security ssh modify

Modify SSH configuration options

Availability: This command is available to cluster and Vserver administrators at the admin privilege level.

Description

The security ssh modify command replaces the existing configuration of the SSH key exchange algorithms, ciphers, or MAC algorithms for the cluster or a Vserver with the settings you specify. If you modify the cluster configuration settings, they are used as the default for all newly created Vservers.

Data ONTAP supports the diffie-hellman-group-exchange-sha256 key exchange algorithm for SHA-2. Data ONTAP also supports the diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, and diffie-hellman-group1-sha1 SSH key exchange algorithms for SHA-1. The SHA-2 key exchange algorithm is more secure than the SHA-1 key exchange algorithms.

Data ONTAP also supports the AES and 3DES symmetric encryptions (also known as ciphers) of the following types: aes256-ctr, aes192-ctr, aes128-ctr, aes256-cbc, aes192-cbc, aes128-cbc, aes128-gcm, aes256-gcm, and 3des-cbc.

Data ONTAP supports MAC algorithms of the following types: hmac-sha1, hmac-sha1-96, hmac-md5, hmac-md5-96, hmac-ripemd160, umac-64, umac-128, hmac-sha2-256, hmac-sha2-512, hmac-sha1-etm, hmac-sha1-96-etm, hmac-sha2-256-etm, hmac-sha2-512-etm, hmac-md5-etm, hmac-md5-96-etm, hmac-ripemd160-etm, umac-64-etm, and umac-128-etm.

Parameters

-vserver <Vserver Name> - Vserver
Identifies the Vserver for which you want to replace the existing SSH key exchange algorithm and cipher configurations.
[-key-exchange-algorithms <algorithm name>, ...] - Key Exchange Algorithms
Enables the specified SSH key exchange algorithm or algorithms for the Vserver. This parameter also replaces all existing SSH key exchange algorithms with the specified settings.
[-ciphers <cipher name>, ...] - Ciphers
Enables the specified cipher or ciphers for the Vserver. This parameter also replaces all existing ciphers with the specified settings.
[-mac-algorithms <MAC name>, ...] - MAC Algorithms
Enables the specified MAC algorithm or algorithms for the Vserver. This parameter also replaces all existing MAC algorithms with the specified settings.
[-max-authentication-retry-count <integer>] - Max Authentication Retry Count
Modifies the maximum number of authentication retries for the Vserver.

Examples

The following command enables the diffie-hellman-group-exchange-sha256 and diffie-hellman-group14-sha1 key exchange algorithms for the cluster1 Vserver. It also enables the aes256-ctr, aes192-ctr, and aes128-ctr ciphers and the hmac-sha1 and hmac-sha2-256 MAC algorithms, and sets the maximum authentication retry count to 3 for the cluster1 Vserver:
cluster1::> security ssh modify -vserver cluster1 -key-exchange-algorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1 -ciphers aes256-ctr,aes192-ctr,aes128-ctr -mac-algorithms hmac-sha1,hmac-sha2-256 -max-authentication-retry-count 3
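
Because each list parameter replaces the whole existing list, a hardening change has to state the complete set that should remain. The following is an added example, not NetApp code: a Python helper that filters a Vserver's current lists and emits the matching security ssh modify command. The weak-algorithm policy, the function names, and the sample lists are assumptions made for illustration.

```python
# Added example (not from the original page): build a "security ssh modify"
# command that keeps only the stronger entries of a Vserver's current lists.
# ASSUMPTION: this policy is illustrative; adjust it to your own baseline.
WEAK = {
    "key-exchange-algorithms": lambda n: n.endswith("-sha1"),
    "ciphers": lambda n: n.endswith("-cbc"),  # also matches 3des-cbc
    "mac-algorithms": lambda n: "md5" in n or "sha1" in n,
}

def harden(current):
    """Split each list into (kept, dropped), keeping order, removing duplicates."""
    kept, dropped = {}, {}
    for option, is_weak in WEAK.items():
        names = list(dict.fromkeys(current.get(option, [])))
        kept[option] = [n for n in names if not is_weak(n)]
        dropped[option] = [n for n in names if is_weak(n)]
    return kept, dropped

def build_modify_command(vserver, current):
    """Return (command, dropped). Refuse to emit a command with an empty list,
    since each parameter replaces the entire existing list."""
    kept, dropped = harden(current)
    for option, names in kept.items():
        if not names:
            raise ValueError(f"-{option} would be empty; refusing to emit a command")
    args = " ".join(f"-{opt} {','.join(names)}" for opt, names in kept.items())
    return f"security ssh modify -vserver {vserver} {args}", dropped

# Constructed sample of a Vserver's current settings (not real output).
SAMPLE_CURRENT = {
    "key-exchange-algorithms": [
        "diffie-hellman-group-exchange-sha256",
        "diffie-hellman-group14-sha1",
        "diffie-hellman-group1-sha1",
    ],
    "ciphers": ["aes256-ctr", "aes192-ctr", "aes128-ctr", "aes128-cbc", "3des-cbc"],
    "mac-algorithms": ["hmac-sha1", "hmac-sha2-256", "hmac-sha2-512",
                       "hmac-md5", "umac-64", "umac-64"],
}

if __name__ == "__main__":
    command, dropped = build_modify_command("cluster1", SAMPLE_CURRENT)
    print(command)
    for option, names in dropped.items():
        print(f"dropped from -{option}: {', '.join(names) or 'none'}")
```

Review the dropped entries against the SSH clients that connect to the Vserver before applying the command, because a client that offers only a removed algorithm will no longer be able to negotiate a session.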