ONTAP Discussions

removal of hmac-ripemd160 from OnTap 9.1p7

Hi,

 

Could someone help me with this? We are planning to upgrade our OnTap 9.1 p7 to 9.3. During the image validation, I got the below warning. Could you please let me know, if we remove the mentioned MAC algorithm from the existing setup, will it cause any issue post upgrade?

 

Openssh 7.2 upgrade   Warning    Warning: "hmac-ripemd160" and
precheck                         "hmac-ripemd160-etm" are considered weak
                                 keyed-hash message authentication code
                                 (HMAC) algorithms and support for the same
                                 will be removed after upgrading to Data
                                 ONTAP 9.3.
                                 Action: Before retrying the upgrade, remove
                                 the above weak algorithms using "security
                                 ssh remove" command. To list all Vservers
                                 configured with one or both the above HMAC
                                 algorithms, run "security ssh show
                                 -mac-algorithms hmac-ripemd160* -vserver *
                                 -fields vserver" .

 

Thanks,

Senthil

Re: removal of hmac-ripemd160 from OnTap 9.1p7

It will not impact anything; however, if you have any client which is using "Hmac-Ripemd160" to talk to ONTAP, it will be denied.

Re: removal of hmac-ripemd160 from OnTap 9.1p7

How to check which client is using the given MAC algorithm?

Re: removal of hmac-ripemd160 from OnTap 9.1p7

This has to be done by the client end. You can ask your server team to validate the same.
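
One way to run the client-side check mentioned in the reply above, as an added example that is not part of the original thread. It assumes OpenSSH clients; the function names and sample lines are constructed for illustration, and `<cluster-mgmt-lif>` is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes an OpenSSH client.
# On a real client, feed it live output (host name is a placeholder):
#   ssh -v admin@<cluster-mgmt-lif> exit 2>&1 | classify_session
#   remaining_macs "$(ssh -G <cluster-mgmt-lif> | awk '$1 == "macs" { print $2 }')"

# Print "<direction> <mac>" for each "kex:" line of `ssh -v` output on stdin.
negotiated_macs() {
    awk '$1 == "debug1:" && $2 == "kex:" && $4 == "cipher:" && $6 == "MAC:" { print $3, $7 }'
}

# WEAK    = at least one direction negotiated a hmac-ripemd160* MAC
# OK      = a MAC was negotiated and it is not one of those
#           ("<implicit>" appears when an AEAD cipher provides integrity itself)
# UNKNOWN = no kex lines seen, e.g. the connection failed before key exchange
classify_session() {
    macs=$(negotiated_macs)
    if [ -z "$macs" ]; then echo UNKNOWN; return 0; fi
    case "$macs" in
        *" hmac-ripemd160"*) echo WEAK ;;
        *) echo OK ;;
    esac
}

# Remove hmac-ripemd160* entries from a comma-separated MAC offer list.
# Empty output means the client offers nothing else and would fail to connect.
remaining_macs() {
    printf '%s\n' "$1" | awk -F, '{
        out = ""; sep = ""
        for (i = 1; i <= NF; i++)
            if ($i !~ /^hmac-ripemd160/) { out = out sep $i; sep = "," }
        print out
    }'
}

# Constructed sample debug output, not captured from a real system.
SAMPLE_WEAK='debug1: kex: server->client cipher: aes128-ctr MAC: hmac-ripemd160 compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-ripemd160 compression: none'
SAMPLE_OK='debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha2-256 compression: none'

printf '%s\n' "$SAMPLE_WEAK" | classify_session   # WEAK
printf '%s\n' "$SAMPLE_OK" | classify_session     # OK
remaining_macs 'hmac-ripemd160,hmac-sha2-256'     # hmac-sha2-256
```

A client reported as WEAK is only refused after the removal if its remaining offer list is empty or contains nothing the cluster still accepts; otherwise the session negotiates the next MAC both sides support.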

 

Re: removal of hmac-ripemd160 from OnTap 9.1p7

Hi shuklas,

 

We are using NetApp storage only for LUN which is mapped to VMware. Will it impact the VMware infra?

 

Re: removal of hmac-ripemd160 from OnTap 9.1p7

No, it will not.

Re: removal of hmac-ripemd160 from OnTap 9.1p7

Bump for this old post.  Do I have to remove this prior to the upgrade?

 

We are on 9.2p1 going to 9.3p18.  We did the validation and it said the same thing as the original poster.  We are using CIFS and NFS.

 

When running the below command, it shows below.

cmnas::*> security ssh show -mac-algorithms hmac-ripemd160* -vserver * -fields vserver
vserver
--------
cm_svm1
cmnas
js_svm1
3 entries were displayed.

 

 

TT
