OnTAP Upgrade Alert: OpenSSH 7.2 Upgrade Violation

TMADOCTHOMAS

I upgraded OnTAP from 8.2P4 to 8.3P7 on our DR cluster yesterday, via the System Manager Cluster Upgrade GUI. When performing validation, I received the following alert:

 

--------------------------------------------------------------------------------------------------------------------

"hmac-ripemd160" and "hmac-rivemd160-etm" are considered weak keyed-hash message authentication code (HMAC) algorithms and support for the same will be removed after upgrading to Data OnTAP 9.3.

 

Advice:

Ensure the Vservers do not have these HMAC algorithms configured before attempting to upgrade.

Action:
Before retrying the upgrade, remove the above weak algorithms using "security ssh remove" command. To list all Vservers configured with one or both the above HMAC algorithms, run "security ssh show -mac-algorithms hmac-ripemd160* -vserver * -fields vserver" .

--------------------------------------------------------------------------------------------------------------------

 

I tried the "security ssh remove" command, however when I chose "hmac-ripemd160" for an SVM it removed ALL algorithms for that SVM. I used "security ssh add" to add it back, and all algorithms came back.

 

I wasn't too concerned about this for our DR cluster, so I went ahead with the upgrade and everything was fine. Sure enough, the offending algorithms were removed automatically without any effort on my part.

 

Next week I plan to upgrade our production cluster and want to ensure this will not be an issue. I always do prod at the command line so I likely wouldn't have even seen this message had I not done DR from the GUI (this message doesn't appear in Config Advisor or the Upgrade Guide). Is there any way to determine if a particular algorithm is actually in use? I would suspect not but know of no way to verify. Would love to hear any thoughts or recommendations!
