Cannot access the CLI or System Manager via SSH after enabling FIPS
Environment
- ONTAP 9
- FIPS
- System Manager
Issue
- Cannot connect to the CLI over SSH after enabling FIPS:
Error:
Connection closed by remote host
- Cannot access System Manager.
Error:
ERR_CONNECTION_REFUSED
- Message log:
0000007f.0000f36f 0011291c Sat Aug 17 2024 22:19:55 +00:00 [daemon:info] 1 2024-08-17T22:19:55.832894+00:00 node-01 xinetd 8031 - - START: ssh pid=83265 from=::ffff:10.93.176.67 vsid=-1 role=0x20
0000007f.0000f370 0011291c Sat Aug 17 2024 22:19:55 +00:00 [auth:error] 1 2024-08-17T22:19:55.865010+00:00 node-01 sshd 83265 - - error: Unsupported KEX algorithm "diffie-hellman-group14-sha1"
0000007f.0000f371 0011291c Sat Aug 17 2024 22:19:55 +00:00 [auth:CRITICAL] 1 2024-08-17T22:19:55.865263+00:00 node-01 sshd 83265 - - fatal: /etc/ssh/sshd_config line 103: Bad SSH2 KexAlgorithms 'diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,curve25519-sha256@libssh.org'.
0000007f.0000f372 0011291c Sat Aug 17 2024 22:19:55 +00:00 [daemon:info] 1 2024-08-17T22:19:55.865922+00:00 node-01 xinetd 8031 - - EXIT: ssh status=255 pid=83265 duration=0(sec)
- The admin SVM is not listed in security ssh show
Cluster::*> security ssh show
                          Key Exchange MAC            Max Authentication
Vserver        Ciphers    Algorithms   Algorithms     Retry Count
-------------- ---------- ------------ -------------- ------------------
svm1           aes256-    diffie-      hmac-sha2-256, 6
               ctr,       hellman-     hmac-sha2-256-
               aes192-    group-       etm,
               ctr,       exchange-    hmac-sha2-512,
               aes128-    sha256,      hmac-sha2-512-
               ctr,       ecdh-sha2-   etm, umac-64,
               aes128-    nistp256,    umac-128,
               gcm,       ecdh-sha2-   umac-64-etm,
               aes256-gcm nistp384,    umac-128-etm
                          ecdh-sha2-
                          nistp521,
                          curve25519-
                          sha256
svm1           aes256-    diffie-      hmac-sha2-256, 6
               ctr,       hellman-     hmac-sha2-256-
               aes192-    group-       etm,
               ctr,       exchange-    hmac-sha2-512,
               aes128-    sha256,      hmac-sha2-512-
               ctr,       ecdh-sha2-   etm, umac-64,
               aes128-    nistp256,    umac-128,
               gcm,       ecdh-sha2-   umac-64-etm,
               aes256-gcm nistp384,    umac-128-etm
                          ecdh-sha2-
                          nistp521,
                          curve25519-
                          sha256
svm3           aes256-    diffie-      hmac-sha2-256, 6
               ctr,       hellman-     hmac-sha2-256-
               aes192-    group-       etm,
               ctr,       exchange-    hmac-sha2-512,
               aes128-    sha256,      hmac-sha2-512-
               ctr,       ecdh-sha2-   etm, umac-64,
               aes128-    nistp256,    umac-128,
               gcm,       ecdh-sha2-   umac-64-etm,
               aes256-gcm nistp384,    umac-128-etm
                          ecdh-sha2-
                          nistp521,
                          curve25519-
                          sha256
3 entries were displayed.
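
The message log shown above can be triaged mechanically. The following is an added example, not NetApp code: it correlates the xinetd and sshd records by sshd pid to report which client was dropped, which KEX algorithm sshd rejected, and the sshd_config line that lists it. The sample input is the four records from this page's message log; the function and field names are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Sample input: the four records from this page's message log.
SAMPLE_LOG = """\
0000007f.0000f36f 0011291c Sat Aug 17 2024 22:19:55 +00:00 [daemon:info] 1 2024-08-17T22:19:55.832894+00:00 node-01 xinetd 8031 - - START: ssh pid=83265 from=::ffff:10.93.176.67 vsid=-1 role=0x20
0000007f.0000f370 0011291c Sat Aug 17 2024 22:19:55 +00:00 [auth:error] 1 2024-08-17T22:19:55.865010+00:00 node-01 sshd 83265 - - error: Unsupported KEX algorithm "diffie-hellman-group14-sha1"
0000007f.0000f371 0011291c Sat Aug 17 2024 22:19:55 +00:00 [auth:CRITICAL] 1 2024-08-17T22:19:55.865263+00:00 node-01 sshd 83265 - - fatal: /etc/ssh/sshd_config line 103: Bad SSH2 KexAlgorithms 'diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,curve25519-sha256@libssh.org'.
0000007f.0000f372 0011291c Sat Aug 17 2024 22:19:55 +00:00 [daemon:info] 1 2024-08-17T22:19:55.865922+00:00 node-01 xinetd 8031 - - EXIT: ssh status=255 pid=83265 duration=0(sec)
"""

# Patterns for the xinetd and sshd records (names are illustrative).
START = re.compile(r"xinetd \d+ - - START: ssh pid=(\d+) from=(\S+)")
EXIT = re.compile(r"xinetd \d+ - - EXIT: ssh status=(\d+) pid=(\d+)")
UNSUPPORTED = re.compile(r'sshd (\d+) - - error: Unsupported KEX algorithm "([^"]+)"')
BAD_KEX = re.compile(r"sshd (\d+) - - fatal: (\S+) line (\d+): Bad SSH2 KexAlgorithms '([^']+)'")


def correlate(log_text):
    """Group records by sshd pid and return the sessions that failed."""
    sessions = defaultdict(lambda: {"client": None, "rejected": [], "config": None,
                                    "line": None, "configured": [], "status": None})
    for record in log_text.splitlines():
        if m := START.search(record):
            sessions[m.group(1)]["client"] = m.group(2)
        elif m := UNSUPPORTED.search(record):
            sessions[m.group(1)]["rejected"].append(m.group(2))
        elif m := BAD_KEX.search(record):
            s = sessions[m.group(1)]
            s["config"], s["line"] = m.group(2), int(m.group(3))
            s["configured"] = m.group(4).split(",")
        elif m := EXIT.search(record):
            sessions[m.group(2)]["status"] = int(m.group(1))
    # A session failed if sshd rejected an algorithm or exited non-zero.
    return {pid: s for pid, s in sessions.items() if s["rejected"] or s["status"]}


if __name__ == "__main__":
    for pid, s in correlate(SAMPLE_LOG).items():
        print(f"sshd pid {pid}: client {s['client']} dropped, exit status {s['status']}")
        for alg in s["rejected"]:
            where = "listed" if alg in s["configured"] else "not listed"
            print(f"  rejected KEX {alg} ({where} at {s['config']} line {s['line']})")
```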