Public Key Authentication NetApp Cluster-Mode

Public key authentication in the NetApp cluster mode allows users to log in to cluster without a password. You can use this method to allow scripts to log in to the cluster without a password.

You can configure a public key authentication from any Linux server to the NetApp cluster. System admin also calls this process as passwordless authentication.

Check out steps to set up public key authentication in EMC Isilon.

In NetApp, you must be the admin user to configure public key authentication.

Steps To Configure Public Key Authentication In NetApp Cluster Mode

  1. Create a public key in a Linux server.
  2. In NetApp create a user with the auth method as the public key.
  3. Copy the public key from id_rsa.pub to NetApp Cluster.
  4. Verify from Linux if the public key is working correctly.

In the coming section we will discuss the above steps in more details. You can also watch below videos to see live demo.

Create a public key in a Linux server

The first step is to create a public key in the Linux server by using ssh-keygen command.

Please note that if an ssh key pair already exists, no need to use the ssh-keygen command. You can use the existing key pair. Hence, check the file id_rsa.pub for the existing key pair in the below path.

cat ~/.ssh/id_rsa.pub

Below commands creates a public key and stores it in id_rsa.pub file.

monitor@bjacobs-lnx:/$ ssh-keygen -q -f ~/.ssh/id_rsa -t rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
monitor@bjacobs-lnx:/$ ls -lsa ~/.ssh
total 16
4 drwx------ 2 monitor monitor 4096 2008-08-26 11:47 .
4 drwxr-xr-x 3 monitor monitor 4096 2008-08-26 11:47 ..
4 -rw------- 1 monitor monitor 1679 2008-08-26 11:47 id_rsa
4 -rw-r--r-- 1 monitor monitor 401 2008-08-26 11:47 id_rsa.pub

Create a user with the auth method as publickey in NetApp.

The second step is to create a NetApp user and assign the authentication method as a public key. Additionally, assign a proper role to the user.

The below command creates a user in NetApp with the role of admin and auth method as a public key.

netapp::> security login create -user-or-group-name monitor -application ssh -authmethod publickey -role admin

Copy the public key from id_rsa.pub map to NetApp user

Copy the public key contents of the and map it to the new user. Note that you can add multiple public keys to the same user by using index id.

You must add the public key key within quotes else command will throw errors.

netapp::> security login publickey create -username monitor -index 1 -publickey "ssh-rsa
AAAAB3NzaC1yc2EAAAABIwAAAQEA5s4vVbwEO1sOsq7r64V5KYBRXBDb2I5mtGmt0+3p1jjPJrXx4/
IPHFLalXAQkG7LhV5Dyc5jyQiGKVawBYwxxSZ3GqXJNv1aORZHJEuCd0zvSTBGGZ09vra5uCfxkpz8nwaTeiAT232LS2lZ6RJ4dsCz+
GAj2eidpPYMldi2z6RVoxpZ5Zq68MvNzz8b15BS9T7bvdHkC2OpXFXu2jndhgGxPHvfO2zGwgYv4wwv2nQw4tuqMp8e+
z0YP73Jg0T3jV8NYraXO951Rr5/9ZT8KPUqLEgPZxiSNkLnPC5dnmfTyswlofPGud+qmciYYr+cUZIvcFaYRG+Z6DM/HInX7w==  monitor@bjacobs-lnx"

As an alternative process, you can use the load-from-uri function to bring the public key from any other source.

netapp::> security login publickey load-from-uri -username monitor -uri http://bjacobs-lnx/id_rsa.pub

Verify from Linux if the public key is working correctly.

The final step is to verify if the user is able to log in to NetApp cluster from the linux server without a password.

First, you can execute the below command to check the public key of the user.

netapp::> security login publickey show -username monitor

Next, to test access from the Linux server, try to login using below command and if it does not prompt for password, then the set up is successful.

monitor@bjacobs-lnx:~$ ssh monitor@10.61.64.150
The authenticity of host '10.61.64.150 (10.61.64.150)' can't be established.
DSA key fingerprint is d9:15:cf:4b:d1:7b:a9:67:4d:b0:a9:20:e4:fa:f4:69.
Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added '10.61.64.150' (DSA) to the list of known hosts.
netapp::>

Price Based Country test mode enabled for testing India. You should do tests on private browsing mode. Browse in private with Firefox, Chrome and Safari