Considerations for session-oriented protocols

Contributors netapp-forry

If SSL FIPS mode is enabled on a cluster where administrator accounts authenticate with an SSH public key, you must ensure that the host key algorithm is supported on the target release before upgrading ONTAP.

Note: Host key algorithm support has changed in ONTAP 9.11.1 and later releases.

ONTAP release

Supported key types

Unsupported key types

9.11.1 and later

ecdsa-sha2-nistp256

rsa-sha2-512
rsa-sha2-256
ssh-ed25519
ssh-dss
ssh-rsa

9.10.1 and earlier

ecdsa-sha2-nistp256
ssh-ed25519

ssh-dss
ssh-rsa

Existing SSH public key accounts without the supported key algorithms must be reconfigured with a supported key type before enabling upgrading, or administrator authentication will fail.

Learn more about enabling SSH public key accounts.