ONTAP Discussions

"security ssh" configuration

sraudonis
6,827 Views

Hi,

 

A customer wrote to me that the NetApp supports some weak SSH MAC and encryption algorithms or ciphers.

 

So I tested with "security ssh remove" to remove all with CBC, SHA1 and MD5.

 

I tested the access after those commands and got no problems.

 

But now, one week later, I can't log in via SSH to the NetApp; I only got "Remote side unexpectedly closed network connection".

 

So I inserted everything I removed again, but I still can't log in.

 

If it takes up to a week to become active after removing, how long does it take to become active after inserting again?

 

Is there a command to restart the SSH?

 

I'm using ONTAP 9.8P1.

 

Kind regards

Stefan

1 ACCEPTED SOLUTION

sraudonis
6,749 Views

No it isn't; you can try the following if you have access to the SP.

 

Enter the following two commands:

 

security ssh remove -vserver <cluster> -mac-algorithms umac-128
security ssh remove -vserver <cluster> -mac-algorithms umac-128-etm

 

And now add the "-etm" back again:

 

security ssh add -vserver <cluster> -mac-algorithms umac-128-etm

 

Test if you can SSH to the controller; you will see, you can't...

 

Remove it again:

 

security ssh remove -vserver <cluster> -mac-algorithms umac-128-etm

 

And add it again, but before the "-etm" add the other:

 

security ssh add -vserver <cluster> -mac-algorithms umac-128
security ssh add -vserver <cluster> -mac-algorithms umac-128-etm

 

Then you can SSH to the controller.

 

Must be a bug...


6 REPLIES

jcolonfzenpr
6,789 Views

sraudonis
6,768 Views

Regarding the first KB, the SSH service is running; it is listed when I enter "netstat -a". And regarding the second KB, I had already removed the problematic SHA1 key exchange algorithm from my config.

 

Possibly I have a completely different problem, but I have modified the SSH security config, and now one week later I can't SSH to the controller.

 

Since it's done automatically after a few days, I was thinking there must be a way to restart the SSH service without rebooting the controller.

 

Is there a log where I can see problems with SSH? (systemshell or spi?)

sraudonis
6,765 Views

Ah, I found something in the messages.log:

 

sshd 65444 - - fatal: /etc/ssh/sshd_config line 102: Bad SSH2 mac spec 'hmac-sha2-256,hmac-sha2-512,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128@openssh.com-etm,umac-128,hmac-sha1,hmac-sha1-96,hmac-sha1-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5,hmac-md5-96,umac-64@openssh.com,hmac-md5-etm@openssh.com,hmac-md5-96-etm@openssh.com,umac-64-etm@openssh.com'.

 

This line I got when trying to log in. So I will compare later with an untouched system...

sraudonis
6,764 Views

I found the problem:

 

sshd 65444 - - fatal: /etc/ssh/sshd_config line 102: Bad SSH2 mac spec 'hmac-sha2-256,hmac-sha2-512,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128@openssh.com-etm,umac-128,hmac-sha1,hmac-sha1-96,hmac-sha1-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5,hmac-md5-96,umac-64@openssh.com,hmac-md5-etm@openssh.com,hmac-md5-96-etm@openssh.com,umac-64-etm@openssh.com'.

 

If I remove that MAC from the config I'm able to log in again.

 

And I can reproduce that, so I will open a case for that; this is a bug...
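The sshd line above shows the failure mode that matters for anyone hardening SSH on an appliance: sshd validates the whole MACs list at startup and refuses every connection if a single entry is malformed, so a bad name lockouts the box rather than just disabling one algorithm. The following is an added example, not code from the thread or from NetApp. It takes a comma-separated MACs spec (the constructed sample below is a copy of the list in the quoted log line) and checks each name against the set of MAC names OpenSSH accepts, which is an assumption taken from the OpenSSH mac table, flagging entries sshd would reject and entries that are syntactically fine but weak (SHA-1, MD5, 64-bit UMAC, 96-bit truncation). Run it on a workstation against the list you intend to apply, before changing the controller.

```python
import re

# Constructed sample: the MACs spec quoted in the sshd "Bad SSH2 mac spec" line
SAMPLE_MAC_SPEC = (
    "hmac-sha2-256,hmac-sha2-512,hmac-sha2-256-etm@openssh.com,"
    "hmac-sha2-512-etm@openssh.com,umac-128@openssh.com-etm,umac-128,"
    "hmac-sha1,hmac-sha1-96,hmac-sha1-etm@openssh.com,hmac-sha1-96-etm@openssh.com,"
    "hmac-md5,hmac-md5-96,umac-64@openssh.com,hmac-md5-etm@openssh.com,"
    "hmac-md5-96-etm@openssh.com,umac-64-etm@openssh.com"
)

# Assumed OpenSSH MAC names (from the OpenSSH mac table), split by strength.
STRONG_MACS = {
    "hmac-sha2-256", "hmac-sha2-512", "umac-128@openssh.com",
    "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com",
    "umac-128-etm@openssh.com",
}
WEAK_MACS = {
    "hmac-sha1", "hmac-sha1-96", "hmac-md5", "hmac-md5-96", "umac-64@openssh.com",
    "hmac-sha1-etm@openssh.com", "hmac-sha1-96-etm@openssh.com",
    "hmac-md5-etm@openssh.com", "hmac-md5-96-etm@openssh.com",
    "umac-64-etm@openssh.com",
}
KNOWN_MACS = STRONG_MACS | WEAK_MACS

# Names are lower-case tokens with an optional "@domain" suffix at the very end.
NAME_RE = re.compile(r"^[a-z0-9-]+(?:@[a-z0-9.-]+)?$")


def classify_mac(name):
    """Return (status, note) for one MAC name: 'ok', 'weak' or 'invalid'."""
    if name in STRONG_MACS:
        return ("ok", "")
    if name in WEAK_MACS:
        return ("weak", "SHA-1/MD5 or truncated tag; accepted by sshd but not recommended")
    if not NAME_RE.match(name):
        return ("invalid", "illegal characters in MAC name")
    base, sep, domain = name.partition("@")
    if sep and domain != "openssh.com":
        # The thread's broken entry: the '-etm' suffix was appended after the
        # vendor domain, so sshd sees an unknown name and aborts the whole list.
        if "-etm" in domain:
            return ("invalid", "'-etm' must come before '@openssh.com'")
        return ("invalid", "unknown domain suffix '@%s'" % domain)
    if not sep and base + "@openssh.com" in KNOWN_MACS:
        return ("invalid", "did you mean '%s@openssh.com'?" % base)
    return ("invalid", "not an OpenSSH MAC name")


def check_mac_spec(spec):
    """Split a comma-separated MACs spec and bucket every entry by status."""
    report = {"ok": [], "weak": [], "invalid": {}}
    for name in (n.strip() for n in spec.split(",") if n.strip()):
        status, note = classify_mac(name)
        if status == "invalid":
            report["invalid"][name] = note
        else:
            report[status].append(name)
    return report


def sshd_would_accept(spec):
    """True when no entry would make sshd log 'Bad SSH2 mac spec' and exit."""
    return not check_mac_spec(spec)["invalid"]


if __name__ == "__main__":
    result = check_mac_spec(SAMPLE_MAC_SPEC)
    print("sshd accepts list:", sshd_would_accept(SAMPLE_MAC_SPEC))
    for name, note in result["invalid"].items():
        print("INVALID %-32s %s" % (name, note))
    for name in result["weak"]:
        print("WEAK    %s" % name)
    for name in result["ok"]:
        print("OK      %s" % name)
```

The check is deliberately stricter than sshd itself: sshd only tells you that the list is bad and exits, while this reports which entry is wrong and why, and separately lists the weak-but-valid names you would want to remove. A list that passes `sshd_would_accept` can still be rejected by an appliance that rewrites it, so keep a second session (or SP/console access, as the accepted answer notes) open while applying changes.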

