security ssh show
Display SSH configuration options
Availability: This command is available to cluster and Vserver administrators at the admin privilege level.
Description
The ` security ssh show` command displays the configurations of the SSH key exchange algorithms, ciphers, MAC algorithms, maximum authentication retry count, host key algorithms and whether ``_ssh-rsa_`` signature scheme is enabled for RSA keys in publickey algorithms, for the cluster and Vservers. The SSH protocol uses a Diffie-Hellman based key exchange method to establish a shared secret key during the SSH negotiation phrase. The key exchange method specifies how one-time session keys are generated for encryption and authentication and how the server authentication takes place. ONTAP supports the ``_diffie-hellman-group-exchange-sha256_`` , ``_diffie-hellman-group16-sha512_`` and ``_diffie-hellman-group18-sha512_`` key exchange algorithms for SHA-2. ONTAP also supports the ``_diffie-hellman-group-exchange-sha1_`` , ``_diffie-hellman-group14-sha1_`` , and ``_diffie-hellman-group1-sha1_`` key exchange algorithms for SHA-1. ONTAP also supports ``_ecdh-sha2-nistp256_`` , ``_ecdh-sha2-nistp384_`` , ``_ecdh-sha2-nistp521_`` and ``_curve25519-sha256_`` . ONTAP also supports the AES and 3DES symmetric encryptions (also known as ciphers) of the following types: ``_aes256-ctr_`` , ``_aes192-ctr_`` , ``_aes128-ctr_`` , ``_aes256-cbc_`` , ``_aes192-cbc_`` , ``_aes128-cbc_`` , ``_aes128-gcm_`` , ``_aes256-gcm_`` and ``_3des-cbc_`` . ONTAP supports MAC algorithms of the following types: ``_hmac-sha1_`` , ``_hmac-sha1-96_`` , ``_hmac-md5_`` , ``_hmac-md5-96_`` , ``_umac-64_`` , ``_umac-128_`` , ``_hmac-sha2-256_`` , ``_hmac-sha2-512_`` , ``_hmac-sha1-etm_`` , ``_hmac-sha1-96-etm_`` , ``_hmac-sha2-256-etm_`` , ``_hmac-sha2-512-etm_`` , ``_hmac-md5-etm_`` , ``_hmac-md5-96-etm_`` , ``_umac-64-etm_`` and ``_umac-128-etm_`` . ONTAP supports host key algorithms of the following types: ``_ecdsa-sha2-nistp256_`` , ``_ssh-rsa_`` and ``_ssh-ed25519_`` .
Parameters
- {
[-fields <fieldname>,…]
-
If you specify the
-fields <fieldname>, …
parameter, the command output also includes the specified field or fields. You can use '-fields ?' to display the fields to specify. - |
[-instance ]
} -
If you specify the
-instance
parameter, the command displays detailed information about all fields. [-vserver <Vserver Name>]
- Vserver-
Identifies the Vserver for which you want to display the SSH key exchange algorithms, ciphers, MAC algorithms, maximum authentication retry count, host key algorithms and whether
ssh-rsa
signature scheme is enabled for RSA keys in publickey algorithms. [-key-exchange-algorithms <algorithm name>,…]
- Key Exchange Algorithms-
Displays the Vserver or Vservers that have the specified key exchange algorithms enabled.
[-ciphers <cipher name>,…]
- Ciphers-
Displays the Vserver or Vservers that have the specified ciphers enabled.
[-mac-algorithms <MAC name>,…]
- MAC Algorithms-
Displays the Vserver or Vservers that have the specified MAC algorithm or algorithms.
[-max-authentication-retry-count <integer>]
- Max Authentication Retry Count-
Displays Vservers with a matching maximum authentication retry count value. The default value of this parameter is
6
. [-host-key-algorithms <HostKey Algorithms>,…]
- Host Key Algorithms-
Displays Vservers with matching host key algorithms.
[-is-rsa-in-publickey-algorithms-enabled {true|false}]
- Is ssh-rsa in Publickey Algorithms Enabled-
Identifies whether
ssh-rsa
signature scheme, which uses the SHA-1 hash algorithm, is enabled or disabled for RSA keys in publickey algorithms. The default value of this parameter istrue
.
Examples
The following command displays the enabled SSH ciphers, key exchange algorithms, MAC algorithms, host key algorithms, whether ssh-rsa
signature scheme is enabled for RSA keys in publickey algorithms and maximum number of authentication retry count for the cluster and all Vservers. The cluster settings are used as the default for all newly created Vservers:
cluster1::> security ssh show Is ssh-rsa Max in Publickey Auth Key Exchange MAC Host Key Algorithms Retry Vserver Ciphers Algorithms Algorithms Algorithms Enabled Count -------------- ------------ -------------- -------------- -------------- ------------ ----- cluster1 aes256-ctr, curve25519- hmac-sha1-etm, ecdsa-sha2- false 4 3des-cbc sha256, hmac-sha2-256- nistp256 diffie- etm, hellman- hmac-sha2-512 group16-sha512 Is ssh-rsa Max in Publickey Auth Key Exchange MAC Host Key Algorithms Retry Vserver Ciphers Algorithms Algorithms Algorithms Enabled Count -------------- ------------ -------------- -------------- -------------- ------------ ----- vs1 aes256-ctr, diffie- hmac-sha2-256, ecdsa-sha2- true 6 aes192-ctr, hellman-group- hmac-sha2-512, nistp256, aes128-ctr, exchange- hmac-sha2-256- ssh-rsa, aes128-gcm, sha256, etm, ssh-ed25519 aes256-gcm ecdh-sha2- hmac-sha2-512- nistp256, etm, umac-64, ecdh-sha2- umac-128, nistp384, umac-64-etm, ecdh-sha2- umac-128-etm nistp521, curve25519- sha256 2 entries were displayed.