Managing SSH security configurations

Managing SSH security configurations involves managing the SSH key exchange algorithms and data encryption algorithms (also known as ciphers). Data ONTAP enables you to enable or disable individual SSH key exchange algorithms and ciphers for the cluster or Storage Virtual Machines (SVMs) according to their SSH security requirements.

Data ONTAP supports the following SSH security configurations for the cluster and SVMs:

• The following SSH key exchange algorithms are supported and enabled by default:
  • The diffie-hellman-group-exchange-sha256 SSH key exchange algorithm for SHA-2
  • The diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, and diffie-hellman-group1-sha1 SSH key exchange algorithms for SHA-1

  SHA-2 algorithms are more secure than SHA-1 algorithms. Data ONTAP, which serves as an SSH server, automatically selects the most secure SSH key exchange algorithm that matches the client. To further enhance SSH security, you can manually disable the SHA-1 algorithms and leave only the SHA-2 algorithm enabled.

• For ciphers, the following counter (CTR) mode and cipher block chaining (CBC) mode of the AES and 3DES symmetric encryptions are supported and enabled by default:
  • aes256-ctr
  • aes192-ctr
  • aes128-ctr
  • aes256-cbc
  • aes192-cbc
  • aes128-cbc
  • 3des-cbc

  The CTR mode ciphers are more secure than the CBC mode ciphers. Among ciphers of the same mode, the higher the key size, the more secure the cipher. Of the ciphers supported by Data ONTAP, aes256-ctr is the most secure, and 3des-cbc is the least secure.

You can manage the SSH key exchange algorithms and ciphers for the cluster and SVMs in the following ways:

• Display the current configurations of SSH key exchange algorithms and ciphers (security ssh show)

  The enabled SSH key exchange algorithms are displayed in the order of deceasing security strengths.

  The enabled CTR mode ciphers (more secure) are displayed before the CBC mode ciphers (less secure). Within each mode type, the ciphers are displayed in decreasing key size.

• Replace the current configurations of the SSH key exchange algorithms or ciphers with the configuration settings you specify (security ssh modify)

  If you modify the SSH key exchange algorithm or cipher configurations for the cluster, the changes apply also to all subsequently created SVMs.

• Add SSH key exchange algorithms or ciphers to the current configurations (security ssh add)

  The added SSH key exchange algorithms or ciphers are enabled.

  If you add SSH key exchange algorithms or ciphers to the cluster configuration, the changes apply also to all subsequently created SVMs.

• Remove the specified SSH key exchange algorithms or ciphers from the current configurations (security ssh remove)

  The removed SSH key exchange algorithms or ciphers are disabled.

  If you remove SSH key exchange algorithms or ciphers from the cluster configuration, the changes apply also to all subsequently created SVMs.

  Data ONTAP prevents you from removing all SSH key exchange algorithms or all ciphers from the cluster or an SVM.

• Restore the configurations of SSH key exchange algorithms and ciphers of the cluster and all SVMs to the settings that were used prior to Data ONTAP 8.2.1 (security ssh prepare-to-downgrade, available at the advanced privilege level)

  If you downgrade or revert to a release earlier than Data ONTAP 8.2.1, Data ONTAP prompts you to run this command to reset the SSH security configurations of the cluster and all SVMs to the following default settings of the earlier release:

  • All supported SHA-1 and SHA-2 SSH key exchange algorithms are reset to the enabled state.
  • All CTR and CBC modes of data encryption algorithms are reset to the enabled state.
  Attention: Do not execute the security ssh prepare-to-downgrade command except for the downgrade or revert to a release earlier than Data ONTAP 8.2.1. Otherwise, the SSH configuration functionality is permanently disabled and Data ONTAP does not be enable you to manage the SSH configuration settings.