NetApp Knowledgebase

Can less secure ciphers be removed?

Applies to

  • ONTAP 9
  • SSH


Yes. If ciphers are not being used by either the storage controller or the client, they can be removed.

Additional Information

Data ONTAP supports the following SSH security configurations:

  • The following SSH key exchange algorithms are supported and enabled by default:

    Data ONTAP, which serves as an SSH server, automatically selects the most secure SSH key exchange algorithm that matches the client.

    • The diffie-hellman-group-exchange-sha256 SSH key exchange algorithm for SHA-2
    • The diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, and diffie-hellman-group1-sha1 SSH key exchange algorithms for SHA-1

  • For ciphers, the following counter (CTR) mode and cipher block chaining (CBC) mode of the AES and 3DES symmetric encryptions are supported and enabled by default:

    The CTR mode ciphers are more secure than the CBC mode ciphers. Among ciphers of the same mode, the higher the key size, the more secure the cipher.

    • aes256-ctr
    • aes192-ctr
    • aes128-ctr
    • aes256-cbc
    • aes192-cbc
    • aes128-cbc
    • 3des-cbc

For more information, see Managing SSH security configurations.
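
The following is an added example, not NetApp code: a Python sketch that checks which of the default algorithms listed above are actually negotiated by clients before anything is removed. The client log excerpt is constructed (OpenSSH `ssh -v` negotiation lines), and the vserver name in the generated `security ssh remove` command is a placeholder.

```python
import re

# Defaults as listed on this page, strongest first within each list.
DEFAULT_CIPHERS = ["aes256-ctr", "aes192-ctr", "aes128-ctr",
                   "aes256-cbc", "aes192-cbc", "aes128-cbc", "3des-cbc"]
DEFAULT_KEX = ["diffie-hellman-group-exchange-sha256",
               "diffie-hellman-group-exchange-sha1",
               "diffie-hellman-group14-sha1",
               "diffie-hellman-group1-sha1"]

# Constructed sample: trimmed `ssh -v` output from three hypothetical clients.
SAMPLE_CLIENT_LOGS = """\
debug1: kex: algorithm: diffie-hellman-group-exchange-sha256
debug1: kex: server->client cipher: aes256-ctr MAC: hmac-sha2-256 compression: none
debug1: kex: algorithm: diffie-hellman-group14-sha1
debug1: kex: server->client cipher: aes128-cbc MAC: hmac-sha1 compression: none
debug1: kex: algorithm: diffie-hellman-group-exchange-sha256
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
"""

KEX_RE = re.compile(r"kex: algorithm: (\S+)")
CIPHER_RE = re.compile(r"kex: (?:server->client|client->server) cipher: (\S+)")

def removal_plan(log_text):
    """Split the default algorithms into unused (removable) and weak-but-in-use."""
    used_c = set(CIPHER_RE.findall(log_text))
    used_k = set(KEX_RE.findall(log_text))
    # Weakest first, following the ordering given on the page.
    remove_c = [c for c in reversed(DEFAULT_CIPHERS) if c not in used_c]
    remove_k = [k for k in reversed(DEFAULT_KEX) if k not in used_k]
    if len(remove_c) == len(DEFAULT_CIPHERS) or len(remove_k) == len(DEFAULT_KEX):
        raise ValueError("no negotiated algorithms observed; refusing to plan")
    # CBC ciphers and SHA-1 key exchanges a client still negotiates:
    # these cannot be removed until that client is reconfigured.
    blocked = [a for a in DEFAULT_CIPHERS + DEFAULT_KEX
               if a in used_c | used_k and a.endswith(("-cbc", "-sha1"))]
    return {"remove_ciphers": remove_c, "remove_kex": remove_k, "blocked": blocked}

def ontap_command(plan, vserver="<vserver>"):
    """Build the ONTAP `security ssh remove` line; the vserver is a placeholder."""
    return (f"security ssh remove -vserver {vserver} "
            f"-ciphers {','.join(plan['remove_ciphers'])} "
            f"-key-exchange-algorithms {','.join(plan['remove_kex'])}")

if __name__ == "__main__":
    plan = removal_plan(SAMPLE_CLIENT_LOGS)
    print(plan["blocked"])
    print(ontap_command(plan))
```

Algorithms reported under `blocked` are weak but still negotiated by some client, so that client needs to be updated before they can be removed.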