security ssh modify
Modify SSH configuration options
Availability: This command is available to cluster and Vserver administrators at the admin privilege level.
Description
The security ssh modify command replaces the existing configuration of the SSH key exchange algorithms, ciphers, MAC algorithms, maximum authentication retry count, host key algorithms, and whether the ssh-rsa signature scheme is enabled for RSA keys in publickey algorithms, for the cluster or a Vserver, with the settings you specify. Each list parameter replaces the whole list, so name every algorithm that should remain enabled, not only the ones you are adding. If you modify the cluster configuration settings, they are used as the default for all newly created Vservers.

ONTAP supports the diffie-hellman-group-exchange-sha256, diffie-hellman-group16-sha512 and diffie-hellman-group18-sha512 key exchange algorithms for SHA-2. ONTAP also supports the diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1 and diffie-hellman-group1-sha1 key exchange algorithms for SHA-1. The SHA-2 key exchange algorithms are more secure than the SHA-1 key exchange algorithms.

ONTAP supports the AES and 3DES symmetric encryption algorithms (ciphers) of the following types: aes256-ctr, aes192-ctr, aes128-ctr, aes256-cbc, aes192-cbc, aes128-cbc, aes128-gcm, aes256-gcm and 3des-cbc.

ONTAP supports MAC algorithms of the following types: hmac-sha1, hmac-sha1-96, hmac-md5, hmac-md5-96, umac-64, umac-128, hmac-sha2-256, hmac-sha2-512, hmac-sha1-etm, hmac-sha1-96-etm, hmac-sha2-256-etm, hmac-sha2-512-etm, hmac-md5-etm, hmac-md5-96-etm, umac-64-etm and umac-128-etm. Among the ciphers and MACs, prefer the CTR and GCM ciphers and the SHA-2 MACs; the CBC modes, 3des-cbc, and the MD5 and truncated (-96) MACs are weaker and should be enabled only for clients that require them.

ONTAP supports host key algorithms of the following types: ecdsa-sha2-nistp256, ssh-rsa and ssh-ed25519.
Parameters
-vserver <Vserver Name>
- Vserver-
Identifies the Vserver for which you want to replace the existing SSH configurations.
[-key-exchange-algorithms <algorithm name>,…]
- Key Exchange Algorithms-
Enables the specified SSH key exchange algorithm or algorithms for the Vserver. This parameter also replaces all existing SSH key exchange algorithms with the specified settings.
[-ciphers <cipher name>,…]
- Ciphers-
Enables the specified cipher or ciphers for the Vserver. This parameter also replaces all existing ciphers with the specified settings.
[-mac-algorithms <MAC name>,…]
- MAC Algorithms-
Enables the specified MAC algorithm or algorithms for the Vserver. This parameter also replaces all existing MAC algorithms with the specified settings.
[-max-authentication-retry-count <integer>]
- Max Authentication Retry Count-
Modifies the maximum number of authentication retries permitted for the Vserver.
[-host-key-algorithms <HostKey Algorithms>,…]
- Host Key Algorithms-
Enables the specified host key algorithm or algorithms for the Vserver. This parameter also replaces all existing host key algorithms with the specified settings.
[-is-rsa-in-publickey-algorithms-enabled {true|false}]
- Is ssh-rsa in Publickey Algorithms Enabled-
Modifies the flag that enables or disables the ssh-rsa signature scheme, which is based on the SHA-1 hash algorithm, for RSA keys in publickey algorithms. Set it to false to reject SHA-1 signatures from RSA user keys.
Examples
The following command enables the diffie-hellman-group-exchange-sha256 and diffie-hellman-group14-sha1 key exchange algorithms for the "cluster1" Vserver. It also enables the aes256-ctr, aes192-ctr and aes128-ctr ciphers and the hmac-sha1 and hmac-sha2-256 MAC algorithms for the "cluster1" Vserver, disables the ssh-rsa signature scheme for RSA keys in publickey algorithms, and sets the maximum authentication retry count to 3. Note that diffie-hellman-group14-sha1 and hmac-sha1 are SHA-1 based algorithms; omit them from the lists if no client still requires them:
cluster1::> security ssh modify -vserver cluster1 -key-exchange-algorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1 -ciphers aes256-ctr,aes192-ctr,aes128-ctr -mac-algorithms hmac-sha1,hmac-sha2-256 -is-rsa-in-publickey-algorithms-enabled false -max-authentication-retry-count 3
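Because security ssh modify replaces the whole algorithm lists, the practical check after running it is to look at what a client actually negotiates, not at the lists you typed. The script below is an added example, not part of the ONTAP documentation or NetApp's tooling: it reads the debug output of an OpenSSH client (`ssh -vv`), extracts the "kex:" lines that record the negotiated key exchange, host key, cipher and MAC, and grades them by the criteria given in the description above (SHA-1 key exchange, CBC and 3DES ciphers, MD5 and SHA-1 MACs, the ssh-rsa host key). The admin user name, the host "cluster1", the 192.0.2.10 address and the two sample sessions are constructed for the example; the line formats are OpenSSH's own.

```shell
#!/bin/sh
# Added example, not part of the ONTAP documentation: check which algorithms an
# OpenSSH client actually negotiated with an ONTAP node after `security ssh modify`.
# The "weak" classification follows the page above: SHA-1 key exchange, CBC and
# 3DES ciphers, MD5 and SHA-1 MACs (including the truncated -96 variants), and the
# SHA-1 based ssh-rsa host key / signature scheme. Input is the debug output of
# `ssh -vv`, whose "debug1: kex: ..." lines are the client's record of the choice.

# Return 0 if the algorithm name is weak by the criteria above, 1 otherwise.
is_weak_alg() {
    case "$1" in
        *sha1*|*-cbc|*3des*|*md5*|*-96|*-96-etm*|ssh-rsa|ssh-dss) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "<category> <algorithm> WEAK|ok"; return 1 for WEAK so callers can tally.
report() {
    if is_weak_alg "$2"; then
        printf '%-8s %-36s WEAK\n' "$1" "$2"; return 1
    fi
    printf '%-8s %-36s ok\n' "$1" "$2"
}

# Read `ssh -vv` output on stdin, report every negotiated algorithm, and return 1
# if any of them is weak (so the function can gate a hardening pipeline).
audit_ssh_negotiation() {
    weak=0
    while IFS= read -r line; do
        case "$line" in
            *"kex: algorithm: "*)
                report kex "${line##*kex: algorithm: }" || weak=1 ;;
            *"kex: host key algorithm: "*)
                report hostkey "${line##*kex: host key algorithm: }" || weak=1 ;;
            *"kex: server->client cipher: "*|*"kex: client->server cipher: "*)
                rest=${line##*cipher: }
                cipher=${rest%% MAC:*}
                mac=${rest##*MAC: }
                mac=${mac%% compression:*}
                report cipher "$cipher" || weak=1
                # AEAD ciphers such as aes256-gcm carry their own tag; OpenSSH then
                # prints "<implicit>" instead of a MAC name and there is nothing to grade.
                [ "$mac" = "<implicit>" ] || report mac "$mac" || weak=1 ;;
        esac
    done
    return "$weak"
}

# Constructed sample sessions (not captured from a real ONTAP node), in the line
# format OpenSSH prints at verbosity -v or higher. Host, user and address are made up.
SAMPLE_WEAK='debug1: Connecting to cluster1 [192.0.2.10] port 22.
debug2: KEX algorithms: diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256
debug1: kex: algorithm: diffie-hellman-group14-sha1
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes256-ctr MAC: hmac-sha1 compression: none
debug1: kex: client->server cipher: aes256-ctr MAC: hmac-sha1 compression: none'

SAMPLE_STRONG='debug1: kex: algorithm: diffie-hellman-group16-sha512
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: aes256-ctr MAC: hmac-sha2-256 compression: none'

# Stand-alone run: audit the constructed weak sample. Against a real node, source
# this file and run:  ssh -vv admin@cluster1 version 2>&1 | audit_ssh_negotiation
printf '%s\n' "$SAMPLE_WEAK" | audit_ssh_negotiation \
    || echo "RESULT: weak algorithms negotiated; tighten the security ssh modify lists"
```

Run the audit from a second session while the one you used for security ssh modify stays open: if a typo in a list leaves the node with no algorithm your client supports, the open session is the way back. The complementary negative check is to offer only an algorithm you intended to remove, for example `ssh -o KexAlgorithms=diffie-hellman-group1-sha1 admin@cluster1` on a client that still supports it; after hardening it should fail with OpenSSH's "no matching key exchange method found" error, and the server's remaining offer is printed in that message.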