topic Re: unable to SSH without specifying algorithm in ONTAP Discussions

unable to SSH without specifying algorithm

gadgetvirtuoso — Wed, 04 Jun 2025 15:26:50 GMT

After completing the recommended changes to our filer we can't just ssh to either controller without specifiying the algorithm to use.

https://kb.netapp.com/support/s/article/ka31A0000000yGnQAI/how-to-disable-sslv2-and-sslv3-in-data-ontap-for-cve-2016-0800-and-cve-2014-3566?language=en_US

FAS2220 8.1.1 7-mode

If you try SSH to either controller on the shelf you see the following

Unable to negotiate with IP_ADDRESS port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

However using this option works 100%

> ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 user@filer

We're mostly a Mac shop so I usually SSH from Mac, currently 10.12.3

Options ssh

ssh.access *
ssh.enable on
ssh.idle.timeout 600
ssh.passwd_auth.enable on
ssh.port 22
ssh.pubkey_auth.enable on
ssh1.enable off
ssh2.enable on

Re: unable to SSH without specifying algorithm

NAYABSK — Thu, 16 Feb 2017 05:50:34 GMT

Hi,

Thank you for contacting NetApp community.

I see this issue is specific to MAC OS Sierra 10.12 and Open SSH. I found a useful link which may help you to fix the issue.

https://www.openssh.com/legacy.html

Thanks,

Nayab

Re: unable to SSH without specifying algorithm

gadgetvirtuoso — Thu, 16 Feb 2017 17:17:24 GMT

Yes, I've seen this page before, taht's how I found out how to still ssh into the shelf but it also says that its the legacy system (netapp in this case) that doesn't support a higher encryption level. Is there not a way to enable a higher encryption level on the shelf?

Re: unable to SSH without specifying algorithm

AlexDawson — Thu, 16 Feb 2017 23:34:11 GMT

This system is running ONTAP 8.1.1 in 7-Mode (released in 2012), which is no longer supported by NetApp. While support is still available for 7-Mode ONTAP (if running 8.1.4, or 8.2.4), no new feature enhancement work is being undertaken on the platform, and as such, there is no fix planned for this issue.

Our suggested fix is to add in your client's ~/.ssh/config file:

Host somehost.example.org
KexAlgorithms +diffie-hellman-group1-sha1

Alternatively, with a valid support contract (and, unfortunately, migrating all the data off and back on, and the addition of a 10Gb Mezzanine card if not already present..), this system can be reformatted to run ONTAP 9.1, which is a Clustered ONTAP only release, and which fixes this issue, but it is by no means the easy option.