
Powershell Invoke-ncssh doesn't work w/o hmac-sha1

Elfeuro

Hi,

I'm using PSTK 9.8.0 and have the problem that invoke-ncssh can't connect to the cluster since I removed hmac-sha1.

The error message is:
invoke-ncssh : Server HMAC algorithm not found

Putty can connect without any problems.

Is there any way to use other MAC algorithms for invoke-ncssh?

BTW, PSTK 9.10.1.2111 can't connect either, even when hmac-sha1 isn't removed.

The message here is:
invoke-ncssh : An established connection was aborted by the server

And on the cluster I found this message:
no matching host key type found. Their offer: ssh-rsa,ssh-dss

Any suggestions?


hmoubara

Hello,

Which algorithms are you trying to use instead? What does security ssh show for that cluster show?

The SSH protocol uses a Diffie-Hellman based key exchange method to establish a shared secret key during the SSH negotiation phase. The key exchange method specifies how one-time session keys are generated for encryption and authentication and how the server authentication takes place. Data ONTAP supports the diffie-hellman-group-exchange-sha256 key exchange algorithm for SHA-2. Data ONTAP also supports the diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, and diffie-hellman-group1-sha1 key exchange algorithms for SHA-1. Data ONTAP also supports ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, curve25519-sha256. Data ONTAP also supports the AES and 3DES symmetric encryptions (also known as ciphers) of the following types: aes256-ctr, aes192-ctr, aes128-ctr, aes256-cbc, aes192-cbc, aes128-cbc, aes128-gcm, aes256-gcm and 3des-cbc. Data ONTAP supports MAC algorithms of the following types: hmac-sha1, hmac-sha1-96, hmac-md5, hmac-md5-96, hmac-ripemd160, umac-64, umac-64, umac-128, hmac-sha2-256, hmac-sha2-512, hmac-sha1-etm, hmac-sha1-96-etm, hmac-sha2-256-etm, hmac-sha2-512-etm, hmac-md5-etm, hmac-md5-96-etm, hmac-ripemd160-etm, umac-64-etm, umac-128-etm

https://docs.netapp.com/ontap-9/topic/com.netapp.doc.dot-cm-cmpr-980/security__ssh__show.html

Elfeuro

We have the following SSH settings on the cluster:

Key Exchange Algorithms: diffie-hellman-group-exchange-sha256, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521
Ciphers: aes256-ctr, aes192-ctr, aes128-ctr
MAC Algorithms: hmac-sha2-256, hmac-sha2-512, hmac-sha2-256-etm, hmac-sha2-512-etm

FIPS mode is enabled.

Drew_C

@El_Feuro  I've swapped your account login back to your original one.

Community Manager \\ NetApp

Christian_Ott

Hi,

I have discovered the same issue, also using PSTK 9.8.0 and PowerShell 5.1.xx Desktop Edition. On an (unsecure) system with all MAC algorithms enabled, the "invoke-ncssh" command runs fine; on a secured system with only the four algorithms enabled, as Elfeuro described, the command does not run.

Is there a way to tell PowerShell to use an alternative MAC algorithm? For instance, a global variable or a parameter for a cmdlet?

thanks
Christian
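
Added example, not part of the original thread and not NetApp or PSTK code: a small PowerShell check that applies the SSH rule "first algorithm on the client's list that the server also supports" to each category, which shows where a hardened cluster and an older client stop having anything in common. The server lists are the ones posted above; the client lists are constructed for illustration and are an assumption, not the actual offer sent by invoke-ncssh, and the function names are hypothetical.

```powershell
# Simplified per-category selection as in RFC 4253 section 7.1.
# (Real key exchange selection has extra conditions tied to the host key type.)

function Select-SshAlgorithm {
    param(
        [string[]]$ClientOffer,   # in the client's preference order
        [string[]]$ServerOffer
    )
    # Algorithm names are case-sensitive, hence -ccontains.
    foreach ($alg in $ClientOffer) {
        if ($ServerOffer -ccontains $alg) { return $alg }
    }
    return $null                  # nothing in common: negotiation fails
}

function Test-SshNegotiation {
    param([hashtable]$Client, [hashtable]$Server)
    foreach ($category in 'kex', 'cipher', 'mac') {
        $chosen = Select-SshAlgorithm -ClientOffer $Client[$category] -ServerOffer $Server[$category]
        [pscustomobject]@{
            Category = $category
            Chosen   = $chosen
            Result   = $(if ($chosen) { 'ok' } else { 'no common algorithm' })
        }
    }
}

# Server side: the cluster settings posted in this thread.
$server = @{
    kex    = 'diffie-hellman-group-exchange-sha256', 'ecdh-sha2-nistp256',
             'ecdh-sha2-nistp384', 'ecdh-sha2-nistp521'
    cipher = 'aes256-ctr', 'aes192-ctr', 'aes128-ctr'
    mac    = 'hmac-sha2-256', 'hmac-sha2-512',
             'hmac-sha2-256-etm', 'hmac-sha2-512-etm'
}

# Client side: CONSTRUCTED sample of a client that only knows older MACs.
$client = @{
    kex    = 'diffie-hellman-group-exchange-sha256', 'diffie-hellman-group14-sha1'
    cipher = 'aes128-ctr', 'aes256-ctr'
    mac    = 'hmac-sha1', 'hmac-md5'
}

Test-SshNegotiation -Client $client -Server $server | Format-Table -AutoSize
```

To compare against a real client, replace the constructed `$client` lists with the algorithms that client actually offers, for example as shown in the debug output of an SSH client or a packet capture of its key exchange init message.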
