Solved: "security ssh" configuration

sraudonis · ‎2021-02-16

Hi,

a customer wrote to me that the NetApp supports some weak ssh MAC and Encryption algorithms or Cyphers.

So i tested with "security ssh remove" to remove all with CBC, SHA1 und MD5.

I tested the access after that commnds and got no problems.

But now, one week later i cant login via SSH to the NetApp, i got only "Remote side unexpectedly closed network connection".

So i inserted all what i remved again, but i still can't login.

When it takes up to a week to get active after removing, how log does it take to get active after inserting again?

Is here a commend to restart the SSH?

I'm using ONTAP 9.8P1.

Kind regards

Stefan

sraudonis · ‎2021-02-17

No it isn't, you can try the following if you have access to the SP.

Enter the following two commands:

security ssh remove -vserver <cluster> -mac-algorithms umac-128
security ssh remove -vserver <cluster> -mac-algorithms umac-128-etm

and now add the "-etm" back again:

security ssh add -vserver <cluster> -mac-algorithms umac-128-etm

Test if you can do a SSH to the controller, you will see, you can't...

Remove it again:

security ssh remove -vserver <cluster> -mac-algorithms umac-128-etm

And add it again but before the "-etm" add the other:

security ssh add -vserver <cluster> -mac-algorithms umac-128
security ssh add -vserver <cluster> -mac-algorithms umac-128-etm

Then yo can do a SSH to the ccontroller.

Must be a bug...

View solution in original post

jcolonfzenpr · ‎2021-02-16

There are 2 KB with similar issues:

Unable to connect via SSH to node/cluster management LIF

https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/Unable_to_connect_via_SSH_to_node_cluster_management_LIF

SSH connection fails after upgrade from ONTAP 9.7 to 9.8

https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/SSH_connection_fails_after_upgrade_from_ONTAP_9.7_to_9.8

Jonathan Colón | Blog | Linkedin

sraudonis · ‎2021-02-16

Regarding the first KB, the SSH service is running, it is listed when i enter "netstat -a". And the second KB, i had removed already the problematic SHA1 Key Exchange Algorithm from my config.

Possible that i have a completely different problem, but i have modified the SSH security config. And now one week later i can't do a SSH to the controller.

When it's done after a few days automatically, so i was thinking there must be a way to restart the SSH service without rebooting the controller.

Is there a log where i can see problems with SSH? (systemshell or spi?)

sraudonis · ‎2021-02-17

Ah, i found something in the messages.log:

sshd 65444 - - fatal: /etc/ssh/sshd_config line 102: Bad SSH2 mac spec 'hmac-sha2-256,hmac-sha2-512,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128@openssh.com-etm,umac-128,hmac-sha1,hmac-sha1-96,hmac-sha1-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5,hmac-md5-96,umac-64@openssh.com,hmac-md5-etm@openssh.com,hmac-md5-96-etm@openssh.com,umac-64-etm@openssh.com'.

This line i got when trying to login. So i will compare later with a untouched system...

sraudonis · ‎2021-02-17

I found the problem:

sshd 65444 - - fatal: /etc/ssh/sshd_config line 102: Bad SSH2 mac spec 'hmac-sha2-256,hmac-sha2-512,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128@openssh.com-etm,umac-128,hmac-sha1,hmac-sha1-96,hmac-sha1-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5,hmac-md5-96,umac-64@openssh.com,hmac-md5-etm@openssh.com,hmac-md5-96-etm@openssh.com,umac-64-etm@openssh.com'.

If i remove that mac from the config i'm able to login again.

And i can reproduce that, so i open a case for that, this is a bug...

jcolonfzenpr · ‎2021-02-17

Similar KB:

https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/SSH_fails_to_connect_to_node_due_to_presence_of_%22hmac-ripemd160%22_a...