Skip to main content
NetApp Knowledge Base

Can less secure ciphers be removed?

  1. Last updated
  2. Save as PDF
Views:
1,167
Visibility:
Public
Votes:
1
Category:
ontap-9
Specialty:
nas
Last Updated:

Applies to

  • ONTAP 9
  • SSH

Answer

Yes, if ciphers are not being used by the storage controller nor the client they can be removed. 

Additional Information

Data ONTAP supports the following SSH security configurations:

  • The following SSH key exchange algorithms are supported and enabled by default:

    Data ONTAP, which serves as an SSH server, automatically selects the most secure SSH key exchange algorithm that matches the client. 

    • The diffie-hellman-group-exchange-sha256 SSH key exchange algorithm for SHA-2
    • The diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, and diffie-hellman-group1-sha1 SSH key exchange algorithms for SHA-1
  • For ciphers, the following counter (CTR) mode and cipher block chaining (CBC) mode of the AES and 3DES symmetric encryptions and enabled by default:

    The CTR mode ciphers are more secure than the CBC mode ciphers. Among ciphers of the same mode, the higher the key size, the more secure the cipher. 

  • aes256-ctr
  • aes192-ctr
  • aes128-ctr
  • aes256-cbc
  • aes192-cbc
  • aes128-cbc
  • 3des-cbc

For more information please see Managing SSH security configurations

 

 

 

  1. Back to top
  • Was this article helpful?

Recommended articles

  1. Article type
    How-to
    Confidence
    Validated
    Flag
    False
    Governance
    Experience
    KCS Enabled
    Yes
    Visibility
    Public
    Product Categories
    ONTAP 9
    Specialty
    NAS
  2. Tags
    1. ciphers
    2. SSH