Closed amadorloureiro closed 1 month ago
@amadorloureiro thanks for your feedback. We'll review the documentation and update the docs accordingly.
@amadorloureiro the Enable SSH topic mentioned here is specific to Broadcom switches only; it isn't applicable to Cisco switches. A new topic for Cisco Nexus switches is now available in relation to SSH and is available here: https://docs.netapp.com/us-en/ontap-systems-switches/switch-cisco-9336c-fx2/configure-ssh-keys.html
Regarding your feedback, keys for Cisco Nexus 9336C-FX2 switches are generated and enabled in the RCF:
ssh key ecdsa 521
Hopefully this clarifies the issue for you. Thanks again for contacting us and helping us improve our customer documentation.
I am very sorry. I thought that the links shared by me above were all for Cisco and not BES.
Is that "ssh key ecdsa 521" correct OR should it be "ssh key ecdsa 256" to match the supported keys mentioned at https://docs.netapp.com/us-en/ontap/networking/configure_network_security_using_federal_information_processing_standards_@fips@.html for FIPS systems?
@amadorloureiro, let me check and get back to you.
From: netapp-yvonneo
Sent: Wednesday, September 25, 2024 2:01:30 PM
To: NetAppDocs/ontap-systems-switches
Cc: Loureiro, Amador; Mention
Subject: Re: [NetAppDocs/ontap-systems-switches] What is the length of the ecdsa crypto key 521 or 256? (Issue #207)
@amadorloureiro so I've just checked with Engineering and what's in the RCF is correct for the switch. What you have in https://docs.netapp.com/us-en/ontap/networking/configure_network_security_using_federal_information_processing_standards_@fips@.html#enable-fips is ONTAP specific. "ssh key ecdsa 521" is in relation to the switch, meaning the ssh crypto key is size 512. If you want to log in to ONTAP, you only support those keys listed on the page. Hope this clarifies the issue for you. Thanks
My comment was in relation to the CONTAP-249562. Can you please check that with engineering?
I'll pass it onto them now for clarification!
Page URL
https://docs.netapp.com/us-en/ontap-systems-switches/switch-cisco-9336c-fx2/configure-ssh.html
Page title
Enable SSH on Cisco 9336C-FX2 cluster switches
Summary
Is this ECDSA key gen. correct for 521? At https://docs.netapp.com/us-en/ontap-systems-switches/switch-cisco-9336c-fx2/configure-ssh.html and https://docs.netapp.com/us-en/ontap/networking/configure_network_security_using_federal_information_processing_standards_@fips@.html we can see ecdsa-sha2-nistp256 as "Supported key types" for FIPS.
Actually, I was able to resolve an issue with a "crypto key generate ecdsa 256 force" (to "overwrite" the existing 521)
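The 521-versus-256 question in this thread can be checked directly against the public key a device presents. The following is an added example, not part of the issue and not NetApp or Cisco code: it parses an OpenSSH public key line (`<type> <base64> [comment]`), reads the curve from the key blob and compares the key type with an allow-list. The function names are hypothetical, `ALLOWED_KEY_TYPES` assumes only the key type quoted in the issue, and the sample keys are constructed with filler bytes.

```python
import base64

# Assumption: only the type the issue quotes as a "Supported key type" for FIPS.
ALLOWED_KEY_TYPES = {"ecdsa-sha2-nistp256"}
CURVE_BITS = {"nistp256": 256, "nistp384": 384, "nistp521": 521}


def _read_string(blob, offset):
    """Read one SSH wire string (uint32 length + bytes); return (data, next_offset)."""
    end = offset + 4 + int.from_bytes(blob[offset:offset + 4], "big")
    if offset + 4 > len(blob) or end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end


def inspect_ecdsa_key(line):
    """Return (key_type, curve, bits, allowed) for an ECDSA public key line."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not a public key line")
    blob = base64.b64decode(fields[1], validate=True)
    key_type, off = _read_string(blob, 0)
    curve, off = _read_string(blob, off)
    point, off = _read_string(blob, off)
    key_type, curve = key_type.decode("ascii"), curve.decode("ascii")
    # The type in the text column must agree with the type and curve in the blob.
    if key_type != fields[0] or key_type != "ecdsa-sha2-" + curve:
        raise ValueError("key type does not match blob")
    bits = CURVE_BITS.get(curve, 0)
    coord = (bits + 7) // 8  # 32 bytes for nistp256, 66 bytes for nistp521
    # Uncompressed point: 0x04 || X || Y, with nothing after it in the blob.
    if bits == 0 or len(point) != 1 + 2 * coord or point[0] != 4 or off != len(blob):
        raise ValueError("unexpected curve or point encoding")
    return key_type, curve, bits, key_type in ALLOWED_KEY_TYPES


def make_sample(curve):
    """Constructed sample line; the point is filler bytes, not a usable key."""
    name = "ecdsa-sha2-" + curve
    point = b"\x04" + b"\x01" * (2 * ((CURVE_BITS[curve] + 7) // 8))
    parts = (name.encode(), curve.encode(), point)
    blob = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return name + " " + base64.b64encode(blob).decode() + " constructed-sample"


if __name__ == "__main__":
    for sample_curve in ("nistp521", "nistp256"):
        print(inspect_ecdsa_key(make_sample(sample_curve)))
```
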