ONTAP Discussions

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

ONTAP Discussions

Ask a Question

unable to SSH without specifying algorithm

gadgetvirtuoso
‎2017-02-15 11:34 AM
14,045 Views

After completing the recommended changes to our filer we can't just ssh to either controller without specifiying the algorithm to use.

 

https://kb.netapp.com/support/s/article/ka31A0000000yGnQAI/how-to-disable-sslv2-and-sslv3-in-data-ontap-for-cve-2016-0800-and-cve-2014-3566?language=e...

 

FAS2220 8.1.1 7-mode

 

If you try SSH to either controller on the shelf you see the following 

Unable to negotiate with IP_ADDRESS port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

 

However using this option works 100%

> ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 user@filer

 

We're mostly a Mac shop so I usually SSH from Mac, currently 10.12.3

 

 

 

Options ssh

 

ssh.access *
ssh.enable on
ssh.idle.timeout 600
ssh.passwd_auth.enable on
ssh.port 22
ssh.pubkey_auth.enable on
ssh1.enable off
ssh2.enable on

0 Kudos
View By:
3 REPLIES 3

NAYABSK
‎2017-02-15 09:50 PM
13,996 Views

Hi, 

 

Thank you for contacting NetApp community.

 

I see this issue is specific to MAC OS Sierra 10.12 and Open SSH. I found a useful link which may help you to fix the issue.

 

https://www.openssh.com/legacy.html

 

 

Thanks,

Nayab

0 Kudos

gadgetvirtuoso
‎2017-02-16 09:17 AM
In response to NAYABSK
13,958 Views

Yes, I've seen this page before, taht's how I found out how to still ssh into the shelf but it also says that its the legacy system (netapp in this case) that doesn't support a higher encryption level. Is there not a way to enable a higher encryption level on the shelf?

0 Kudos

AlexDawson
A-Team Tech Advisor A-Team Tech Advisor
‎2017-02-16 03:34 PM
In response to gadgetvirtuoso
13,941 Views

This system is running ONTAP 8.1.1 in 7-Mode (released in 2012), which is no longer supported by NetApp. While support is still available for 7-Mode ONTAP (if running 8.1.4, or 8.2.4), no new feature enhancement work is being undertaken on the platform, and as such, there is no fix planned for this issue.

 

 

Our suggested fix is to add in your client's ~/.ssh/config file:

 

 

Host somehost.example.org
KexAlgorithms +diffie-hellman-group1-sha1

 

Alternatively, with a valid support contract (and, unfortunately, migrating all the data off and back on, and the addition of a 10Gb Mezzanine card if not already present..), this system can be reformatted to run ONTAP 9.1, which is a Clustered ONTAP only release, and which fixes this issue, but it is by no means the easy option.

0 Kudos
Announcements
All Community Forums
Public