Microsoft Virtualization Discussions

Powershell Invoke-ncssh doesn't work w/o hmac-sha1

Elfeuro
4,303 Views

Hi,

I'm using PSTK 9.8.0 and have the problem that invoke-ncssh can't connect to the cluster since I removed hmac-sha1.

The error message is:
invoke-ncssh : Server HMAC algorithm not found

 

Putty can connect without any problems.

Is there any way to use other MAC algorithms for invoke-ncssh?

BTW PSTK 9.10.1.2111 can't connect either, even when hmac-sha1 isn't removed.

The message here is:
invoke-ncssh : An established connection was aborted by the server

And on the cluster I found this message:
no matching host key type found. Their offer: ssh-rsa,ssh-dss

 

Any suggestions?

9 REPLIES

hmoubara
4,250 Views

Hello,

Which algorithms are you trying to use instead? What does security ssh show for that cluster show?

The SSH protocol uses a Diffie-Hellman based key exchange method to establish a shared secret key during the SSH negotiation phase. The key exchange method specifies how one-time session keys are generated for encryption and authentication and how the server authentication takes place. Data ONTAP supports the diffie-hellman-group-exchange-sha256 key exchange algorithm for SHA-2. Data ONTAP also supports the diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, and diffie-hellman-group1-sha1 key exchange algorithms for SHA-1. Data ONTAP also supports ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, curve25519-sha256. Data ONTAP also supports the AES and 3DES symmetric encryptions (also known as ciphers) of the following types: aes256-ctr, aes192-ctr, aes128-ctr, aes256-cbc, aes192-cbc, aes128-cbc, aes128-gcm, aes256-gcm and 3des-cbc. Data ONTAP supports MAC algorithms of the following types: hmac-sha1, hmac-sha1-96, hmac-md5, hmac-md5-96, hmac-ripemd160, umac-64, umac-64, umac-128, hmac-sha2-256, hmac-sha2-512, hmac-sha1-etm, hmac-sha1-96-etm, hmac-sha2-256-etm, hmac-sha2-512-etm, hmac-md5-etm, hmac-md5-96-etm, hmac-ripemd160-etm, umac-64-etm, umac-128-etm

 

https://docs.netapp.com/ontap-9/topic/com.netapp.doc.dot-cm-cmpr-980/security__ssh__show.html

Elfeuro
4,203 Views

We have the following SSH settings on the cluster:

Key Exchange Algorithms: diffie-hellman-group-exchange-sha256, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521
Ciphers: aes256-ctr, aes192-ctr, aes128-ctr
MAC Algorithms: hmac-sha2-256, hmac-sha2-512, hmac-sha2-256-etm, hmac-sha2-512-etm

FIPS mode is enabled.
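
Why a hardened algorithm list like the one above can lock out an older SSH client, as an added example that is not part of the original thread or of the PSTK: per category, SSH picks the first algorithm on the client's list that the server also offers, and fails if there is none. The cluster lists and the "ssh-rsa,ssh-dss" offer come from the posts above; the two client offers, the server host key list and the function names are constructed assumptions.

```powershell
# Added example. RFC 4253 section 7.1: for ciphers and MACs the chosen
# algorithm is the first name on the CLIENT's list that the server also lists.
function Select-SshAlgorithm {
    param(
        [Parameter(Mandatory)][string[]]$ClientOffer,
        [Parameter(Mandatory)][string[]]$ServerOffer
    )
    foreach ($alg in $ClientOffer) {
        # Algorithm names are case-sensitive, hence -ccontains.
        if ($ServerOffer -ccontains $alg) { return $alg }
    }
    return $null   # no overlap: the handshake is aborted
}

# Server side: cipher and MAC lists as posted for the hardened cluster.
$server = @{
    cipher  = 'aes256-ctr', 'aes192-ctr', 'aes128-ctr'
    mac     = 'hmac-sha2-256', 'hmac-sha2-512', 'hmac-sha2-256-etm', 'hmac-sha2-512-etm'
    hostkey = 'ecdsa-sha2-nistp256', 'ssh-ed25519'   # CONSTRUCTED, not from the thread
}

# CONSTRUCTED offer for an older SSH library that only knows legacy MACs.
# The host key offer is the one quoted in the cluster log message above.
$legacyClient = @{
    cipher  = 'aes128-ctr', 'aes256-ctr'
    mac     = 'hmac-sha1', 'hmac-md5'
    hostkey = 'ssh-rsa', 'ssh-dss'
}

# CONSTRUCTED offer for a current client that also knows SHA-2 MACs.
$modernClient = @{
    cipher  = 'aes256-ctr', 'aes128-ctr'
    mac     = 'hmac-sha2-256', 'hmac-sha1'
    hostkey = 'ssh-ed25519', 'ssh-rsa'
}

function Test-SshNegotiation {
    param([hashtable]$Client, [hashtable]$Server)
    # Host key choice is simplified here; RFC 4253 also ties it to the kex method.
    foreach ($category in 'cipher', 'mac', 'hostkey') {
        $chosen = Select-SshAlgorithm -ClientOffer $Client[$category] -ServerOffer $Server[$category]
        [pscustomobject]@{ Category = $category; Chosen = $chosen; Agreed = [bool]$chosen }
    }
}

Test-SshNegotiation -Client $legacyClient -Server $server | Format-Table
Test-SshNegotiation -Client $modernClient -Server $server | Format-Table
```

Any category with `Agreed = False` corresponds to a failed handshake; comparing the client's real offer (visible in a verbose SSH trace or server log) against `security ssh show` output shows which list has to change.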

Drew_C
4,182 Views

@El_Feuro  I've swapped your account login back to your original one.

Community Manager \\ NetApp

Christian_Ott
3,606 Views

Hi,

I have discovered the same issue. I am also using PSTK 9.8.0 and PowerShell 5.1.xx Desktop Edition. On an (unsecure) system with all MAC algorithms enabled, the "invoke-ncssh" command runs fine; on a secured system with only the four algorithms enabled, as Elfeuro described, the command does not run.

Is there a way to tell PowerShell to use an alternative MAC algorithm? For instance a global variable or a parameter for a cmdlet?

Thanks
Christian

DL-SGTSF-TAM-OSI
2,445 Views

Hello Christian,

I have the same problem after removing the MAC algorithm hmac-sha1.

The cmdlet invoke-ncssh doesn't work.

Did you find a solution for this problem?

Best regards

Christian_Ott
2,409 Views

No, "maybe this will be fixed in newer versions ..." was the statement of NetApp support. I am still running the same old version, so I have not updated my PSTK so far; instead I have used the good old "plink.exe" in a batch file.

sorry 😞

El_Feuro
2,334 Views

I could solve the problem.

When connecting via Connect-NCController, I use the parameters -HTTPS and -ONTAPI.

Now everything works fine.

Christian_Ott
2,322 Views

Okay, which version of the PSTK do you use? In my 9.8.x there is no option "-ONTAPI" in the Connect-NcController cmdlet. Are you using a higher version?

El_Feuro
2,301 Views

I'm using the PSTK 9.12.1.2302 and meanwhile I also removed the -ontapi parameter.
