Microsoft Virtualization Discussions
Hi,
I'm using PSTK 9.8.0 and have the problem that invoke-ncssh can't connect to the cluster since I removed hmac-sha1.
The error message is:
invoke-ncssh : Server HMAC algorithm not found
Putty can connect without any problems.
Is there any way to use other mac-algorithms for invoke-ncssh?
BTW, PSTK 9.10.1.2111 can't connect either, even when hmac-sha1 isn't removed.
The message here is:
invoke-ncssh : An established connection was aborted by the server
And on the cluster I found this message:
no matching host key type found. Their offer: ssh-rsa,ssh-dss
Any suggestions?
Hello,
Which algorithms are you trying to use instead? What does security ssh show for that cluster show?
The SSH protocol uses a Diffie-Hellman based key exchange method to establish a shared secret key during the SSH negotiation phase. The key exchange method specifies how one-time session keys are generated for encryption and authentication and how the server authentication takes place. Data ONTAP supports the diffie-hellman-group-exchange-sha256 key exchange algorithm for SHA-2. Data ONTAP also supports the diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, and diffie-hellman-group1-sha1 key exchange algorithms for SHA-1. Data ONTAP also supports ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, curve25519-sha256. Data ONTAP also supports the AES and 3DES symmetric encryptions (also known as ciphers) of the following types: aes256-ctr, aes192-ctr, aes128-ctr, aes256-cbc, aes192-cbc, aes128-cbc, aes128-gcm, aes256-gcm and 3des-cbc. Data ONTAP supports MAC algorithms of the following types: hmac-sha1, hmac-sha1-96, hmac-md5, hmac-md5-96, hmac-ripemd160, umac-64, umac-64, umac-128, hmac-sha2-256, hmac-sha2-512, hmac-sha1-etm, hmac-sha1-96-etm, hmac-sha2-256-etm, hmac-sha2-512-etm, hmac-md5-etm, hmac-md5-96-etm, hmac-ripemd160-etm, umac-64-etm, umac-128-etm
https://docs.netapp.com/ontap-9/topic/com.netapp.doc.dot-cm-cmpr-980/security__ssh__show.html
We have the following SSH settings on the cluster:
Key Exchange Algorithms:
diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521
Ciphers:
aes256-ctr, aes192-ctr, aes128-ctr
MAC Algorithms:
hmac-sha2-256, hmac-sha2-512,hmac-sha2-256-etm, hmac-sha2-512-etm
FIPS mode is enabled.
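Added example, not part of the original thread and not NetApp or toolkit code: SSH algorithm negotiation as described in RFC 4253, section 7.1, run against the cluster settings quoted above, to show how a single category with no common algorithm ends the handshake. The two client offers (`LEGACY_CLIENT`, `MODERN_CLIENT`) are constructed for illustration and do not describe what any PSTK release actually offers; key exchange selection is simplified to the same first-match rule.

```python
# Added example: SSH algorithm negotiation as in RFC 4253, section 7.1.
# For each category the first name on the client's list that the server
# also lists is chosen; if there is none, the connection is dropped.

def parse_name_list(text):
    """Split a comma-separated name-list, tolerating stray spaces."""
    return [name.strip() for name in text.split(",") if name.strip()]

# Server side: the cluster settings quoted in this thread.
SERVER = {
    "kex": parse_name_list("diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256, "
                           "ecdh-sha2-nistp384, ecdh-sha2-nistp521"),
    "cipher": parse_name_list("aes256-ctr, aes192-ctr, aes128-ctr"),
    "mac": parse_name_list("hmac-sha2-256, hmac-sha2-512,hmac-sha2-256-etm, "
                           "hmac-sha2-512-etm"),
}

# Client side: CONSTRUCTED offers, not taken from any toolkit release.
LEGACY_CLIENT = {
    "kex": ["diffie-hellman-group-exchange-sha256", "diffie-hellman-group14-sha1"],
    "cipher": ["aes128-ctr", "aes256-ctr", "3des-cbc"],
    "mac": ["hmac-sha1", "hmac-md5"],
}
MODERN_CLIENT = dict(LEGACY_CLIENT, mac=["hmac-sha2-512", "hmac-sha2-256", "hmac-sha1"])

def negotiate(client, server):
    """Return {category: chosen name or None} for every server category."""
    result = {}
    for category, server_names in server.items():
        allowed = set(server_names)
        # Client preference order decides; the server list is only a filter.
        result[category] = next(
            (name for name in client.get(category, []) if name in allowed), None)
    return result

def failed_categories(client, server):
    """Categories with no common algorithm; any one aborts the handshake."""
    return [c for c, chosen in negotiate(client, server).items() if chosen is None]

if __name__ == "__main__":
    for label, client in (("legacy", LEGACY_CLIENT), ("modern", MODERN_CLIENT)):
        print(label, negotiate(client, SERVER), failed_categories(client, SERVER))
```

Because the client's order wins, the cipher chosen here is aes128-ctr even though the cluster lists aes256-ctr first; hardening is therefore done by removing names from the server list, not by reordering it.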
@El_Feuro I've swapped your account login back to your original one.
Hi,
I have discovered the same issue. I am also using PSTK 9.8.0 and PowerShell 5.1.xx Desktop Edition. On an (unsecure) system with all MAC algorithms enabled, the "invoke-ncssh" command runs fine; on a secured system with only the four algorithms enabled like Elfeuro described, the command does not run.
Is there a way to tell PowerShell to use an alternative MAC algorithm? For instance a global variable or a parameter for a cmdlet?
Thanks
Christian
Hello Christian,
I have the same problem after removing the MAC algorithm hmac-sha1.
The cmdlet invoke-ncssh doesn't work.
Did you find a solution for this problem?
Best regards
No, "maybe this will be fixed in newer versions" ... was the statement of NetApp support. I'm still running the same old version, so I have not updated my PSTK so far; instead I have used the good old "plink.exe" in a batch file.
Sorry 😞
I could solve the problem.
When connecting via Connect-NCController, I use the parameters -HTTPS and -ONTAPI.
Now everything works fine.
Okay, which version of the PSTK do you use? In my 9.8.x there is no option "-ONTAPI" in the Connect-NcController cmdlet. Are you using a higher version?
I'm using the PSTK 9.12.1.2302 and meanwhile I also removed the -ontapi parameter.