security ssh modify
Modify SSH configuration options
Availability: This command is available to cluster and Vserver administrators at the admin privilege level.
Description
The `security ssh modify` command replaces the existing configurations of the SSH key exchange algorithms, ciphers, or MAC algorithms for the cluster or a Vserver with the configuration settings you specify. If you modify the cluster configuration settings, they are used as the default for all newly created Vservers.
Data ONTAP supports the diffie-hellman-group-exchange-sha256 key exchange algorithm for SHA-2. Data ONTAP also supports the diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, and diffie-hellman-group1-sha1 SSH key exchange algorithms for SHA-1. The SHA-2 key exchange algorithm is more secure than the SHA-1 key exchange algorithms.
Data ONTAP also supports the AES and 3DES symmetric encryptions (also known as ciphers) of the following types: aes256-ctr, aes192-ctr, aes128-ctr, aes256-cbc, aes192-cbc, aes128-cbc, aes128-gcm, aes256-gcm, and 3des-cbc.
Data ONTAP supports MAC algorithms of the following types: hmac-sha1, hmac-sha1-96, hmac-md5, hmac-md5-96, umac-64, umac-128, hmac-sha2-256, hmac-sha2-512, hmac-sha1-etm, hmac-sha1-96-etm, hmac-sha2-256-etm, hmac-sha2-512-etm, hmac-md5-etm, hmac-md5-96-etm, umac-64-etm, and umac-128-etm.
Parameters
-vserver <Vserver Name> - Vserver
Identifies the Vserver for which you want to replace the existing SSH key exchange algorithm and cipher configurations.
[-key-exchange-algorithms <algorithm name>,…] - Key Exchange Algorithms
Enables the specified SSH key exchange algorithm or algorithms for the Vserver. This parameter also replaces all existing SSH key exchange algorithms with the specified settings.
[-ciphers <cipher name>,…] - Ciphers
Enables the specified cipher or ciphers for the Vserver. This parameter also replaces all existing ciphers with the specified settings.
[-mac-algorithms <MAC name>,…] - MAC Algorithms
Enables the specified MAC algorithm or algorithms for the Vserver. This parameter also replaces all existing MAC algorithms with the specified settings.
[-max-authentication-retry-count <integer>] - Max Authentication Retry Count
Modifies the maximum number of authentication retries for the Vserver.
Examples
The following command enables the diffie-hellman-group-exchange-sha256 and diffie-hellman-group14-sha1 key exchange algorithms for the cluster1 Vserver. It also enables the aes256-ctr, aes192-ctr and aes128-ctr ciphers, hmac-sha1 and hmac-sha2-256 MAC algorithms for the cluster1 Vserver. It also modifies the maximum authentication retry count to 3 for the cluster1 Vserver:
cluster1::> security ssh modify -vserver cluster1 -key-exchange-algorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1 -ciphers aes256-ctr,aes192-ctr,aes128-ctr -mac-algorithms hmac-sha1,hmac-sha2-256 -max-authentication-retry-count 3
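Because each list parameter replaces the whole existing list, it helps to check the requested names before running the command. The following Python helper is an added example, not NetApp code: it validates names against the supported lists on this page and assembles the command line. The names build_modify and LEGACY_MARKERS are hypothetical, and the legacy markers are this example's own review policy, not an ONTAP setting.

```python
# Supported names, copied from the Description section of this page.
SUPPORTED = {
    "key-exchange-algorithms": {
        "diffie-hellman-group-exchange-sha256", "diffie-hellman-group-exchange-sha1",
        "diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"},
    "ciphers": {
        "aes256-ctr", "aes192-ctr", "aes128-ctr", "aes256-cbc", "aes192-cbc",
        "aes128-cbc", "aes128-gcm", "aes256-gcm", "3des-cbc"},
    "mac-algorithms": {
        "hmac-sha1", "hmac-sha1-96", "hmac-md5", "hmac-md5-96", "umac-64",
        "umac-128", "hmac-sha2-256", "hmac-sha2-512", "hmac-sha1-etm",
        "hmac-sha1-96-etm", "hmac-sha2-256-etm", "hmac-sha2-512-etm",
        "hmac-md5-etm", "hmac-md5-96-etm", "umac-64-etm", "umac-128-etm"},
}
# Assumption: substrings this example treats as legacy and reports for review.
LEGACY_MARKERS = ("sha1", "md5", "3des", "-cbc")


def build_modify(vserver, retry_count=None, **requested):
    """Return (command, legacy_names); raise ValueError on a bad list."""
    parts = ["security ssh modify", "-vserver", vserver]
    legacy = []
    for param, supported in SUPPORTED.items():
        names = requested.get(param.replace("-", "_"))
        if names is None:
            continue  # optional parameter not supplied
        unknown = [n for n in names if n not in supported]
        if not names or unknown:
            # The parameter replaces the whole list, so refuse empty or
            # mistyped input instead of emitting a command.
            raise ValueError(f"-{param}: empty list or unsupported names {unknown}")
        legacy += [n for n in names if any(m in n for m in LEGACY_MARKERS)]
        parts += [f"-{param}", ",".join(names)]
    if retry_count is not None:
        parts += ["-max-authentication-retry-count", str(int(retry_count))]
    return " ".join(parts), legacy


if __name__ == "__main__":
    # Rebuilds the command shown in the Examples section and lists the
    # SHA-1 based names it contains.
    cmd, legacy = build_modify(
        "cluster1", retry_count=3,
        key_exchange_algorithms=["diffie-hellman-group-exchange-sha256",
                                 "diffie-hellman-group14-sha1"],
        ciphers=["aes256-ctr", "aes192-ctr", "aes128-ctr"],
        mac_algorithms=["hmac-sha1", "hmac-sha2-256"])
    print(cmd)
    print("legacy names to review:", legacy)
```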