ONTAP Discussions

removal of hmac-ripemd160 from OnTap 9.1p7

itopsxerox
4,949 Views

Hi,

 

Could some one help me on this. We are planning to upgrade our OnTap 9.1 p7 to 9.3. during the image validation, I got the below warning. Could you please let me know if we remove the mentioned MAC algoritham from the existing setup, will it cause any issue, post upgrdate.

 

Openssh 7.2 upgrade   Warning    Warning: "hmac-ripemd160" and

precheck                         "hmac-ripemd160-etm" are considered weak

                                 keyed-hash message authentication code

                                 (HMAC) algorithms and support for the same

                                 will be removed after upgrading to Data

                                 ONTAP 9.3.

                                 Action: Before retrying the upgrade, remove

                                 the above weak algorithms using "security

                                 ssh remove" command. To list all Vservers

                                 configured with one or both the above HMAC

                                 algorithms, run "security ssh show

                                 -mac-algorithms hmac-ripemd160* -vserver *

                                 -fields vserver" .

 

Thanks,

Senthil

6 REPLIES 6

shuklas
4,896 Views

It will not impact anything however if you have any client which is using "Hmac-Ripemd160" to talk to ONTAP it will be denied .

itopsxerox
4,886 Views
how to check which client is using the given MAC algorithm

shuklas
4,881 Views

This has to be done by the client end . You can ask your server team to validate the same .

 

itopsxerox
4,876 Views

Hi shuklas,

 

we are using Netapp storage only for Lun which is mapped to vmware. will it impact the the vmware infra.

 

shuklas
4,867 Views

No it will not

SVHO
3,693 Views

Bump for this old post.  Do I have to remove this prior to the upgrade?

 

We are on 9.2p1 going to 9.3p18.  We did the validation and it said the same thing as the original poster.  We are using CIFS and NFS.

 

When running the below command, it shows below.

cmnas::*> security ssh show -mac-algorithms hmac-ripemd160* -vserver * -fields vserver
vserver
--------
cm_svm1
cmnas
js_svm1
3 entries were displayed.

 

 

TT

Public