security ssh modify

Modify SSH configuration options

Availability: This command is available to cluster and Vserver administrators at the admin privilege level.

Description

The security ssh modify command replaces the existing configuration of the SSH key exchange algorithms, ciphers, MAC algorithms, maximum authentication retry count, host key algorithms, and the flag controlling whether the ssh-rsa signature scheme is enabled for RSA keys in publickey algorithms, for the cluster or a Vserver, with the settings you specify. If you modify the cluster configuration settings, they are used as the default for all newly created Vservers.

ONTAP supports the diffie-hellman-group-exchange-sha256, diffie-hellman-group16-sha512 and diffie-hellman-group18-sha512 key exchange algorithms for SHA-2, and the diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1 and diffie-hellman-group1-sha1 key exchange algorithms for SHA-1. The SHA-2 key exchange algorithms are more secure than the SHA-1 key exchange algorithms.

ONTAP also supports the following AES and 3DES symmetric encryption algorithms (ciphers): aes256-ctr, aes192-ctr, aes128-ctr, aes256-cbc, aes192-cbc, aes128-cbc, aes128-gcm, aes256-gcm and 3des-cbc.

ONTAP supports the following MAC algorithms: hmac-sha1, hmac-sha1-96, hmac-md5, hmac-md5-96, umac-64, umac-128, hmac-sha2-256, hmac-sha2-512, hmac-sha1-etm, hmac-sha1-96-etm, hmac-sha2-256-etm, hmac-sha2-512-etm, hmac-md5-etm, hmac-md5-96-etm, umac-64-etm and umac-128-etm.

ONTAP supports the following host key algorithms: ecdsa-sha2-nistp256, ssh-rsa and ssh-ed25519.

Parameters

-vserver <Vserver Name> - Vserver

Identifies the Vserver for which you want to replace the existing SSH configurations.

[-key-exchange-algorithms <algorithm name>,…] - Key Exchange Algorithms

Enables the specified SSH key exchange algorithm or algorithms for the Vserver. This parameter also replaces all existing SSH key exchange algorithms with the specified settings.

[-ciphers <cipher name>,…] - Ciphers

Enables the specified cipher or ciphers for the Vserver. This parameter also replaces all existing ciphers with the specified settings.

[-mac-algorithms <MAC name>,…] - MAC Algorithms

Enables the specified MAC algorithm or algorithms for the Vserver. This parameter also replaces all existing MAC algorithms with the specified settings.

[-max-authentication-retry-count <integer>] - Max Authentication Retry Count

Modifies the maximum authentication retry count for the Vserver.

[-host-key-algorithms <HostKey Algorithms>,…] - Host Key Algorithms

Enables the specified host key algorithm or algorithms for the Vserver. This parameter also replaces all existing host key algorithms with the specified settings.

[-is-rsa-in-publickey-algorithms-enabled {true|false}] - Is ssh-rsa in Publickey Algorithms Enabled

Modifies the flag that enables or disables the ssh-rsa signature scheme, which is based on the SHA-1 hash algorithm, for RSA keys in publickey algorithms.

Examples

The following command enables the diffie-hellman-group-exchange-sha256 and diffie-hellman-group14-sha1 key exchange algorithms for the "cluster1" Vserver. It also enables the aes256-ctr, aes192-ctr and aes128-ctr ciphers and the hmac-sha1 and hmac-sha2-256 MAC algorithms for the "cluster1" Vserver. It also disables the ssh-rsa signature scheme for RSA keys in publickey algorithms and sets the maximum authentication retry count to 3 for the "cluster1" Vserver:

cluster1::> security ssh modify -vserver cluster1 -key-exchange-algorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1 -ciphers aes256-ctr,aes192-ctr,aes128-ctr -mac-algorithms hmac-sha1,hmac-sha2-256 -is-rsa-in-publickey-algorithms-enabled false -max-authentication-retry-count 3
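Because every list parameter of security ssh modify replaces the whole existing set rather than removing single entries, a hardening change has to be issued as the complete list of algorithms you want to keep. The following Python script is an added example (not NetApp code and not part of this page) that takes a Vserver's current SSH settings as plain Python lists (constructed inline here; reading them from the cluster is assumed and not shown), reports which enabled algorithms it classifies as weak, and builds the full replacement command. The classification is the example's own policy: SHA-1 key exchange (which the page calls less secure than SHA-2), CBC-mode ciphers including 3des-cbc, and MD5- or SHA-1-based MACs are dropped, and the SHA-1-based ssh-rsa publickey signature scheme is disabled; host key algorithms are left unchanged. The Vserver name "vs1" and the retry cap of 3 are constructed values.

```python
"""Build a hardened `security ssh modify` command for an ONTAP Vserver.

Added example, not NetApp code. Algorithm names are the ones listed on
the page; the weak/strong split below is this example's own policy.
"""
from dataclasses import dataclass, replace
from typing import Dict, List


@dataclass
class SshConfig:
    """One Vserver's SSH settings, mirroring the parameters of the command."""
    vserver: str
    key_exchange_algorithms: List[str]
    ciphers: List[str]
    mac_algorithms: List[str]
    host_key_algorithms: List[str]
    max_authentication_retry_count: int
    is_rsa_in_publickey_algorithms_enabled: bool


# Policy predicates (example's choice): SHA-1 kex, CBC/3DES ciphers and
# MD5- or SHA-1-based MACs (including their -etm variants) are weak.
def is_weak_kex(name: str) -> bool:
    return name.endswith("-sha1")


def is_weak_cipher(name: str) -> bool:
    return name.endswith("-cbc")


def is_weak_mac(name: str) -> bool:
    return "md5" in name or "sha1" in name


def weak_entries(cfg: SshConfig) -> Dict[str, List[str]]:
    """Audit view: currently enabled algorithms the policy flags, per parameter."""
    return {
        "key-exchange-algorithms": [a for a in cfg.key_exchange_algorithms if is_weak_kex(a)],
        "ciphers": [c for c in cfg.ciphers if is_weak_cipher(c)],
        "mac-algorithms": [m for m in cfg.mac_algorithms if is_weak_mac(m)],
    }


def harden(cfg: SshConfig, max_retries: int = 3) -> SshConfig:
    """Return a copy with weak entries removed, ssh-rsa signatures disabled and
    the retry count capped. Refuses to empty any list: since the command
    replaces the whole set, an empty list would disable that entire class."""
    kex = [a for a in cfg.key_exchange_algorithms if not is_weak_kex(a)]
    ciphers = [c for c in cfg.ciphers if not is_weak_cipher(c)]
    macs = [m for m in cfg.mac_algorithms if not is_weak_mac(m)]
    for label, items in (("key exchange algorithms", kex), ("ciphers", ciphers), ("MAC algorithms", macs)):
        if not items:
            raise ValueError(f"hardening would leave no {label} enabled; not building a command")
    return replace(
        cfg,
        key_exchange_algorithms=kex,
        ciphers=ciphers,
        mac_algorithms=macs,
        max_authentication_retry_count=min(cfg.max_authentication_retry_count, max_retries),
        is_rsa_in_publickey_algorithms_enabled=False,
    )


def build_modify_command(cfg: SshConfig) -> str:
    """Render the config as one `security ssh modify` invocation (lists are comma-separated)."""
    flag = "true" if cfg.is_rsa_in_publickey_algorithms_enabled else "false"
    return " ".join([
        "security ssh modify",
        f"-vserver {cfg.vserver}",
        "-key-exchange-algorithms " + ",".join(cfg.key_exchange_algorithms),
        "-ciphers " + ",".join(cfg.ciphers),
        "-mac-algorithms " + ",".join(cfg.mac_algorithms),
        "-host-key-algorithms " + ",".join(cfg.host_key_algorithms),
        f"-max-authentication-retry-count {cfg.max_authentication_retry_count}",
        f"-is-rsa-in-publickey-algorithms-enabled {flag}",
    ])


# Constructed sample: a Vserver with every algorithm the page lists enabled.
CURRENT = SshConfig(
    vserver="vs1",
    key_exchange_algorithms=[
        "diffie-hellman-group-exchange-sha256", "diffie-hellman-group16-sha512",
        "diffie-hellman-group18-sha512", "diffie-hellman-group-exchange-sha1",
        "diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1",
    ],
    ciphers=["aes256-ctr", "aes192-ctr", "aes128-ctr", "aes256-cbc", "aes192-cbc",
             "aes128-cbc", "aes128-gcm", "aes256-gcm", "3des-cbc"],
    mac_algorithms=["hmac-sha1", "hmac-sha1-96", "hmac-md5", "hmac-md5-96", "umac-64",
                    "umac-128", "hmac-sha2-256", "hmac-sha2-512", "hmac-sha1-etm",
                    "hmac-sha1-96-etm", "hmac-sha2-256-etm", "hmac-sha2-512-etm",
                    "hmac-md5-etm", "hmac-md5-96-etm", "umac-64-etm", "umac-128-etm"],
    host_key_algorithms=["ecdsa-sha2-nistp256", "ssh-rsa", "ssh-ed25519"],
    max_authentication_retry_count=6,
    is_rsa_in_publickey_algorithms_enabled=True,
)

if __name__ == "__main__":
    for param, weak in weak_entries(CURRENT).items():
        print(f"{param}: weak entries enabled: {', '.join(weak) or 'none'}")
    print(build_modify_command(harden(CURRENT)))
```

Before applying the printed command, confirm that the SSH clients and automation that reach the Vserver support the remaining algorithms; the same replace-everything semantics that lets the script drop weak entries also means an overly narrow list can lock out every client that cannot negotiate it.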