NetApp Knowledge Base

SSH configuration is not applied on a node and removed ciphers are still being used

Category:
ontap-9
Specialty:
core
Applies to

  • ONTAP 9
  • SSH
  • Ciphers
  • Vulnerabilities

Issue

  • Removed ciphers are still offered by one node of an HA pair; the other node honours the configuration
  • security ssh show output indicates the ciphers have been removed from the SSH configuration
Cluster1::> security ssh show -vserver Cluster1 -instance
                       Vserver: Cluster1
       Key Exchange Algorithms: diffie-hellman-group-exchange-sha256,
                                ecdh-sha2-nistp256, ecdh-sha2-nistp384,
                                ecdh-sha2-nistp521
                       Ciphers: aes256-ctr, aes192-ctr, aes128-ctr, aes128-gcm,    
                                aes256-gcm                                    
                MAC Algorithms: hmac-sha2-256, hmac-sha2-256-etm,
                                hmac-sha2-512, hmac-sha2-512-etm
  • However, running nmap from a Linux client against that node shows its SSH server still advertising the disallowed ciphers
user:~ $ nmap --script ssh2-enum-algos -Pn x.x.x.x

Starting Nmap 6.40 ( http://nmap.org ) at 2024-02-05 02:00
Nmap scan report for host.localhost.com (x.x.x.x)
Host is up (0.0070s latency).
Not shown: 995 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
| ssh2-enum-algos:
|   kex_algorithms (4)
|       diffie-hellman-group-exchange-sha256
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|   server_host_key_algorithms (1)
|       ecdsa-sha2-nistp256
|   encryption_algorithms (9)
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|       aes128-cbc                 <<<<< Disallowed, insecure SSH ciphers
|       3des-cbc                   <<<<<
|       aes192-cbc                 <<<<<
|       aes256-cbc                 <<<<<
|       aes128-gcm@openssh.com
|       aes256-gcm@openssh.com
|   mac_algorithms (4)
|       hmac-sha2-256
|       hmac-sha2-256-etm@openssh.com
|       hmac-sha2-512
|       hmac-sha2-512-etm@openssh.com
|   compression_algorithms (2)
|       none
|_      zlib@openssh.com
111/tcp   open  rpcbind
443/tcp   open  https
10000/tcp open  snet-sensor-mgmt
30000/tcp open  unknown
Nmap done: 1 IP address (1 host up) scanned in 0.24 seconds
