Managing SSH security configurations means managing the SSH key exchange algorithms and the data encryption algorithms (ciphers) that the SSH server will negotiate. Data ONTAP lets you enable or disable individual SSH key exchange algorithms and ciphers for the cluster or for Storage Virtual Machines (SVMs) according to their SSH security requirements.
Data ONTAP supports the following SSH security configurations for the cluster and SVMs:

SSH key exchange algorithms: SHA-2 based key exchange algorithms are more secure than SHA-1 based ones. Data ONTAP, acting as the SSH server, offers the client only the algorithms that are enabled; the negotiated algorithm is then the first one in the client's preference list that the server also has enabled (RFC 4253), so the server cannot guarantee a SHA-2 key exchange while SHA-1 algorithms remain enabled. To enforce SHA-2 key exchange, disable the SHA-1 algorithms and leave only the SHA-2 algorithm enabled.

Ciphers: The CTR mode ciphers are more secure than the CBC mode ciphers (CBC as used in SSH has a known plaintext-recovery weakness). Among ciphers of the same mode, the larger the key size, the more secure the cipher. Of the ciphers that Data ONTAP supports, aes256-ctr is the most secure and 3des-cbc the least secure.
You can manage the SSH key exchange algorithms and ciphers for the cluster and SVMs in the following ways:

Display the current configuration. The enabled SSH key exchange algorithms are listed in order of decreasing security strength. The enabled CTR mode ciphers (more secure) are listed before the CBC mode ciphers (less secure), and within each mode the ciphers are listed in order of decreasing key size.

Modify the configuration by replacing the enabled set. If you modify the SSH key exchange algorithm or cipher configuration of the cluster, the change also applies to all subsequently created SVMs (existing SVMs keep their own configuration).

Add key exchange algorithms or ciphers. The added SSH key exchange algorithms or ciphers are enabled. If you add them to the cluster configuration, the change also applies to all subsequently created SVMs.

Remove key exchange algorithms or ciphers. The removed SSH key exchange algorithms or ciphers are disabled. If you remove them from the cluster configuration, the change also applies to all subsequently created SVMs.

Data ONTAP prevents you from removing all SSH key exchange algorithms or all ciphers from the cluster or from an SVM, so a remove operation cannot leave the SSH server with nothing to negotiate.
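The display ordering and the hardening advice above, worked through in code. This is an added example, not NetApp code and not output from the ONTAP CLI: the algorithm lists are constructed to resemble the enabled set on a fresh system (an assumption), the `security ssh modify` parameter names `-vserver`, `-key-exchange-algorithms` and `-ciphers` come from the ONTAP CLI rather than from this page and should be checked with `?` on your release, and the ordering of the SHA-1 Diffie-Hellman groups by modulus size goes beyond the page's SHA-2 over SHA-1 rule. The `harden` function mirrors the rule that neither list may be emptied.

```python
"""Rank, harden and render Data ONTAP SSH key exchange and cipher settings.

Added example, not NetApp code. Sample inputs are constructed.
"""
import re

# Constructed sample: the enabled lists as read off `security ssh show`,
# deliberately out of order so the ranking functions have work to do.
SAMPLE_KEX = [
    "diffie-hellman-group1-sha1",
    "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group14-sha1",
    "diffie-hellman-group-exchange-sha1",
]
SAMPLE_CIPHERS = [
    "3des-cbc", "aes128-cbc", "aes256-ctr", "aes192-cbc",
    "aes128-ctr", "aes256-cbc", "aes192-ctr",
]

# Diffie-Hellman group strength, strongest first. The page only orders SHA-2
# above SHA-1; ranking groups by modulus size (group-exchange negotiates the
# size, group14 is 2048-bit, group1 is 1024-bit) is an addition here.
_DH_GROUP_RANK = {"group-exchange": 3, "group14": 2, "group1": 1}


def kex_rank(name: str) -> tuple:
    """Sort key for a key exchange algorithm; a larger tuple is stronger.
    First element: SHA-2 (True) outranks SHA-1 (False), as the page states."""
    m = re.fullmatch(r"diffie-hellman-(group-exchange|group\d+)-sha(\d+)", name)
    if not m:
        raise ValueError(f"unrecognised key exchange algorithm: {name}")
    group, sha_bits = m.group(1), int(m.group(2))
    return (sha_bits > 1, _DH_GROUP_RANK.get(group, 0))


def cipher_rank(name: str) -> tuple:
    """Sort key for a cipher: CTR outranks CBC, then larger key size wins."""
    m = re.fullmatch(r"(aes(\d+)|3des)-(ctr|cbc)", name)
    if not m:
        raise ValueError(f"unrecognised cipher: {name}")
    # 3DES carries a 168-bit key but offers roughly 112 bits of strength;
    # any value below 128 keeps it last among the CBC ciphers, as the page says.
    key_bits = int(m.group(2)) if m.group(2) else 112
    return (m.group(3) == "ctr", key_bits)


def order_kex(kex):
    """Key exchange algorithms in the order the page describes for display."""
    return sorted(kex, key=kex_rank, reverse=True)


def order_ciphers(ciphers):
    """Ciphers in display order: CTR before CBC, decreasing key size within each."""
    return sorted(ciphers, key=cipher_rank, reverse=True)


def harden(kex, ciphers):
    """Keep only SHA-2 key exchange and CTR ciphers, strongest first.
    Like Data ONTAP, refuse to leave either list empty."""
    strong_kex = [k for k in order_kex(kex) if kex_rank(k)[0]]
    strong_ciphers = [c for c in order_ciphers(ciphers) if cipher_rank(c)[0]]
    if not strong_kex or not strong_ciphers:
        raise ValueError("hardening would disable every key exchange algorithm or cipher")
    return strong_kex, strong_ciphers


def modify_command(vserver, kex, ciphers):
    """Render the `security ssh modify` line that replaces the enabled sets.
    Parameter names are taken from the ONTAP CLI, not from this page (assumption)."""
    return (f"security ssh modify -vserver {vserver} "
            f"-key-exchange-algorithms {','.join(kex)} "
            f"-ciphers {','.join(ciphers)}")


if __name__ == "__main__":
    print("enabled, in display order:")
    print("  kex:    ", ", ".join(order_kex(SAMPLE_KEX)))
    print("  ciphers:", ", ".join(order_ciphers(SAMPLE_CIPHERS)))
    kex, ciphers = harden(SAMPLE_KEX, SAMPLE_CIPHERS)
    print(modify_command("cluster1", kex, ciphers))
```

Before applying the generated command, confirm that every management client still shares at least one key exchange algorithm and one cipher with the server; an OpenSSH client can be pinned to the hardened set for a test login with `-o KexAlgorithms=diffie-hellman-group-exchange-sha256 -o Ciphers=aes256-ctr`. Remember that a change made on the cluster only reaches SVMs created afterwards, so run the same command against each existing SVM that should be hardened.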
If you downgrade or revert to a release earlier than Data ONTAP 8.2.1, Data ONTAP prompts you to run a command that resets the SSH security configurations of the cluster and all SVMs to the following default settings of the earlier release: