FIPS enabled Cluster reports Unsuccessful login attempts but login is successful
Applies to
- ONTAP 9
- Federal Information Processing Standards (FIPS)
- SSH
Issue
- SSH to a FIPS-enabled cluster reports an unsuccessful login attempt, even though the SSH login to the cluster succeeds.
- Monitoring scripts might fail.
- Verbose ssh logging shows a failure with the RSA key and then success with ECDSA:
$ ssh -vvv user@cluster1 "aggr show -aggregate * -percent-used >10% -fields percent-used"
...
debug1: Next authentication method: publickey
debug1: Offering public key: /home/username/.ssh/id_rsa RSA SHA256:WW95esAzgWUHgvNCR/BcafCmQg+cC71smhZ8ywuPuo8
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51 >>> Type 51 is an authentication failure....
...
debug1: Offering public key: /home/username/.ssh/id_ecdsa ECDSA SHA256:8rmq+JnDDiPerIJVRM+ryo1iH0OGVv9Di0BiHPymO+g
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: /home/username/.ssh/id_ecdsa ECDSA SHA256:8rmq+JnDDiPerIJVRM+ryo1iH0OGVv9Di0BiHPymO+g
debug3: sign_and_send_pubkey: ECDSA SHA256:8rmq+JnDDiPerIJVRM+ryo1iH0OGVv9Di0BiHPymO+g
debug3: sign_and_send_pubkey: signing using ecdsa-sha2-nistp256 SHA256:8rmq+JnDDiPerIJVRM+ryo1iH0OGVv9Di0BiHPymO+g
debug3: send packet: type 50
debug3: receive packet: type 52 >>> Success
Authenticated to cluster1 ([10.154.34.125]:22) using "publickey".
...
Last login time: 4/22/2025 12:40:56
Unsuccessful login attempts since last login: 1
- Audit logs show unsuccessful login attempts:
0000001e.00003de8 00009292 Tue Mar 18 2025 15:01:06 -07:00 [kern_audit:info:3517] 0000000000000000 :: cluster1:ssh :: internal:audit :: cluster1:user :: Login Attempt :: Error: Unsuccessful attempts since last login :1.
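To confirm from a client trace which key is producing the counted failure, the following added example (not part of the original article or of ONTAP) pairs each offered key in `ssh -vvv` output with the server's reply type. The function names are hypothetical, and the sample trace is constructed from the one above with placeholder fingerprints.

```python
import re

# RFC 4252 message numbers: USERAUTH_FAILURE, USERAUTH_SUCCESS, USERAUTH_PK_OK.
OUTCOME = {51: "rejected", 52: "authenticated", 60: "acceptable"}
OFFER_RE = re.compile(r"debug1: Offering public key: (\S+) (\S+) (SHA256:\S+)")
RECV_RE = re.compile(r"debug3: receive packet: type (\d+)")

# Constructed sample modelled on the trace above (fingerprints are placeholders).
SAMPLE = """\
debug1: Next authentication method: publickey
debug1: Offering public key: /home/username/.ssh/id_rsa RSA SHA256:EXAMPLE-RSA-FINGERPRINT
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Offering public key: /home/username/.ssh/id_ecdsa ECDSA SHA256:EXAMPLE-ECDSA-FINGERPRINT
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: /home/username/.ssh/id_ecdsa ECDSA SHA256:EXAMPLE-ECDSA-FINGERPRINT
debug3: send packet: type 50
debug3: receive packet: type 52
"""

def key_outcomes(trace):
    """Return [(path, key_type, outcome)] for each key the client offered, in order."""
    results, current = [], None
    for line in trace.splitlines():
        offer = OFFER_RE.search(line)
        if offer:
            current = [offer.group(1), offer.group(2), "no-reply"]
            results.append(current)
            continue
        recv = RECV_RE.search(line)
        if recv and current is not None:
            # Reply types outside OUTCOME (for example banners) leave the state unchanged.
            current[2] = OUTCOME.get(int(recv.group(1)), current[2])
    return [tuple(r) for r in results]

def rejected_before_success(trace):
    """Keys the server rejected in a session that still ended authenticated."""
    outcomes = key_outcomes(trace)
    if not any(o == "authenticated" for _, _, o in outcomes):
        return []
    return [(p, t) for p, t, o in outcomes if o == "rejected"]

if __name__ == "__main__":
    for path, ktype in rejected_before_success(SAMPLE):
        print(f"{ktype} key {path} was rejected before a later key authenticated")
```

Each key reported here corresponds to one rejected publickey offer in a session that went on to authenticate, which is the pattern shown in the trace and audit log above.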
