Enabling SSH multifactor authentication (MFA)
You can use the security login create command to enhance security by requiring that administrators log in to an admin or data SVM with both an SSH public key and a user password.
Before you begin
You must be a cluster administrator to perform this task.
About this task
You must associate the public key with the account before the account can access the SVM.
Refer to Associating a public key with a user account.
You can perform this task before or after you enable account access.
If you are unsure of the access control role that you want to assign to the login account, you can use the security login modify command to add the role later.
The user is always authenticated with public key authentication followed by password authentication.
Example
The following command requires the SVM administrator account admin2 with the predefined admin role to log in to the SVM engData1 with both an SSH public key and a user password:
cluster-1::> security login create -vserver engData1 -user-or-group-name admin2 -application ssh -authentication-method publickey -role admin -second-authentication-method password
Please enter a password for user 'admin2':
Please enter it again:
Warning: To use public-key authentication, you must create a public
key for user "admin2".
After you finish
If you have not associated a public key with the administrator account, you must do so before the account can access the SVM.
Refer to Associating a public key with an administrator account.
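To confirm that no SSH login was left with a single factor, the following added example (not NetApp code) parses saved output of security login show -fields application,authentication-method,second-authentication-method and lists SSH entries with no second method. It assumes the header/dashes/rows layout shown in the constructed sample and the value none for an unset second method; the function names and the sample rows other than admin2 are hypothetical.

```python
# Constructed sample, in the layout assumed for
# `security login show -fields application,authentication-method,second-authentication-method`.
SAMPLE = """\
vserver   user-or-group-name application authentication-method second-authentication-method
--------- ------------------ ----------- --------------------- ----------------------------
engData1  admin2             ssh         publickey             password
engData1  admin3             ssh         publickey             none
engData1  admin3             http        password              none
cluster-1 admin              ssh         password              none
4 entries were displayed.
"""


def parse_login_table(text):
    """Turn the header/dashes/rows table into a list of dicts keyed by field name."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    for i, ln in enumerate(lines):
        # The separator row consists only of dashes and spaces.
        if i > 0 and set(ln.replace(" ", "")) == {"-"}:
            header, rows = lines[i - 1].split(), lines[i + 1:]
            break
    else:
        raise ValueError("no header/separator row found")
    entries = []
    for ln in rows:
        cells = ln.split()
        # Skip footers such as "4 entries were displayed." and any row whose
        # cell count does not match (for example names containing spaces).
        if len(cells) == len(header):
            entries.append(dict(zip(header, cells)))
    return entries


def ssh_logins_without_mfa(entries):
    """Return (vserver, account, first method) for SSH logins lacking a second method."""
    return [
        (e["vserver"], e["user-or-group-name"], e["authentication-method"])
        for e in entries
        if e["application"] == "ssh"
        and e.get("second-authentication-method", "none") in ("none", "-")
    ]


if __name__ == "__main__":
    for vserver, user, method in ssh_logins_without_mfa(parse_login_table(SAMPLE)):
        print(f"{vserver}: {user} uses ssh with {method} only")
```

Rows that the parser skips because of a cell-count mismatch should be reviewed by hand rather than treated as compliant.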