SSH improves security by providing a means for a storage system to authenticate the client and by generating a session key that encrypts data sent between the client and storage system. SSH performs public-key encryption using a host key and a server key.
SSH uses the host key to encrypt and decrypt the session key. You determine the size of the host key, and Data ONTAP generates the host key when you configure SecureAdmin.
SSH uses the session key to encrypt data sent between the client and storage system. The client creates the session key, encrypts it with the public portion of the host key (and of the server key, if SSH 1.x is used), and sends the encrypted session key to the storage system, which decrypts it with the corresponding private portions. After the session key is decrypted, the client and storage system can exchange encrypted data.
Stage | What the client does | What the storage system does |
---|---|---|
1 | The client sends an SSH request to the storage system. | The storage system receives the SSH request from the client. |
2 | | The storage system sends the public portion of the host key, and the server key if SSH 1.x is used, to the client. |
3 | The client stores the public portion of the host key for future host authentication. | |
4 | The client generates a random session key. | |
5 | The client encrypts the session key by using the public portion of the host key, and the server key if SSH 1.x is used, and sends it to the storage system. | |
6 | | The storage system decrypts the session key using the private portions of the host key, and the server key if SSH 1.x is used. |
7 | The client exchanges information with the storage system, encrypting and decrypting it using the session key. | The storage system exchanges information with the client, encrypting and decrypting it using the session key. |
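The stages above as an added example that is not Data ONTAP code and does not speak the SSH wire protocol: the client pins the host key fingerprint it sees at stage 3 and refuses a changed key on a later connection, wraps a random session key with the public portion of the host key at stages 4-5, and the storage system unwraps it with the private portion at stage 6. RSA-OAEP stands in for the SSH 1.x padding, the separate SSH 1.x server key is omitted, and the host name filer1 is a constructed placeholder.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// Stage 2: the storage system's host key; the admin chooses its size.
func newHostKey(bits int) (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, bits) }

// Stage 3: pin the host key fingerprint on first contact; reject a changed key on later contacts.
func checkHostKey(known map[string][32]byte, host string, pub *rsa.PublicKey) error {
	der, _ := x509.MarshalPKIXPublicKey(pub) // cannot fail for a well-formed RSA public key
	fp := sha256.Sum256(der)
	if stored, ok := known[host]; ok && stored != fp {
		return fmt.Errorf("host key for %s changed; refusing to connect", host)
	}
	known[host] = fp
	return nil
}

// Stages 4-5: random session key, encrypted with the public portion of the host key (RSA-OAEP stands in for SSH 1.x padding).
func wrapSessionKey(hostPub *rsa.PublicKey) (session, wrapped []byte, err error) {
	session = make([]byte, 32)
	if _, err = rand.Read(session); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, hostPub, session, nil)
	return session, wrapped, err
}

// Stage 6: only the private portion of the host key recovers the session key; any other key gets a decryption error.
func unwrapSessionKey(hostPriv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, hostPriv, wrapped, nil)
}

func main() {
	hostKey, _ := newHostKey(2048)
	known := map[string][32]byte{}
	fmt.Println("first contact:", checkHostKey(known, "filer1", &hostKey.PublicKey))
	session, wrapped, _ := wrapSessionKey(&hostKey.PublicKey)
	recovered, err := unwrapSessionKey(hostKey, wrapped)
	fmt.Println("session key agreed:", err == nil && string(session) == string(recovered))
	other, _ := newHostKey(2048) // a different key presented for the same host name
	fmt.Println("second contact:", checkHostKey(known, "filer1", &other.PublicKey))
}
```

The second contact fails because the pinned fingerprint no longer matches, which is the check that protects the stored host key from being silently replaced.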
If you are logged into a non-root user account on a client and you request a list of supported SSH commands on a storage system using the ssh <ip address> ? command, some SSH clients do not pass the ? (question mark) to the storage system. To make sure the client passes the question mark, wrap the ? in quotes, for example, ssh <ip address> '?'.