public key for pasting into OpenSSH authorized_keys” box
  • Open WordPad and paste the key
    • DELETE the trailing “rsa-key-CCYYMMDD” comment so the key ends with no spaces
    • The key must stay on a single line with no line breaks. Do not edit this file with Notepad; use WordPad or TextPad and leave NO spaces or blank lines at the end
  • Save as “authorized_keys” in the PuTTY directory. Choose “Text Document”
  • Rename the file to remove the “.txt” extension. This file is only a scratch copy of the key you will paste into ONTAP; plink does not read it (authorized_keys is a server-side file).

From a command prompt or PowerShell window, test connectivity to the NetApp cluster and confirm that it still asks for a password (this also confirms that non-interactive ssh through plink works)

plink.exe -ssh admin@192.168.150.230 security login show

ONTAP

Install the public key (pasted from above; make sure the PuTTY authorized_keys scratch copy matches the key below, with no leading space inside the quotes)

security login publickey create -username admin -publickey "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAiG2YhcxQVTgRT/rLZZvvN+8yYXQwurAodG2Qn6+JHVGRCK1MO5VNbvl0gjZlaX8vsdN3LniH+4fd0v7Iej+e/I1TbPl+p9VLlRVYV1dex6JaDjrgdzYK3GGXQBfkpGpdqaCrKNTtNpEDgg3EJFbrDTW4dym9GuULyyHbiZS0iwtGSkU/qcaaSGHeidwq69UrLm6RH8NJNzCvMzMq2tgm6x3pnDsGd3GduRqKgOTDyScSu38A3HCLKjPSXYP6MJBXhDsczUYiRrFk1EMJFsk0j3k1PsYWPglf8HC4QOKJO5Q31STjKXDtjJfWGnSDELXnWf0XTdMNN2KChqGf0jorTQ=="

Confirm the user and keys (there will now be 2 index entries, one for Linux and one for Windows)

security login publickey show -username admin

Windows Client

Test connectivity from plink to the NetApp cluster without a password. Pass the private key with -i (or load it into Pageant first); you will see “Access granted” instead of “Password:”

plink.exe -ssh -i "C:\Program Files\PuTTY\rsa_priv_plink_key.ppk" admin@192.168.150.230 security login show

You can also use the PuTTY GUI: point Connection > SSH > Auth at rsa_priv_plink_key.ppk and it will not require a password.

3.    2-Factor SSH CLI with MFA (password AND PUBLICKEY)

ONTAP

Create a new user called “admin2” for 2-factor, using “Netapp1!” as the password (a lab password; choose your own)

security login create -username admin2 -application ssh -authmethod password -profile admin -second-authentication-method publickey

Enter the password twice (“Netapp1!”)

security login show -username admin2

Check that the output lists password as the authentication method and publickey as the second authentication method for admin2.

Create the public key entries for admin2, reusing the RSA public keys from the sections above

For Linux

security login publickey create -username admin2 -index 1 -publickey "ssh-rsa <paste the Linux public key from section 1 here> root@linux1.lab2.local"

For Windows plink.exe

security login publickey create -username admin2 -index 2 -publickey "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAiG2YhcxQVTgRT/rLZZvvN+8yYXQwurAodG2Qn6+JHVGRCK1MO5VNbvl0gjZlaX8vsdN3LniH+4fd0v7Iej+e/I1TbPl+p9VLlRVYV1dex6JaDjrgdzYK3GGXQBfkpGpdqaCrKNTtNpEDgg3EJFbrDTW4dym9GuULyyHbiZS0iwtGSkU/qcaaSGHeidwq69UrLm6RH8NJNzCvMzMq2tgm6x3pnDsGd3GduRqKgOTDyScSu38A3HCLKjPSXYP6MJBXhDsczUYiRrFk1EMJFsk0j3k1PsYWPglf8HC4QOKJO5Q31STjKXDtjJfWGnSDELXnWf0XTdMNN2KChqGf0jorTQ=="

security login publickey show -username admin2
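Before running any of the `security login publickey create` commands in sections 1 and 3, it is worth checking that the line you are about to paste really is one well-formed ssh-rsa key: a stray leading space, a leftover comment, or a line break introduced by an editor is exactly the kind of mistake that leaves the cluster holding a key that does not match the client. The script below is an added example and is not code from the original post or from NetApp. It parses the OpenSSH key line, verifies the base64 blob's wire header and modulus size, and prints the ONTAP command with the comment stripped. It assumes the `base64 -d`, `od` and `cut` found on a Linux or macOS client; the sample key at the bottom is a constructed toy key with a 3-bit modulus, not a key from the post.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-check an OpenSSH
# "ssh-rsa ..." line (id_rsa.pub or PuTTYgen's OpenSSH box) and build the
# ONTAP command that installs it.  Runs offline; the SAMPLE_KEY below is a
# constructed toy key, not one of the keys from the post.

# Print just the base64 blob of a single "ssh-rsa <blob> [comment]" line.
# Fails on other key types and on lines that carry authorized_keys options.
ssh_rsa_blob() {
    set -- $1                                   # split into type, blob, comment
    [ "$1" = "ssh-rsa" ] && [ -n "$2" ] || return 1
    printf '%s\n' "$2"
}

# Decode a blob to a hex string (no spaces) so the wire format can be parsed.
blob_hex() {
    printf '%s' "$1" | base64 -d 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
}

# True if the decoded blob starts with the SSH string "ssh-rsa":
# 4-byte big-endian length 7, then the ASCII bytes 73 73 68 2d 72 73 61.
blob_is_ssh_rsa() {
    case "$(blob_hex "$1")" in
        000000077373682d727361*) return 0 ;;
        *) return 1 ;;
    esac
}

# Modulus size in bits, read from the blob: string "ssh-rsa", mpint e, mpint n.
# Catches a truncated paste that the header check alone would miss.
rsa_modulus_bits() {
    blob_is_ssh_rsa "$1" || return 1
    hex=$(blob_hex "$1")
    [ ${#hex} -ge 30 ] || return 1
    e_len=$((0x$(printf '%s' "$hex" | cut -c23-30)))   # bytes in e
    n_pos=$((31 + 2 * e_len))                          # hex offset of n's length
    n_len=$((0x$(printf '%s' "$hex" | cut -c"$n_pos"-$((n_pos + 7)))))
    top=$(printf '%s' "$hex" | cut -c$((n_pos + 8))-$((n_pos + 9)))
    if [ "$top" = "00" ]; then                         # mpint sign-padding byte
        n_len=$((n_len - 1))
        top=$(printf '%s' "$hex" | cut -c$((n_pos + 10))-$((n_pos + 11)))
    fi
    t=$((0x$top)); b=0
    while [ "$t" -gt 0 ]; do b=$((b + 1)); t=$((t / 2)); done
    echo $(( (n_len - 1) * 8 + b ))
}

# Emit the ONTAP command for a validated key line.  Arguments: user, index,
# key line, minimum modulus bits (default 2048, the PuTTYgen default above).
# The comment (root@host, rsa-key-CCYYMMDD) is dropped so nothing stray is pasted.
ontap_publickey_cmd() {
    user=$1; index=$2; line=$3; min_bits=${4:-2048}
    blob=$(ssh_rsa_blob "$line") || return 1
    bits=$(rsa_modulus_bits "$blob") || return 1
    [ "$bits" -ge "$min_bits" ] || return 1
    printf 'security login publickey create -username %s -index %s -publickey "ssh-rsa %s"\n' \
        "$user" "$index" "$blob"
}

# Constructed sample: a toy key with e=65537 and a 3-bit modulus, so the blob
# stays short.  A real id_rsa.pub line is handled exactly the same way.
SAMPLE_KEY="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAAQU= toy@example.test"
ontap_publickey_cmd admin 1 "$SAMPLE_KEY" 1     # min_bits 1 so the toy passes
```

Run it as a script, or source it and call `ontap_publickey_cmd admin2 1 "$(cat ~/.ssh/id_rsa.pub)"`: the default minimum of 2048 bits rejects anything smaller, and the printed line is exactly what to paste at the ONTAP prompt.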

Test logins that require both the password and the public key

Linux

ssh admin2@192.168.150.230 security login show                 # uses the key and prompts for Netapp1!

To confirm the second factor is actually enforced, refuse to offer the key; the login must fail even with the correct password

ssh -o PubkeyAuthentication=no admin2@192.168.150.230 security login show

Windows plink.exe

plink.exe -ssh -i "C:\Program Files\PuTTY\rsa_priv_plink_key.ppk" admin2@192.168.150.230 security login show         # Netapp1!

The same plink command without -i (and with Pageant not running) must also be refused.
