Hi,
A customer wrote to me that the NetApp supports some weak SSH MAC and encryption algorithms or ciphers.
So I tested with "security ssh remove" to remove all with CBC, SHA1 and MD5.
I tested the access after those commands and got no problems.
But now, one week later, I can't log in via SSH to the NetApp; I only get "Remote side unexpectedly closed network connection".
So I inserted everything that I had removed again, but I still can't log in.
If it takes up to a week to become active after removing, how long does it take to become active after inserting again?
Is there a command to restart the SSH?
I'm using ONTAP 9.8P1.
Kind regards
Stefan
1 ACCEPTED SOLUTION
tahmad has accepted the solution
No it isn't, you can try the following if you have access to the SP.
Enter the following two commands:
security ssh remove -vserver <cluster> -mac-algorithms umac-128
security ssh remove -vserver <cluster> -mac-algorithms umac-128-etm
and now add the "-etm" back again:
security ssh add -vserver <cluster> -mac-algorithms umac-128-etm
Test if you can do an SSH to the controller, you will see, you can't...
Remove it again:
security ssh remove -vserver <cluster> -mac-algorithms umac-128-etm
And add it again but before the "-etm" add the other:
security ssh add -vserver <cluster> -mac-algorithms umac-128
security ssh add -vserver <cluster> -mac-algorithms umac-128-etm
Then you can do an SSH to the controller.
Must be a bug...
6 REPLIES
There are 2 KBs with similar issues:
Unable to connect via SSH to node/cluster management LIF
SSH connection fails after upgrade from ONTAP 9.7 to 9.8
Regarding the first KB, the SSH service is running; it is listed when I enter "netstat -a". As for the second KB, I had already removed the problematic SHA1 Key Exchange Algorithm from my config.
It is possible that I have a completely different problem, but I have modified the SSH security config. And now, one week later, I can't do an SSH to the controller.
If it's done automatically after a few days, I was thinking there must be a way to restart the SSH service without rebooting the controller.
Is there a log where I can see problems with SSH? (systemshell or spi?)
Ah, I found something in the messages.log:
sshd 65444 - - fatal: /etc/ssh/sshd_config line 102: Bad SSH2 mac spec 'hmac-sha2-256,hmac-sha2-512,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128@openssh.com-etm,umac-128,hmac-sha1,hmac-sha1-96,hmac-sha1-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5,hmac-md5-96,umac-64@openssh.com,hmac-md5-etm@openssh.com,hmac-md5-96-etm@openssh.com,umac-64-etm@openssh.com'.
I got this line when trying to log in. So I will compare later with an untouched system...
I found the problem:
sshd 65444 - - fatal: /etc/ssh/sshd_config line 102: Bad SSH2 mac spec 'hmac-sha2-256,hmac-sha2-512,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128@openssh.com-etm,umac-128,hmac-sha1,hmac-sha1-96,hmac-sha1-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5,hmac-md5-96,umac-64@openssh.com,hmac-md5-etm@openssh.com,hmac-md5-96-etm@openssh.com,umac-64-etm@openssh.com'.
If I remove that MAC from the config, I'm able to log in again.
And I can reproduce that, so I will open a case for that, this is a bug...
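An added example, not part of any post in this thread and not NetApp code: a small check that pulls the MAC list out of the sshd "Bad SSH2 mac spec" line quoted above and reports which names sshd does not recognise and which belong to the SHA1/MD5 families the original post set out to remove. The set of valid names is assumed to be what `ssh -Q mac` prints on a current OpenSSH build; the function and constant names are hypothetical.

```python
import re

# MAC names listed by `ssh -Q mac` in current OpenSSH releases (assumed baseline;
# compare with the output of the OpenSSH build you actually run).
KNOWN_MACS = {
    "hmac-sha1", "hmac-sha1-96", "hmac-sha2-256", "hmac-sha2-512",
    "hmac-md5", "hmac-md5-96",
    "umac-64@openssh.com", "umac-128@openssh.com",
    "hmac-sha1-etm@openssh.com", "hmac-sha1-96-etm@openssh.com",
    "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com",
    "hmac-md5-etm@openssh.com", "hmac-md5-96-etm@openssh.com",
    "umac-64-etm@openssh.com", "umac-128-etm@openssh.com",
}

# Hash families the original post wanted removed from the MAC list.
WEAK_MARKERS = ("sha1", "md5")

# Log line copied from the messages.log excerpt quoted in the thread.
LOG_LINE = (
    "sshd 65444 - - fatal: /etc/ssh/sshd_config line 102: Bad SSH2 mac spec "
    "'hmac-sha2-256,hmac-sha2-512,hmac-sha2-256-etm@openssh.com,"
    "hmac-sha2-512-etm@openssh.com,umac-128@openssh.com-etm,umac-128,"
    "hmac-sha1,hmac-sha1-96,hmac-sha1-etm@openssh.com,"
    "hmac-sha1-96-etm@openssh.com,hmac-md5,hmac-md5-96,umac-64@openssh.com,"
    "hmac-md5-etm@openssh.com,hmac-md5-96-etm@openssh.com,"
    "umac-64-etm@openssh.com'."
)


def extract_mac_spec(line):
    """Return the MAC names from a 'Bad SSH2 mac spec' log line, or []."""
    match = re.search(r"Bad SSH2 mac spec '([^']*)'", line)
    if not match:
        return []
    return [name.strip() for name in match.group(1).split(",") if name.strip()]


def audit_macs(names):
    """Split a MAC list into names sshd would reject and valid-but-weak names."""
    invalid = [n for n in names if n not in KNOWN_MACS]
    weak = [n for n in names
            if n in KNOWN_MACS and any(m in n for m in WEAK_MARKERS)]
    # One unknown name makes sshd reject the whole MACs line (the fatal above).
    return {"invalid": invalid, "weak": weak, "sshd_accepts": not invalid}


if __name__ == "__main__":
    report = audit_macs(extract_mac_spec(LOG_LINE))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Running the same audit on the MAC list of an untouched system gives the comparison mentioned in the post above.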