ONTAP Discussions

removal of hmac-ripemd160 from OnTap 9.1p7

itopsxerox

Hi,

 

Could some one help me on this. We are planning to upgrade our OnTap 9.1 p7 to 9.3. during the image validation, I got the below warning. Could you please let me know if we remove the mentioned MAC algoritham from the existing setup, will it cause any issue, post upgrdate.

 

Openssh 7.2 upgrade   Warning    Warning: "hmac-ripemd160" and

precheck                         "hmac-ripemd160-etm" are considered weak

                                 keyed-hash message authentication code

                                 (HMAC) algorithms and support for the same

                                 will be removed after upgrading to Data

                                 ONTAP 9.3.

                                 Action: Before retrying the upgrade, remove

                                 the above weak algorithms using "security

                                 ssh remove" command. To list all Vservers

                                 configured with one or both the above HMAC

                                 algorithms, run "security ssh show

                                 -mac-algorithms hmac-ripemd160* -vserver *

                                 -fields vserver" .

 

Thanks,

Senthil

6 REPLIES 6

Re: removal of hmac-ripemd160 from OnTap 9.1p7

shuklas

It will not impact anything however if you have any client which is using "Hmac-Ripemd160" to talk to ONTAP it will be denied .

Re: removal of hmac-ripemd160 from OnTap 9.1p7

itopsxerox
how to check which client is using the given MAC algorithm

Re: removal of hmac-ripemd160 from OnTap 9.1p7

shuklas

This has to be done by the client end . You can ask your server team to validate the same .

 

Re: removal of hmac-ripemd160 from OnTap 9.1p7

itopsxerox

Hi shuklas,

 

we are using Netapp storage only for Lun which is mapped to vmware. will it impact the the vmware infra.

 

Re: removal of hmac-ripemd160 from OnTap 9.1p7

shuklas

No it will not

Re: removal of hmac-ripemd160 from OnTap 9.1p7

SVHO

Bump for this old post.  Do I have to remove this prior to the upgrade?

 

We are on 9.2p1 going to 9.3p18.  We did the validation and it said the same thing as the original poster.  We are using CIFS and NFS.

 

When running the below command, it shows below.

cmnas::*> security ssh show -mac-algorithms hmac-ripemd160* -vserver * -fields vserver
vserver
--------
cm_svm1
cmnas
js_svm1
3 entries were displayed.

 

 

TT

Earn Rewards for Your Review!
GPI Review Banner
All Community Forums
Public