ONTAP 9.16.1 commands

security ssh show

Display SSH configuration options

Availability: This command is available to cluster and Vserver administrators at the admin privilege level.

Description

The `security ssh show` command displays the configurations of the SSH key exchange algorithms, ciphers, MAC algorithms, maximum authentication retry count, host key algorithms and whether the `ssh-rsa` signature scheme is enabled for RSA keys in publickey algorithms, for the cluster and Vservers.

The SSH protocol uses a Diffie-Hellman based key exchange method to establish a shared secret key during the SSH negotiation phase. The key exchange method specifies how one-time session keys are generated for encryption and authentication and how the server authentication takes place. ONTAP supports the `diffie-hellman-group-exchange-sha256`, `diffie-hellman-group16-sha512` and `diffie-hellman-group18-sha512` key exchange algorithms for SHA-2. ONTAP also supports the `diffie-hellman-group-exchange-sha1`, `diffie-hellman-group14-sha1`, and `diffie-hellman-group1-sha1` key exchange algorithms for SHA-1. ONTAP also supports `ecdh-sha2-nistp256`, `ecdh-sha2-nistp384`, `ecdh-sha2-nistp521` and `curve25519-sha256`.

ONTAP also supports the AES and 3DES symmetric encryptions (also known as ciphers) of the following types: `aes256-ctr`, `aes192-ctr`, `aes128-ctr`, `aes256-cbc`, `aes192-cbc`, `aes128-cbc`, `aes128-gcm`, `aes256-gcm` and `3des-cbc`.

ONTAP supports MAC algorithms of the following types: `hmac-sha1`, `hmac-sha1-96`, `hmac-md5`, `hmac-md5-96`, `umac-64`, `umac-128`, `hmac-sha2-256`, `hmac-sha2-512`, `hmac-sha1-etm`, `hmac-sha1-96-etm`, `hmac-sha2-256-etm`, `hmac-sha2-512-etm`, `hmac-md5-etm`, `hmac-md5-96-etm`, `umac-64-etm` and `umac-128-etm`.

ONTAP supports host key algorithms of the following types: `ecdsa-sha2-nistp256`, `ssh-rsa` and `ssh-ed25519`.

Parameters

{ [-fields <fieldname>,…​]

If you specify the -fields <fieldname>, …​ parameter, the command output also includes the specified field or fields. You can use '-fields ?' to display the fields to specify.

| [-instance ] }

If you specify the -instance parameter, the command displays detailed information about all fields.

[-vserver <Vserver Name>] - Vserver

Identifies the Vserver for which you want to display the SSH key exchange algorithms, ciphers, MAC algorithms, maximum authentication retry count, host key algorithms and whether ssh-rsa signature scheme is enabled for RSA keys in publickey algorithms.

[-key-exchange-algorithms <algorithm name>,…​] - Key Exchange Algorithms

Displays the Vserver or Vservers that have the specified key exchange algorithms enabled.

[-ciphers <cipher name>,…​] - Ciphers

Displays the Vserver or Vservers that have the specified ciphers enabled.

[-mac-algorithms <MAC name>,…​] - MAC Algorithms

Displays the Vserver or Vservers that have the specified MAC algorithm or algorithms.

[-max-authentication-retry-count <integer>] - Max Authentication Retry Count

Displays Vservers with a matching maximum authentication retry count value. The default value of this parameter is 6.

[-host-key-algorithms <HostKey Algorithms>,…​] - Host Key Algorithms

Displays Vservers with matching host key algorithms.

[-is-rsa-in-publickey-algorithms-enabled {true|false}] - Is ssh-rsa in Publickey Algorithms Enabled

Identifies whether the ssh-rsa signature scheme, which uses the SHA-1 hash algorithm, is enabled or disabled for RSA keys in publickey algorithms. The default value of this parameter is true.

Examples

The following command displays the enabled SSH ciphers, key exchange algorithms, MAC algorithms and host key algorithms, whether the ssh-rsa signature scheme is enabled for RSA keys in publickey algorithms, and the maximum authentication retry count for the cluster and all Vservers. The cluster settings are used as the default for all newly created Vservers:

cluster1::> security ssh show
                                                                         Is ssh-rsa   Max
                                                                         in Publickey Auth
                            Key Exchange   MAC            Host Key       Algorithms   Retry
Vserver        Ciphers      Algorithms     Algorithms     Algorithms     Enabled      Count
-------------- ------------ -------------- -------------- -------------- ------------ -----
cluster1       aes256-ctr,  curve25519-    hmac-sha1-etm, ecdsa-sha2-    false            4
               3des-cbc     sha256,        hmac-sha2-256- nistp256
                            diffie-        etm,
                            hellman-       hmac-sha2-512
                            group16-sha512
                                                                         Is ssh-rsa   Max
                                                                         in Publickey Auth
                            Key Exchange   MAC            Host Key       Algorithms   Retry
Vserver        Ciphers      Algorithms     Algorithms     Algorithms     Enabled      Count
-------------- ------------ -------------- -------------- -------------- ------------ -----
vs1            aes256-ctr,  diffie-        hmac-sha2-256, ecdsa-sha2-    true             6
               aes192-ctr,  hellman-group- hmac-sha2-512, nistp256,
               aes128-ctr,  exchange-      hmac-sha2-256- ssh-rsa,
               aes128-gcm,  sha256,        etm,           ssh-ed25519
               aes256-gcm   ecdh-sha2-     hmac-sha2-512-
                            nistp256,      etm, umac-64,
                            ecdh-sha2-     umac-128,
                            nistp384,      umac-64-etm,
                            ecdh-sha2-     umac-128-etm
                            nistp521,
                            curve25519-
                            sha256
2 entries were displayed.
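
The table above wraps long algorithm lists across several lines and repeats its header before each Vserver, which makes it awkward to review by eye or with grep. The following Python sketch is an added example, not NetApp code: it rebuilds one record per Vserver from saved `security ssh show` output and lists the SHA-1, MD5, CBC and ssh-rsa entries still enabled. The sample text, the `LEGACY` pattern (this example's own policy) and all function and field names are assumptions.

```python
import re

# Constructed sample in the layout of the page's example output (wrapped cells, repeated header).
SAMPLE = """\
                                                                         Is ssh-rsa   Max
                                                                         in Publickey Auth
                            Key Exchange   MAC            Host Key       Algorithms   Retry
Vserver        Ciphers      Algorithms     Algorithms     Algorithms     Enabled      Count
-------------- ------------ -------------- -------------- -------------- ------------ -----
cluster1       aes256-ctr,  curve25519-    hmac-sha1-etm, ecdsa-sha2-    false            4
               3des-cbc     sha256         hmac-sha2-256- nistp256
                                           etm
                                                                         Is ssh-rsa   Max
                                                                         in Publickey Auth
                            Key Exchange   MAC            Host Key       Algorithms   Retry
Vserver        Ciphers      Algorithms     Algorithms     Algorithms     Enabled      Count
-------------- ------------ -------------- -------------- -------------- ------------ -----
vs1            aes256-ctr,  curve25519-    hmac-sha2-256, ssh-rsa,       true             6
               aes256-gcm   sha256         hmac-sha2-512  ssh-ed25519
2 entries were displayed.
"""

LEGACY = re.compile(r"sha1|md5|-cbc$|^ssh-rsa$")  # example policy, not NetApp guidance
COLUMNS = ["vserver", "ciphers", "kex", "macs", "host_keys", "rsa_sha1", "retries"]

def parse(output):
    """Rebuild one record per Vserver, using the dashed rule to find column bounds."""
    rows, spans = [], None
    for line in output.splitlines():
        if re.fullmatch(r"-+( -+)+", line.strip()):
            spans = [m.span() for m in re.finditer(r"-+", line)]
        elif "Is ssh-rsa" in line or "entries were displayed" in line:
            spans = None  # header or footer: ignore lines until the next dashed rule
        elif spans and line.strip():
            cells = [line[s:e].strip() for s, e in spans]
            if not cells[0]:  # wrapped line: glue each fragment onto the previous row
                cells = [a + b for a, b in zip(rows.pop(), cells)]
            rows.append(cells)
    return {r[0]: dict(zip(COLUMNS, r)) for r in rows}

def audit(output):
    findings = {}
    for name, rec in parse(output).items():
        algos = ",".join(rec[k] for k in COLUMNS[1:5]).split(",")
        hits = [a.strip() for a in algos if LEGACY.search(a.strip())]
        if rec["rsa_sha1"] == "true":
            hits.append("ssh-rsa signatures enabled")
        findings[name] = hits
    return findings
```

Calling `audit()` on captured output returns a dictionary keyed by Vserver; an empty list means none of the patterns in `LEGACY` matched.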