How to configure SSH public key authentication (passwordless login) for ONTAP
Applies to
ONTAP 9
Description
Enabling and configuring passwordless SSH public key access in ONTAP.
Once passwordless login is in place, batch configuration of NetApp systems through scripts becomes straightforward.
Procedure
- Create the user ontap_admin for SSH public key authentication (or enable an existing user):
ONTAP-Select-Site-A::> security login create -user-or-group-name ontap_admin -application ssh -authentication-method publickey -role admin -vserver ONTAP-Select-Site-A
Warning: Public key authentication is being setup for user "ontap_admin". This requires creating a public key for the user. After this command completes, use the "security login publickey create" command to create a public key for user "ontap_admin".
- Create a public key pair on the PC that will connect:
$ ssh-keygen -t rsa -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/luyinjun/.ssh/id_ed25519):
Created directory '/Users/luyinjun/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /Users/luyinjun/.ssh/id_ed25519.
Your public key has been saved in /Users/luyinjun/.ssh/id_ed25519.pub.
The key fingerprint is:
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKWnfnT0WqH83VNEID5QLZ2vKtHVevPlm11W7UCd64LV luyinjun@King-Pro.local
The key's randomart image is:
+---[RSA 4096]----+
| o o.+o|
| . * . . o *|
|+o. X ...o + Eo|
|+o.B +o++ . o . o|
|++=o=..oS. . . . |
|*.o=o. . . |
|o. .. . |
| . |
| |
+----[SHA256]-----+
$ cat .ssh/id_ed25519.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKWnfnT0WqH83VNEID5QLZ2vKtHVevPlm11W7UCd64LV luyinjun@King-Pro.local
- Copy the created public key and add it to the ontap_admin user. Enclose the copied public key text in double quotes (""):
ONTAP-Select-Site-A::> security login publickey create -vserver ONTAP-Select-Site-A -username ontap_admin -publickey "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKWnfnT0WqH83VNEID5QLZ2vKtHVevPlm11W7UCd64LV luyinjun@King-Pro.local"
- View the added public key on the NetApp system:
ONTAP-Select-Site-A::> security login publickey show -username ontap_admin
Vserver: ONTAP-Select-Site-A
UserName: ontap_admin Application: ssh Index: 0
Public Key:
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKWnfnT0WqH83VNEID5QLZ2vKtHVevPlm11W7UCd64LV luyinjun@King-Pro.local
Fingerprint:
SHA256:RE/FuLwZfc43r7h/hyE81IISDiqLiXJUYsQiYjE84+U
Bubblebabble fingerprint:
xurac-kiryp-vesuz-sevup-vihod-nulam-faput-vegup-fozad-cahyg-kyxax
Comment: -
Certificate: -
Certificate Details: -
Certificate Expiration Status: -
Certificate Revocation Status: -
- Test access from the PC. On the first connection the host key fingerprint must be accepted; no password has to be entered:
$ ssh ontap_admin@192.168.0.211
The authenticity of host '192.168.0.211 (192.168.0.211)' can't be established.
ED25519 key fingerprint is SHA256:+3+6RBiVIBIFkf+T4h8B/vnV2LVDQYiYoLldPqbV6hM.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.0.211' (ED25519) to the list of known hosts.
This is your first recorded login.
ONTAP-Select-Site-A::>
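Step 3 pastes the public key text into an ONTAP command and step 4 shows ONTAP reporting an SHA256 fingerprint for it. The following Python script is an added example, not part of the article or of ONTAP; it checks a public key line before it is pasted (the type prefix must match the type embedded in the base64 blob, and an ed25519 key must carry exactly 32 bytes), derives the SHA256 fingerprint in the same base64-without-padding form that the `security login publickey show` output uses, and builds the `security login publickey create` command with the key quoted as step 3 requires. The sample key line is the one printed in this article; the list of accepted key types is an assumption for this example.

```python
import base64
import hashlib
import struct

# Constructed sample input: the public key line shown in this article.
SAMPLE_PUBKEY_LINE = (
    "ssh-ed25519 "
    "AAAAC3NzaC1lZDI1NTE5AAAAIKWnfnT0WqH83VNEID5QLZ2vKtHVevPlm11W7UCd64LV "
    "luyinjun@King-Pro.local"
)

# Assumption for this example: the key types we are willing to hand to ONTAP.
ALLOWED_TYPES = {
    "ssh-ed25519", "ssh-rsa",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}


def _read_string(blob, offset):
    """Read one SSH wire-format string: 4-byte big-endian length, then that many bytes."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:end], end


def parse_pubkey(line):
    """Split an authorized_keys-style line and verify the base64 blob matches its type prefix."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2].strip() if len(parts) == 3 else ""
    if key_type not in ALLOWED_TYPES:
        raise ValueError("unsupported key type: " + key_type)
    try:
        blob = base64.b64decode(b64, validate=True)  # binascii.Error is a ValueError
    except ValueError as exc:
        raise ValueError("public key is not valid base64") from exc
    embedded, offset = _read_string(blob, 0)
    if embedded != key_type.encode("ascii"):
        raise ValueError("blob says %r but line says %r"
                         % (embedded.decode("ascii", "replace"), key_type))
    if key_type == "ssh-ed25519":
        pub, offset = _read_string(blob, offset)
        if len(pub) != 32 or offset != len(blob):
            raise ValueError("malformed ed25519 public key")
    return {"type": key_type, "b64": b64, "blob": blob, "comment": comment}


def check_pubkey(line):
    """Return None if the line is acceptable, otherwise the reason it is not."""
    try:
        parse_pubkey(line)
    except ValueError as exc:
        return str(exc)
    return None


def sha256_fingerprint(blob):
    """OpenSSH/ONTAP style fingerprint: SHA-256 of the key blob, base64 without '=' padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def ontap_publickey_create_cmd(vserver, username, line):
    """Build the ONTAP command from step 3 with the key text in double quotes."""
    key = parse_pubkey(line)
    text = key["type"] + " " + key["b64"]
    if key["comment"]:
        text += " " + key["comment"]
    if '"' in text:  # a quote inside the comment would break ONTAP's quoting
        raise ValueError("public key comment must not contain double quotes")
    return ('security login publickey create -vserver %s -username %s -publickey "%s"'
            % (vserver, username, text))


if __name__ == "__main__":
    key = parse_pubkey(SAMPLE_PUBKEY_LINE)
    print(ontap_publickey_create_cmd("ONTAP-Select-Site-A", "ontap_admin", SAMPLE_PUBKEY_LINE))
    # Compare this value with the Fingerprint line of 'security login publickey show'
    print(sha256_fingerprint(key["blob"]))
```

Running the script prints the exact command from step 3 and the fingerprint the cluster should report in step 4; if the printed fingerprint differs from the `show` output, the key that was pasted is not the key in the local `.pub` file.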