Can less secure ciphers be removed?
Applies to
- ONTAP 9
- SSH
Answer
Yes. If a cipher is not being used by the storage controller or by any of its clients, it can be removed.
Additional Information
Data ONTAP supports the following SSH security configurations:
- The following SSH key exchange algorithms are supported and enabled by default. Data ONTAP, which serves as an SSH server, automatically selects the most secure SSH key exchange algorithm that matches the client:
  - The diffie-hellman-group-exchange-sha256 SSH key exchange algorithm for SHA-2
  - The diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, and diffie-hellman-group1-sha1 SSH key exchange algorithms for SHA-1
- For ciphers, the following counter (CTR) mode and cipher block chaining (CBC) mode ciphers of the AES and 3DES symmetric encryption algorithms are supported and enabled by default. The CTR mode ciphers are more secure than the CBC mode ciphers; among ciphers of the same mode, the larger the key size, the more secure the cipher:
  - aes256-ctr
  - aes192-ctr
  - aes128-ctr
  - aes256-cbc
  - aes192-cbc
  - aes128-cbc
  - 3des-cbc
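As an added illustration (not NetApp's code or part of the original article), the following script applies the ranking above to the default cipher list: it marks CBC-mode ciphers for removal only when a client inventory does not need them, refuses a plan that would leave no cipher enabled, and prints the resulting cluster command. The client inventory, the SVM name `vs1`, and the `security ssh remove -vserver ... -ciphers a,b` command syntax are assumptions made for the example.

```python
"""Plan removal of weaker SSH ciphers from an ONTAP SVM (constructed example).

Ranking follows the article: CTR mode beats CBC mode, and within a mode a
larger key beats a smaller one (3DES is treated as the weakest cipher).
"""
import re

# Ciphers the article lists as enabled by default.
DEFAULT_CIPHERS = [
    "aes256-ctr", "aes192-ctr", "aes128-ctr",
    "aes256-cbc", "aes192-cbc", "aes128-cbc", "3des-cbc",
]


def cipher_rank(name):
    """Sort key; a larger tuple means a stronger cipher: (is_ctr, is_aes, key_bits)."""
    m = re.fullmatch(r"(aes|3des)(\d*)-(ctr|cbc)", name)
    if not m:
        raise ValueError(f"unrecognised cipher name: {name}")
    algo, bits, mode = m.groups()
    return (mode == "ctr", algo == "aes", int(bits) if bits else 0)


def plan_removal(enabled, required):
    """Return (keep, remove), each sorted strongest first.

    `required` is the set of ciphers the controller or a client still needs
    (assumed to come from a separate inventory). A cipher is removable only
    when it is CBC mode and not required. Raises if nothing would remain.
    """
    ranked = sorted(enabled, key=cipher_rank, reverse=True)
    remove = [c for c in ranked if c.endswith("-cbc") and c not in required]
    keep = [c for c in ranked if c not in remove]
    if not keep:
        raise ValueError("plan would disable every cipher; refusing")
    return keep, remove


def removal_command(vserver, remove):
    """Build the cluster command (assumed syntax) or None if nothing to remove."""
    if not remove:
        return None
    return f"security ssh remove -vserver {vserver} -ciphers {','.join(remove)}"


if __name__ == "__main__":
    # Constructed inventory: one legacy client still negotiates aes256-cbc.
    required = {"aes256-ctr", "aes256-cbc"}
    keep, remove = plan_removal(DEFAULT_CIPHERS, required)
    print("keep  :", keep)
    print("remove:", remove)
    print(removal_command("vs1", remove))
```

Run it against the cipher list reported by the SVM and the ciphers your clients actually negotiate; verify with `security ssh show` before and after applying the printed command.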
For more information, please see Managing SSH security configurations.