Dell Unity: How to Disable MAC Algorithms and Ciphers for SFTP-enabled NAS servers

Summary: How to disable less secure MAC algorithms and ciphers for SFTP-enabled NAS servers. (User Correctable)


Instructions

Unity provides parameters to customize the MAC algorithms and ciphers provided by the SSHD instance running on SFTP-enabled NAS servers. It may be preferable to disable less-secure ciphers identified by security scanning software.

Since there is no sshd_config file that can be edited for the SFTP-enabled NAS server, Unity provides two parameters as a replacement for the standard functionality. To see information about these parameters and their current settings, run these commands:

svc_nas ALL -param -f sshd -i cipher
svc_nas ALL -param -f sshd -i mac

These parameters provide the same functionality as editing the cipher and macs values in sshd_config on a standard Linux or UNIX host running a standard OpenSSH server implementation. The comma-delimited formatting used for those values in that configuration file can also be used in the values provided to the commands used to set these parameters.

To see the ciphers and MAC algorithms that can be used with these parameters, run the following command from a client host:

NOTE:
  • "ivan2" is a default user, but any preferred user can be used.
  • "5.6.7.14" is an example IP address of the SFTP-enabled NAS server.
  • This command initiates an SSH connection. Use a ctrl+c key sequence to disconnect when prompted for a password, or respond with "no" if a prompt saying "Are you sure you want to continue connecting?" is received.
# ssh -vvv ivan2@5.6.7.14 2>&1 | grep -E "MAC|cipher"
debug2: ciphers ctos: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc
debug2: ciphers stoc: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc
debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug1: kex: server->client cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none
Any of the ciphers listed on the second line of the output (ciphers stoc) should be valid inputs for the cipher parameter change. Any of the algorithms listed on the fourth line (MACs stoc) should be valid inputs for the MAC parameter change.

In this example, the parameter is set to only allow the hmac-sha2-512-etm@openssh.com MAC algorithm:
svc_nas ALL -param -f sshd -m mac -v hmac-sha2-512-etm@openssh.com

NOTE: To allow multiple MAC algorithms, use a comma-separated list:

svc_nas ALL -param -f sshd -m mac -v hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com

CAUTION: The system may allow you to specify invalid MAC algorithms, locking all users out of the SFTP server. Take care to specify a correct algorithm.

The parameters must be set globally and may require an SP or NAS server reboot to fully take effect. To validate that the change is working, run an sftp command that specifies a MAC algorithm which was disabled, together with a non-AEAD cipher, as shown below:
# sftp -oMACs=hmac-sha1 -oCiphers=aes256-ctr ivan2@5.6.7.14
Unable to negotiate with 5.6.7.14 port 22: no matching MAC found. Their offer: hmac-sha2-512-etm@openssh.com
Connection closed.
Connection closed
In the above output, the SFTP server refuses the connection because the MAC algorithm hmac-sha1 is disabled and the client is not using an AEAD cipher, which would provide integrity in place of a MAC. Without forcing a non-AEAD cipher, the connection may still succeed even when a disabled MAC is specified, because the client ignores the MAC setting when an AEAD cipher such as aes256-gcm@openssh.com is negotiated.
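
The following shell script is an added example, not part of the Dell article or the Unity tooling. It takes the "debug2:" lines from an "ssh -vvv" run (here a constructed sample, not output from a real NAS server), reads the server-to-client (stoc) cipher and MAC lists, flags the entries a scanner typically reports (the weak-algorithm pattern is an assumption to adjust to local policy), and prints the svc_nas command with the remaining comma-delimited list for review before it is run on the SP.

```shell
#!/bin/sh
# Added example (not from the Dell article): derive a hardened svc_nas value
# from "ssh -vvv" debug output. The sample output below is constructed.

# Constructed sample of "ssh -vvv ... 2>&1 | grep -E 'MAC|cipher'" lines.
SAMPLE_DEBUG='debug2: ciphers ctos: aes256-gcm@openssh.com,aes256-ctr,aes256-cbc,aes128-cbc
debug2: ciphers stoc: aes256-gcm@openssh.com,aes256-ctr,aes256-cbc,aes128-cbc
debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha1
debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha1'

# Algorithms a scanner commonly flags (assumption: adjust to local policy).
WEAK_PATTERN='^hmac-sha1|^hmac-md5|^umac-64|-cbc$'

# offered KIND TEXT: comma list from the first "debug2: KIND stoc:" line in TEXT,
# where KIND is "ciphers" or "MACs" (the server-to-client offer).
offered() {
  printf '%s\n' "$2" | sed -n "s/^debug2: $1 stoc: //p" | head -n 1
}

# weak_in LIST: entries of a comma list matching WEAK_PATTERN, one per line.
weak_in() {
  printf '%s\n' "$1" | tr ',' '\n' | grep -E -e "$WEAK_PATTERN"
}

# hardened LIST: the same comma list with weak entries removed, ready for "-v".
hardened() {
  printf '%s\n' "$1" | tr ',' '\n' | grep -E -v -e "$WEAK_PATTERN" | paste -sd, -
}

# svc_nas_cmd PARAM LIST: the svc_nas command to review; it is printed, not run.
svc_nas_cmd() {
  printf 'svc_nas ALL -param -f sshd -m %s -v %s\n' "$1" "$2"
}

# Walk both parameters and show what would be removed and what would be set.
for kind in ciphers MACs; do
  case $kind in ciphers) param=cipher ;; *) param=mac ;; esac
  list=$(offered "$kind" "$SAMPLE_DEBUG")
  printf '%s offered by server: %s\n' "$kind" "$list"
  printf 'weak %s to remove:\n%s\n' "$kind" "$(weak_in "$list")"
  svc_nas_cmd "$param" "$(hardened "$list")"
done
```

Replace SAMPLE_DEBUG with the real captured output to get the list for your own NAS server, and compare it against the CAUTION above before applying it.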

Affected Products

Dell EMC Unity Family

Article Properties

Article Number: 000220538
Article Type: How To
Last Modified: 28 May 2025
Version: 4