2017-02-15 11:34 AM - last edited on 2017-02-22 08:00 AM by alissa
After completing the recommended changes to our filer we can't just ssh to either controller without specifying the algorithm to use.
FAS2220 8.1.1 7-mode
If you try SSH to either controller on the shelf you see the following
Unable to negotiate with IP_ADDRESS port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
However using this option works 100%
> ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 user@filer
We're mostly a Mac shop so I usually SSH from Mac, currently 10.12.3
2017-02-16 09:17 AM
Yes, I've seen this page before, that's how I found out how to still ssh into the shelf, but it also says that it's the legacy system (NetApp in this case) that doesn't support a higher encryption level. Is there not a way to enable a higher encryption level on the shelf?
2017-02-16 03:34 PM
This system is running ONTAP 8.1.1 in 7-Mode (released in 2012), which is no longer supported by NetApp. While support is still available for 7-Mode ONTAP (if running 8.1.4, or 8.2.4), no new feature enhancement work is being undertaken on the platform, and as such, there is no fix planned for this issue.
Our suggested fix is to add in your client's ~/.ssh/config file:
Host somehost.example.org
    KexAlgorithms +diffie-hellman-group1-sha1
Alternatively, with a valid support contract (and, unfortunately, migrating all the data off and back on, and the addition of a 10Gb Mezzanine card if not already present..), this system can be reformatted to run ONTAP 9.1, which is a Clustered ONTAP only release, and which fixes this issue, but it is by no means the easy option.
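A check for the client-side workaround suggested above, as an added example that is not part of the original thread or NetApp's own tooling: it parses ssh_config text and reports every block that enables diffie-hellman-group1-sha1, marking whether the block is limited to named hosts or reaches further through wildcards, a Match block, or global placement. The sample configuration and host names are constructed, and Match blocks are not evaluated but conservatively treated as broad.

```python
import re

# The key exchange method the filer offers in the error message above.
WEAK_KEX = {"diffie-hellman-group1-sha1"}

# Constructed sample ssh_config; host names are placeholders.
SAMPLE = """\
Host filer1.example.org filer2.example.org
    KexAlgorithms +diffie-hellman-group1-sha1

Host *.example.org
    KexAlgorithms=+diffie-hellman-group1-sha1,diffie-hellman-group14-sha1

Host *
    KexAlgorithms -diffie-hellman-group1-sha1
    ServerAliveInterval 60
"""

def audit_kex(config_text):
    """Return [(scope, is_broad, weak_algorithms)] for blocks that enable a weak KEX."""
    findings = []
    scope, broad = "(global)", True  # options before any Host line apply to all hosts
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # ssh_config accepts both "Keyword value" and "Keyword=value".
        m = re.match(r"(\w+)(?:\s*=\s*|\s+)(.*)", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().strip('"')
        if key == "host":
            scope = "Host " + value
            # Wildcards in a non-negated pattern widen the block beyond named hosts.
            broad = any(c in p for p in value.split() if not p.startswith("!") for c in "*?")
        elif key == "match":
            scope, broad = "Match " + value, True  # not evaluated; treated as broad
        elif key == "kexalgorithms" and not value.startswith("-"):
            # "+" appends, "^" prepends, no prefix replaces; "-" removes, so it is skipped.
            enabled = set(value.lstrip("+^").split(","))
            weak = sorted(WEAK_KEX & enabled)
            if weak:
                findings.append((scope, broad, weak))
    return findings

if __name__ == "__main__":
    for scope, broad, weak in audit_kex(SAMPLE):
        print(("TOO BROAD" if broad else "scoped   "), scope, "->", ", ".join(weak))
```

To audit a real client, pass the contents of ~/.ssh/config to audit_kex() instead of SAMPLE.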