SSH Key Exchange for Clustered ONTAP

Key-based SSH authentication in C-DOT is much easier than in 7-mode, although there are a few caveats.

First things first: a new cluster admin user must be created, because the default admin account cannot be configured for publickey login. For some reason this isn’t mentioned anywhere in the docs, and it cost me many hours trying to troubleshoot.

CLUSTER1::> security login create -username robbiessh -application ssh -authmethod publickey -role admin -vserver cluster1 -comment "Public Key authenticated remote user"

In this example, I’m keeping things simple. You may wish to consider RBAC, depending on how you use key-based access.

Secondly, we upload the public key:

CLUSTER1::> security login publickey create -vserver cluster1 -username robbiessh -index 0 -publickey "ssh-rsa AAAAB2NyyD1ec3EBBBBBCwAAAwkduUUUUUUj+/bNt65NNNkfmmhUi8j7/d/NMdjmmuhdnnfylarnndnfyyeDjsRI3vgyy6fZI/tMx1aKtdm78V0SDTV4Gi6nNTfNNlZB6Dx5hpUBndkfDiut4F93jfFisjf883kfd9fdkmgFKdu4w44EW3mfmfidfNjBXZt0NsJWOmPPhPcrRTfTAt4dF6QH7Brfg8LDZDhqB0iUh40L/xY+bauflf83fnfDitnr/+fngGdjfmsFjfngfmfnnnfmmp81tcdsjnrjegbdfkkmmjjfmmfllOLXjlDGgvuRB/vB6Wy8g3gyuTWDvjDMpzAKzll6tcmgcZhdpzbN553RV+nIb2hfmNut0T4sTfn== remoteadmin@linuxmgthost.company.local"

That’s it. No need to break into a BSD shell to manually create the .ssh tree, the security login utility covers everything.
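A pre-flight check for the upload step above, as an added example (not from the original post or from NetApp): run on the management host, it validates an OpenSSH public-key line, computes its SHA256 fingerprint, and renders the `security login publickey create` command in the form shown above. The function names and the sample key are assumptions, constructed for illustration.

```python
import base64
import hashlib
import struct


def parse_pubkey(line):
    """Validate one OpenSSH public-key line; return (type, b64, comment, fingerprint)."""
    line = line.strip()
    fields = line.split(None, 2)
    if len(fields) < 2 or "\n" in line:
        raise ValueError("expected '<type> <base64> [comment]' on a single line")
    ktype, b64 = fields[0], fields[1]
    comment = fields[2] if len(fields) == 3 else ""
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError
        raise ValueError("key body is not valid base64 (truncated paste?)") from exc
    if len(blob) < 4:
        raise ValueError("key blob too short")
    # The blob begins with a length-prefixed copy of the key type.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != ktype.encode():
        raise ValueError("declared key type does not match the type inside the blob")
    # Same form as the fingerprint printed by `ssh-keygen -lf <file>`.
    digest = hashlib.sha256(blob).digest()
    fp = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return ktype, b64, comment, fp


def ontap_publickey_command(vserver, username, line, index=0):
    """Render the upload command from the post for a validated key line."""
    ktype, b64, comment, _ = parse_pubkey(line)
    if '"' in comment:
        raise ValueError("comment contains a double quote; it would break the CLI quoting")
    key = " ".join(p for p in (ktype, b64, comment) if p)
    return ('security login publickey create -vserver %s -username %s '
            '-index %d -publickey "%s"' % (vserver, username, index, key))


def ssh_string(data):
    """Encode bytes as an SSH wire-format string (uint32 length + data)."""
    return struct.pack(">I", len(data)) + data


# Constructed sample: structurally valid ssh-rsa blob with dummy bytes, not a usable key.
SAMPLE_BLOB = ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(b"\x00" + b"\xab" * 256)
SAMPLE_LINE = "ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode() + " remoteadmin@linuxmgthost.company.local"

if __name__ == "__main__":
    print(parse_pubkey(SAMPLE_LINE)[3])
    print(ontap_publickey_command("cluster1", "robbiessh", SAMPLE_LINE))
```

Comparing the printed fingerprint with the one shown by `ssh-keygen -lf` for the same file confirms that the key being uploaded is the one intended.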