#ssh authentication methods


undone sluice
#

I am debugging a weird problem with ssh and a Perl module. It works fine for all my clusters except CVO.

After lots of debugging, I noticed the authentication methods are different between the working cluster and the non-working cluster:

Working: Authentication methods that can continue: publickey,password,keyboard-interactive.
Non-Working: Authentication methods that can continue: publickey,keyboard-interactive

The missing method, password (although I am using publickey), might be the root cause. Does anyone know what controls this? Is there an equivalent of an sshd_config file for ONTAP?

thorny turtle
#

That's odd, but I don't know of any way to change those settings in ONTAP.
There are very few commands for SSH config actually.
One of the devs/etc. might be able to give you some system shell commands to test.

undone sluice
#

I have a case opened as well. This is a bizarre one.

shy kiln
#

There was a bug in the past where the sshd_config file in systemshell got corrupted and some of the settings mangled up... this might be a similar issue. It's good that you have opened a case though.

calm drift
#

Did you check the security login user* commands to make sure you have an ssh role for the admin account?

undone sluice
#

Yes. Note, I can ssh in just fine with public key. It's only the Perl module that is failing (and only against the CVO instance).

undone sluice
#

I finally figured it out. The problem was Duo. We had a disabled Duo config on this node. As per the Duo docs: https://docs.netapp.com/us-en/ontap/authentication/configure-cisco-duo-mfa-task.html#remove-a-duo-group

-is-enabled false

DOES NOT disable Duo; it puts it in bypass mode. My scripts run in batch mode, or non-interactive SSH sessions. So with the Duo config installed/configured, it forces interactive mode on all ssh sessions.

I am so glad I figured this out before we go to production with Duo. That's on hold for a host of other reasons.