ONTAP Discussions

"security ssh" configuration

sraudonis

Hi,

A customer wrote to me that the NetApp supports some weak SSH MAC and encryption algorithms or ciphers.

So I tested with "security ssh remove" to remove all with CBC, SHA1 and MD5.

I tested the access after those commands and had no problems.

But now, one week later, I can't log in via SSH to the NetApp; I only get "Remote side unexpectedly closed network connection".

So I inserted everything I removed again, but I still can't log in.

If it takes up to a week to become active after removing, how long does it take to become active after inserting again?

Is there a command to restart the SSH?

I'm using ONTAP 9.8P1.

Kind regards

Stefan

1 ACCEPTED SOLUTION

sraudonis

No it isn't, you can try the following if you have access to the SP.

Enter the following two commands:

security ssh remove -vserver <cluster> -mac-algorithms umac-128
security ssh remove -vserver <cluster> -mac-algorithms umac-128-etm

and now add the "-etm" back again:

security ssh add -vserver <cluster> -mac-algorithms umac-128-etm

Test if you can do an SSH to the controller; you will see, you can't...

Remove it again:

security ssh remove -vserver <cluster> -mac-algorithms umac-128-etm

And add it again, but before the "-etm" add the other:

security ssh add -vserver <cluster> -mac-algorithms umac-128
security ssh add -vserver <cluster> -mac-algorithms umac-128-etm

Then you can do an SSH to the controller.

Must be a bug...


6 REPLIES

jcolonfzenpr

sraudonis

Regarding the first KB, the SSH service is running; it is listed when I enter "netstat -a". And regarding the second KB, I had already removed the problematic SHA1 key exchange algorithm from my config.

Possibly I have a completely different problem, but I have modified the SSH security config, and now, one week later, I can't do an SSH to the controller.

If it's done automatically after a few days, I was thinking there must be a way to restart the SSH service without rebooting the controller.

Is there a log where I can see problems with SSH? (systemshell or spi?)

sraudonis

Ah, I found something in the messages.log:

sshd 65444 - - fatal: /etc/ssh/sshd_config line 102: Bad SSH2 mac spec 'hmac-sha2-256,hmac-sha2-512,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128@openssh.com-etm,umac-128,hmac-sha1,hmac-sha1-96,hmac-sha1-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5,hmac-md5-96,umac-64@openssh.com,hmac-md5-etm@openssh.com,hmac-md5-96-etm@openssh.com,umac-64-etm@openssh.com'.

I got this line when trying to log in. So I will compare later with an untouched system...

sraudonis

I found the problem:

sshd 65444 - - fatal: /etc/ssh/sshd_config line 102: Bad SSH2 mac spec 'hmac-sha2-256,hmac-sha2-512,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128@openssh.com-etm,umac-128,hmac-sha1,hmac-sha1-96,hmac-sha1-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5,hmac-md5-96,umac-64@openssh.com,hmac-md5-etm@openssh.com,hmac-md5-96-etm@openssh.com,umac-64-etm@openssh.com'.

If I remove that MAC from the config I'm able to log in again.

And I can reproduce that, so I will open a case for it; this is a bug...
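The sshd "fatal" line above is the key evidence: sshd rejects the whole MACs list when a single entry is not a name it knows, so one malformed entry (here "umac-128@openssh.com-etm", where the "@openssh.com" suffix landed in the middle of the name instead of at the end) locks out every SSH login until the list is repaired. The following script is an added example, not code from the thread or from NetApp: it pulls the MAC spec out of such a log line (or out of a "MACs" directive in sshd_config), flags every entry that is not a valid OpenSSH MAC name, and separately flags the SHA-1, MD5 and 64-bit-tag entries that a customer hardening scan would list as weak. The set of valid names is an assumption taken from OpenSSH's documented MAC list; the sample log line is a copy of the one quoted in the thread.

```python
import re

# Constructed copy of the sshd "fatal" line quoted earlier in this thread.
SAMPLE_LOG_LINE = (
    "sshd 65444 - - fatal: /etc/ssh/sshd_config line 102: Bad SSH2 mac spec "
    "'hmac-sha2-256,hmac-sha2-512,hmac-sha2-256-etm@openssh.com,"
    "hmac-sha2-512-etm@openssh.com,umac-128@openssh.com-etm,umac-128,hmac-sha1,"
    "hmac-sha1-96,hmac-sha1-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5,"
    "hmac-md5-96,umac-64@openssh.com,hmac-md5-etm@openssh.com,"
    "hmac-md5-96-etm@openssh.com,umac-64-etm@openssh.com'."
)

# Assumption: the MAC names OpenSSH sshd accepts (what `ssh -Q mac` prints on a
# current OpenSSH). Note that UMAC names always carry the @openssh.com suffix,
# and the encrypt-then-MAC forms put "-etm" *before* that suffix.
OPENSSH_MACS = frozenset({
    "hmac-sha1", "hmac-sha1-96", "hmac-sha2-256", "hmac-sha2-512",
    "hmac-md5", "hmac-md5-96", "umac-64@openssh.com", "umac-128@openssh.com",
    "hmac-sha1-etm@openssh.com", "hmac-sha1-96-etm@openssh.com",
    "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com",
    "hmac-md5-etm@openssh.com", "hmac-md5-96-etm@openssh.com",
    "umac-64-etm@openssh.com", "umac-128-etm@openssh.com",
})

# Substrings that mark the MACs a hardening scan typically reports as weak
# (SHA-1, MD5, and the 64-bit UMAC tag).
WEAK_MARKERS = ("sha1", "md5", "umac-64")

MAC_SPEC_RE = re.compile(r"Bad SSH2 mac spec '([^']*)'")
MACS_DIRECTIVE_RE = re.compile(r"^\s*MACs\s+(\S+)", re.IGNORECASE)


def extract_mac_spec(line):
    """Return the comma-separated MAC spec found in either an sshd
    'Bad SSH2 mac spec' log line or a 'MACs ...' sshd_config directive,
    or None when the line is neither."""
    match = MAC_SPEC_RE.search(line) or MACS_DIRECTIVE_RE.match(line)
    return match.group(1) if match else None


def check_mac_spec(spec):
    """Classify every entry of a MAC spec as invalid (unknown to sshd),
    weak (known but flagged by hardening scans) or ok. sshd refuses the
    whole list if any entry is invalid, which is what locks logins out."""
    result = {"invalid": [], "weak": [], "ok": []}
    for name in spec.split(","):
        name = name.strip()
        if not name:
            continue
        if name not in OPENSSH_MACS:
            result["invalid"].append(name)
        elif any(marker in name for marker in WEAK_MARKERS):
            result["weak"].append(name)
        else:
            result["ok"].append(name)
    return result


def suggest_fix(spec):
    """Return the spec with invalid and weak entries dropped: a list sshd
    will accept that also satisfies a SHA-1/MD5 hardening requirement."""
    return ",".join(check_mac_spec(spec)["ok"])


if __name__ == "__main__":
    spec = extract_mac_spec(SAMPLE_LOG_LINE)
    report = check_mac_spec(spec)
    for category, names in report.items():
        print(f"{category:>7}: {', '.join(names) or '-'}")
    print("suggested MACs:", suggest_fix(spec))
```

Run against the quoted line it reports two invalid entries, "umac-128@openssh.com-etm" and the bare "umac-128", which is why sshd aborted; everything containing sha1, md5 or umac-64 lands in the weak bucket, and only the four SHA-2 entries survive into the suggested list. On a live system, regenerate OPENSSH_MACS from `ssh -Q mac` on the same OpenSSH build rather than trusting the constant.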

