Dell Unity: How to Disable MAC Algorithms and Ciphers for SFTP-enabled NAS servers

Summary: How to disable less secure MAC algorithms and ciphers for SFTP-enabled NAS servers. (User Correctable)


Description

Unity provides parameters to customize the MAC algorithms and ciphers provided by the SSHD instance running on SFTP-enabled NAS servers. It may be preferable to disable less-secure ciphers identified by security scanning software.

Since there is no sshd_config file that can be edited for the SFTP-enabled NAS server, Unity provides two parameters as a replacement for the standard functionality. To see information about these parameters and their current settings, run these commands:

svc_nas ALL -param -f sshd -i cipher
svc_nas ALL -param -f sshd -i mac

These parameters provide the same functionality as the Ciphers and MACs directives in sshd_config on a standard Linux or UNIX host running OpenSSH. The comma-separated list format used for those directives is also accepted as the value given to the commands that set these parameters.

To see the cipher and MAC algorithm names that the SSHD instance on the NAS server offers (and therefore the names that can be used with the parameters), run the following command from a host with an OpenSSH client:

NOTE:
  • "ivan2" is a default user, but any preferred user can be used.
  • "5.6.7.14" is an example IP address of the SFTP-enabled NAS server.
  • This command initiates an SSH connection. Press ctrl+c to disconnect when prompted for a password, or respond with "no" if prompted "Are you sure you want to continue connecting?".
# ssh -vvv ivan2@5.6.7.14 2>&1 | grep -E "MAC|cipher"
debug2: ciphers ctos: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc
debug2: ciphers stoc: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc
debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug1: kex: server->client cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none
The names in the server's "ciphers" lines are valid inputs for the cipher parameter, and the names in the server's "MACs" lines are valid inputs for the mac parameter. The grep filter removes the "debug2: local client KEXINIT proposal" and "debug2: peer server KEXINIT proposal" headers that separate the client's block from the server's, so run the command without the filter if it is unclear which block belongs to the server. The final two "kex:" lines show what was actually negotiated: OpenSSH selects the first algorithm in the client's list that the server also offers, and it reports MAC: <implicit> when an AEAD cipher such as aes256-gcm@openssh.com is chosen, because AEAD ciphers provide their own integrity protection and the MAC lists are not consulted at all.

In this example, the parameter is set to only allow the hmac-sha2-512-etm@openssh.com MAC algorithm:
svc_nas ALL -param -f sshd -m mac -v hmac-sha2-512-etm@openssh.com

NOTE: To allow multiple MAC algorithms, use a comma-separated list.
 
svc_nas ALL -param -f sshd -m mac -v hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
 
CAUTION: The system may accept a value without validating it. A misspelled or unsupported MAC algorithm (or cipher) leaves the SSHD instance with nothing it can negotiate and locks all users out of the SFTP server. Check each name against the list the server offered in the debug output above before applying the change, and keep at least one algorithm that your SFTP clients also offer.

The parameters must be set globally (ALL) and may require an SP or NAS server reboot to fully take effect. To confirm that the change is enforced, run an SFTP command that forces a MAC algorithm you disabled together with a non-AEAD cipher, as shown below:
# sftp -oMACs=hmac-sha1 -oCiphers=aes256-ctr ivan2@5.6.7.14
Unable to negotiate with 5.6.7.14 port 22: no matching MAC found. Their offer: hmac-sha2-512-etm@openssh.com
Connection closed.
Connection closed
In the above output, the SFTP server refuses the connection because hmac-sha1 is no longer offered, and because the client was pinned to a non-AEAD cipher (aes256-ctr) it cannot fall back on the cipher's built-in integrity protection. Without -oCiphers pinned to a non-AEAD cipher, the test can succeed even though the MAC was disabled: if an AEAD cipher such as aes256-gcm@openssh.com is negotiated, OpenSSH ignores the MAC lists entirely, so the -oMACs setting proves nothing.
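The checks described above can be scripted. The following POSIX shell script is an added example, not code from the Dell article or from Unity: it extracts the server's proposal from a captured ssh -vvv transcript, refuses to emit the svc_nas command when a value names an algorithm the server never offered (the lockout case in the CAUTION), and models OpenSSH's negotiation rule to show why the sftp test must pin a non-AEAD cipher. The transcript embedded in the script is constructed (shortened lists in the format OpenSSH prints, with the "local client KEXINIT proposal" and "peer server KEXINIT proposal" headers that the article's grep pattern filters out), and the function names offer, not_offered, negotiate, is_aead, effective_mac and hardening_cmd are this example's own.

```sh
#!/bin/sh
# Added example (not from the Dell article or Unity). Models the checks around a
# "svc_nas ALL -param -f sshd -m mac|cipher -v ..." change using only sh, awk and tr.
# The transcript below is CONSTRUCTED: shortened algorithm lists in the format
# OpenSSH prints with -vvv, including the KEXINIT headers that separate the
# client's proposal from the server's.
SSH_DEBUG='debug2: local client KEXINIT proposal
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes256-ctr,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes256-ctr,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1
debug2: peer server KEXINIT proposal
debug2: ciphers ctos: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-ctr,aes128-cbc
debug2: ciphers stoc: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-ctr,aes128-cbc
debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512
debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512'

# offer SIDE KIND DIR TRANSCRIPT -> the comma-separated list one side proposes.
#   SIDE is "local client" or "peer server", KIND is "ciphers" or "MACs" (as
#   OpenSSH spells them), DIR is ctos or stoc.
offer() {
    printf '%s\n' "$4" | awk -v side="$1 KEXINIT proposal" -v kind="$2" -v dir="$3:" '
        index($0, side)    { hit = 1; next }
        /KEXINIT proposal/ { hit = 0 }
        hit && $2 == kind && $3 == dir { print $4 }'
}

# not_offered CANDIDATES OFFERED -> every name in CANDIDATES (comma list) that
# is missing from OFFERED. Empty output means the value is safe to apply.
not_offered() {
    printf '%s\n' "$1" | tr ',' '\n' | awk -v offered="$2" '
        BEGIN { n = split(offered, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $0 != "" && !($0 in ok)'
}

# negotiate CLIENT SERVER -> OpenSSH's rule: the first name in the client's
# list that the server also offers; "none" when the lists do not overlap.
negotiate() {
    printf '%s\n' "$1" | tr ',' '\n' | awk -v offered="$2" '
        BEGIN { n = split(offered, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        ($0 in ok) { print; found = 1; exit }
        END { if (!found) print "none" }'
}

# is_aead CIPHER -> true for OpenSSH's AEAD ciphers. When one of these wins,
# the MAC lists are not consulted at all (the article's "MAC: <implicit>").
is_aead() {
    case "$1" in
        chacha20-poly1305@openssh.com|aes128-gcm@openssh.com|aes256-gcm@openssh.com) return 0 ;;
        *) return 1 ;;
    esac
}

# effective_mac CLIENT_CIPHERS SERVER_CIPHERS CLIENT_MACS SERVER_MACS
# -> "<implicit>" if an AEAD cipher is negotiated, otherwise the negotiated MAC,
#    or "none" when the handshake would fail with "no matching MAC found".
effective_mac() {
    cipher=$(negotiate "$1" "$2")
    if [ "$cipher" = none ]; then echo none; return 0; fi
    if is_aead "$cipher"; then echo '<implicit>'; else negotiate "$3" "$4"; fi
}

# hardening_cmd KIND VALUE TRANSCRIPT -> prints the svc_nas command for KIND
# ("mac" or "cipher") only if every name in VALUE appears in the server's
# proposal; otherwise reports the offending names on stderr and returns 1.
hardening_cmd() {
    if [ "$1" = mac ]; then kind=MACs; else kind=ciphers; fi
    offered=$(offer "peer server" "$kind" stoc "$3")
    bad=$(not_offered "$2" "$offered")
    if [ -n "$bad" ]; then
        printf 'refusing %s value; not offered by the server: %s\n' "$1" "$bad" >&2
        return 1
    fi
    printf 'svc_nas ALL -param -f sshd -m %s -v %s\n' "$1" "$2"
}

# Demo: what the server offers, one good and one mistyped value, and why the
# sftp check in the article has to pin a non-AEAD cipher.
echo "server MACs: $(offer 'peer server' MACs stoc "$SSH_DEBUG")"
hardening_cmd mac hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com "$SSH_DEBUG"
hardening_cmd mac hmac-sha2-512-etm@openssh.co "$SSH_DEBUG" || true   # typo, refused
HARDENED=hmac-sha2-512-etm@openssh.com
echo "sftp -oMACs=hmac-sha1 -oCiphers=aes256-ctr -> MAC: $(effective_mac aes256-ctr aes256-ctr hmac-sha1 "$HARDENED")"
echo "sftp -oMACs=hmac-sha1, AEAD cipher wins   -> MAC: $(effective_mac "$(offer 'local client' ciphers ctos "$SSH_DEBUG")" "$(offer 'peer server' ciphers ctos "$SSH_DEBUG")" hmac-sha1 "$HARDENED")"
```

To use it against a real NAS server, replace SSH_DEBUG with the output of ssh -vvv user@host 2>&1 | grep -E "KEXINIT|MAC|cipher" so that the proposal headers are retained; the validation in hardening_cmd only guards against names the server never offered, so it still does not replace the sftp check after the reboot.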

Affected Products

Dell EMC Unity Family
Article Properties
Article Number: 000220538
Article Type: How To
Last Modified: 28 May 2025
Version: 4