SSH configuration is not applied on a node and removed ciphers are still being used
Applies to
- ONTAP 9
- SSH
- Ciphers
- Vulnerabilities
Issue
- Ciphers are not removed from one node of an HA pair
- The output of security ssh show indicates that the ciphers have been removed
Cluster1::> security ssh show -vserver Cluster1 -instance
Vserver: Cluster1
Key Exchange Algorithms: diffie-hellman-group-exchange-sha256,
ecdh-sha2-nistp256, ecdh-sha2-nistp384,
ecdh-sha2-nistp521
Ciphers: aes256-ctr, aes192-ctr, aes128-ctr, aes128-gcm,
aes256-gcm
MAC Algorithms: hmac-sha2-256, hmac-sha2-256-etm,
hmac-sha2-512, hmac-sha2-512-etm
- However, running nmap from a Linux client shows that the SSH server on the node still offers the disallowed ciphers
user:~ $ nmap --script ssh2-enum-algos -Pn x.x.x.x
Starting Nmap 6.40 ( http://nmap.org ) at 2024-02-05 02:00
Nmap scan report for host.localhost.com (x.x.x.x)
Host is up (0.0070s latency).
Not shown: 995 closed ports
PORT STATE SERVICE
22/tcp open ssh
| ssh2-enum-algos:
| kex_algorithms (4)
| diffie-hellman-group-exchange-sha256
| ecdh-sha2-nistp256
| ecdh-sha2-nistp384
| ecdh-sha2-nistp521
| server_host_key_algorithms (1)
| ecdsa-sha2-nistp256
| encryption_algorithms (9)
| aes128-ctr
| aes192-ctr
| aes256-ctr
| aes128-cbc <<<<< Disallowed, insecure SSH ciphers
| 3des-cbc <<<<<
| aes192-cbc <<<<<
| aes256-cbc <<<<<
| aes128-gcm@openssh.com
| aes256-gcm@openssh.com
| mac_algorithms (4)
| hmac-sha2-256
| hmac-sha2-256-etm@openssh.com
| hmac-sha2-512
| hmac-sha2-512-etm@openssh.com
| compression_algorithms (2)
| none
|_ zlib@openssh.com
111/tcp open rpcbind
443/tcp open https
10000/tcp open snet-sensor-mgmt
30000/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 0.24 seconds
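The mismatch above is easiest to catch by comparing what the node actually advertises with what security ssh show claims. The following Python is an added example (not from the KB article or from ONTAP) that parses nmap's ssh2-enum-algos output and reports every algorithm the server offers that is missing from the configured list; it assumes ONTAP lists OpenSSH-specific algorithms without the @openssh.com suffix, and it embeds a constructed copy of the encryption section from the scan above.

```python
import re

# Constructed sample: the encryption_algorithms section of the nmap ssh2-enum-algos output
# quoted in the article (other sections omitted to keep the example short).
NMAP_OUTPUT = """\
| ssh2-enum-algos:
|   encryption_algorithms (9)
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|       aes128-cbc
|       3des-cbc
|       aes192-cbc
|       aes256-cbc
|       aes128-gcm@openssh.com
|_      aes256-gcm@openssh.com
"""

# The cipher list that `security ssh show` reports for the vserver, in ONTAP's naming.
CONFIGURED = {"encryption_algorithms": ["aes256-ctr", "aes192-ctr", "aes128-ctr", "aes128-gcm", "aes256-gcm"]}

SECTION = re.compile(r"^\|_?\s+(\w+)\s+\(\d+\)\s*$")   # e.g. "|   encryption_algorithms (9)"
ITEM = re.compile(r"^\|_?\s+(\S+)\s*$")                 # e.g. "|       aes128-cbc"


def parse_ssh2_enum_algos(text):
    """Return {section: [algorithm, ...]} parsed from nmap's ssh2-enum-algos output."""
    algos, section = {}, None
    for line in text.splitlines():
        if m := SECTION.match(line):
            section = m.group(1)
            algos[section] = []
        elif (m := ITEM.match(line)) and section:   # the "| ssh2-enum-algos:" header has no section yet
            algos[section].append(m.group(1))
    return algos


def unexpected_algorithms(offered, configured):
    """Per section, algorithms the node offers that the configuration does not list.
    Assumption: ONTAP names OpenSSH-specific algorithms without the '@openssh.com' suffix
    (aes128-gcm for aes128-gcm@openssh.com), so the suffix is stripped before comparing."""
    result = {}
    for section, allowed in configured.items():
        extra = [a for a in offered.get(section, []) if a.replace("@openssh.com", "") not in allowed]
        if extra:
            result[section] = extra
    return result


if __name__ == "__main__":
    for section, extra in unexpected_algorithms(parse_ssh2_enum_algos(NMAP_OUTPUT), CONFIGURED).items():
        print(f"{section}: still offered although removed from the configuration: {', '.join(extra)}")
```

Run it against the saved output of an nmap scan of each node's management address, not just the cluster LIF, since the article shows the drift affects a single node of the HA pair.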