ONTAP Discussions
After completing the recommended changes to our filer we can't just ssh to either controller without specifying the algorithm to use.
FAS2220 8.1.1 7-mode
If you try SSH to either controller on the shelf you see the following
Unable to negotiate with IP_ADDRESS port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
However using this option works 100%
> ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 user@filer
We're mostly a Mac shop so I usually SSH from Mac, currently 10.12.3
Options ssh
ssh.access *
ssh.enable on
ssh.idle.timeout 600
ssh.passwd_auth.enable on
ssh.port 22
ssh.pubkey_auth.enable on
ssh1.enable off
ssh2.enable on
Hi,
Thank you for contacting NetApp community.
I see this issue is specific to MAC OS Sierra 10.12 and Open SSH. I found a useful link which may help you to fix the issue.
https://www.openssh.com/legacy.html
Thanks,
Nayab
Yes, I've seen this page before, that's how I found out how to still ssh into the shelf, but it also says that it's the legacy system (NetApp in this case) that doesn't support a higher encryption level. Is there not a way to enable a higher encryption level on the shelf?
This system is running ONTAP 8.1.1 in 7-Mode (released in 2012), which is no longer supported by NetApp. While support is still available for 7-Mode ONTAP (if running 8.1.4, or 8.2.4), no new feature enhancement work is being undertaken on the platform, and as such, there is no fix planned for this issue.
Our suggested fix is to add in your client's ~/.ssh/config file:
Host somehost.example.org
    KexAlgorithms +diffie-hellman-group1-sha1
Alternatively, with a valid support contract (and, unfortunately, migrating all the data off and back on, and the addition of a 10Gb Mezzanine card if not already present), this system can be reformatted to run ONTAP 9.1, which is a Clustered ONTAP only release, and which fixes this issue, but it is by no means the easy option.
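
The ~/.ssh/config workaround above re-enables a key exchange that OpenSSH disables by default, so it should stay scoped to the filer's own Host entry. The following is an added example, not part of the original thread: it flags diffie-hellman-group1-sha1 when it is enabled globally or under a wildcard Host pattern. The function name and sample config are constructed, and Match and Include directives are not evaluated.

```python
import re

# Key exchange named in this thread; OpenSSH disables it by default.
LEGACY_KEX = {"diffie-hellman-group1-sha1"}

# Constructed sample config, not taken from the thread.
SAMPLE = """\
# constructed sample
Host filer1.example.org
    KexAlgorithms +diffie-hellman-group1-sha1

Host *.example.org
    KexAlgorithms=+diffie-hellman-group1-sha1,curve25519-sha256

Host *
    ServerAliveInterval 60
"""

def audit_ssh_config(text):
    """Return (line_no, host_patterns, algorithm) for every legacy KEX
    that is enabled globally or under a wildcard Host pattern."""
    findings = []
    hosts = ["*"]  # options before the first Host line apply to every host
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # ssh_config accepts both "Keyword value" and "Keyword=value"
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) < 2:
            continue
        keyword, value = parts[0].lower(), parts[1]
        if keyword == "host":
            hosts = value.split()
        elif keyword == "match":
            hosts = []  # Match criteria are not evaluated in this example
        elif keyword == "kexalgorithms" and not value.startswith("-"):
            # "+" appends and "^" prepends to the defaults; "-" (skipped) removes
            wildcard = any(("*" in h or "?" in h) and not h.startswith("!")
                           for h in hosts)
            for algo in value.lstrip("+^").split(","):
                if wildcard and algo.strip() in LEGACY_KEX:
                    findings.append((line_no, " ".join(hosts), algo.strip()))
    return findings

if __name__ == "__main__":
    for finding in audit_ssh_config(SAMPLE):
        print("legacy KEX enabled too broadly:", finding)
```

The entry scoped to the single filer host passes; only the wildcard block is reported.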