
unable to SSH without specifying algorithm


After completing the recommended changes to our filer we can't just ssh to either controller without specifying the algorithm to use.

 

https://kb.netapp.com/support/s/article/ka31A0000000yGnQAI/how-to-disable-sslv2-and-sslv3-in-data-ontap-for-cve-2016-0800-and-cve-2014-3566?language=e...

 

FAS2220 8.1.1 7-mode

 

If you try SSH to either controller on the shelf you see the following 

Unable to negotiate with IP_ADDRESS port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

 

However using this option works 100%

> ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 user@filer

 

We're mostly a Mac shop so I usually SSH from Mac, currently 10.12.3


Options ssh

 

ssh.access *
ssh.enable on
ssh.idle.timeout 600
ssh.passwd_auth.enable on
ssh.port 22
ssh.pubkey_auth.enable on
ssh1.enable off
ssh2.enable on

Re: unable to SSH without specifying algorithm

Hi, 

 

Thank you for contacting NetApp community.

 

I see this issue is specific to macOS Sierra 10.12 and OpenSSH. I found a useful link which may help you to fix the issue.

 

https://www.openssh.com/legacy.html

Thanks,

Nayab

Re: unable to SSH without specifying algorithm

Yes, I've seen this page before, that's how I found out how to still ssh into the shelf, but it also says that it's the legacy system (NetApp in this case) that doesn't support a higher encryption level. Is there not a way to enable a higher encryption level on the shelf?

Re: unable to SSH without specifying algorithm

This system is running ONTAP 8.1.1 in 7-Mode (released in 2012), which is no longer supported by NetApp. While support is still available for 7-Mode ONTAP (if running 8.1.4, or 8.2.4), no new feature enhancement work is being undertaken on the platform, and as such, there is no fix planned for this issue.

Our suggested fix is to add in your client's ~/.ssh/config file:

Host somehost.example.org
KexAlgorithms +diffie-hellman-group1-sha1

 

Alternatively, with a valid support contract (and, unfortunately, migrating all the data off and back on, and the addition of a 10Gb Mezzanine card if not already present..), this system can be reformatted to run ONTAP 9.1, which is a Clustered ONTAP only release, and which fixes this issue, but it is by no means the easy option.
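The point of the suggested fix is scope: the legacy key exchange is re-enabled for one host only, not for every connection the client makes. The following script, added here as an example and not code from the thread, NetApp or the OpenSSH project, parses the client's "Unable to negotiate" error, emits exactly such a Host-scoped stanza, and audits an existing ssh_config for the same method enabled globally (including under `Host *`). It generalizes from the page's key-exchange case to the other three algorithm classes OpenSSH reports in that message (ciphers, host key types, MACs). The address 192.0.2.10, the alias filer.example.org and the legacy-algorithm set are constructed for the example and the set is not exhaustive.

```python
"""Scope a legacy SSH algorithm override to one host instead of the whole client.

Added example for this thread (not NetApp's or OpenSSH's code). It parses the
client's "Unable to negotiate" error, emits a ~/.ssh/config stanza that enables
the offered legacy method for that host only, and audits a config for the same
method enabled globally. The legacy-algorithm set and sample inputs are constructed.
"""
import re
from typing import Dict, Iterator, List, Optional, Tuple

# OpenSSH's negotiation failure message; "what" names the algorithm class.
NEGOTIATE_RE = re.compile(
    r"Unable to negotiate with (?P<host>\S+) port (?P<port>\d+): "
    r"no matching (?P<what>key exchange method|cipher|host key type|MAC) found\. "
    r"Their offer: (?P<offer>[\w@.,-]+)"
)

# ssh_config keyword that controls each algorithm class.
KEYWORD_FOR = {
    "key exchange method": "KexAlgorithms",
    "cipher": "Ciphers",
    "host key type": "HostKeyAlgorithms",
    "MAC": "MACs",
}

# Constructed, non-exhaustive set of algorithms modern OpenSSH disables by default.
LEGACY = {
    "diffie-hellman-group1-sha1", "diffie-hellman-group-exchange-sha1",
    "ssh-dss", "3des-cbc", "blowfish-cbc", "arcfour",
}

# Constructed sample: the error from the thread with a documentation address.
SAMPLE_ERROR = ("Unable to negotiate with 192.0.2.10 port 22: no matching key "
                "exchange method found. Their offer: diffie-hellman-group1-sha1")


def parse_negotiation_error(line: str) -> Optional[Dict[str, object]]:
    """Return host, port, ssh_config keyword and the peer's offer, or None."""
    m = NEGOTIATE_RE.search(line)
    if not m:
        return None
    return {
        "host": m["host"],
        "port": int(m["port"]),
        "keyword": KEYWORD_FOR[m["what"]],
        "offer": m["offer"].split(","),
    }


def config_stanza(host: str, keyword: str, names: List[str]) -> str:
    """Host-scoped stanza; '+' appends to the defaults instead of replacing them."""
    return f"Host {host}\n    {keyword} +{','.join(names)}\n"


def stanza_for_error(line: str, alias: Optional[str] = None) -> Optional[str]:
    """Build the narrowest stanza that lets the failing connection proceed."""
    info = parse_negotiation_error(line)
    if info is None:
        return None
    return config_stanza(alias or info["host"], info["keyword"], info["offer"])


def _directives(config_text: str) -> Iterator[Tuple[bool, str, str]]:
    """Yield (inside_host_block, keyword_lower, value) for each directive line."""
    in_block = False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key in ("host", "match"):
            in_block = value.strip() != "*"   # "Host *" applies to every host: treat as global
            continue
        yield in_block, key, value


def global_legacy_overrides(config_text: str) -> List[Tuple[str, str]]:
    """Legacy algorithms enabled for every host (global section or 'Host *')."""
    wanted = {k.lower(): k for k in KEYWORD_FOR.values()}
    found = []
    for in_block, key, value in _directives(config_text):
        if in_block or key not in wanted or value.startswith("-"):
            continue   # '-' removes algorithms, so it never enables a legacy one
        for name in value.lstrip("+^").split(","):
            if name in LEGACY:
                found.append((wanted[key], name))
    return found


def add_host_override(config_text: str, stanza: str) -> str:
    """Prepend the stanza (ssh_config uses the first value obtained); idempotent."""
    if stanza in config_text:
        return config_text
    return stanza + ("\n" + config_text if config_text else "")


if __name__ == "__main__":
    stanza = stanza_for_error(SAMPLE_ERROR, alias="filer.example.org")
    print(stanza)
    print(global_legacy_overrides("KexAlgorithms +diffie-hellman-group1-sha1\n"))
```

Two details are worth keeping in mind when applying the stanza by hand. ssh_config takes the first value obtained for a parameter, so the Host block has to appear before any general `KexAlgorithms` line or it is ignored for that host, which is why the script prepends rather than appends. And `-oKexAlgorithms=+diffie-hellman-group1-sha1` on the command line is the same override for a single invocation; either form only changes which key exchange this client is willing to accept from that filer and does nothing to the server side.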