
How the SSH protocol improves security

SSH improves security in two ways: it gives the storage system a means to authenticate the client (by password or public key) and the client a means to authenticate the storage system (by its host key), and it generates a session key that encrypts data sent between the client and the storage system. SSH protects the session key with public-key encryption using the host key and, for SSH 1.x connections, a server key.

Note: SecureAdmin supports password authentication and public-key authentication. It does not support .rhosts-based authentication, either on its own or combined with RSA host authentication.
SecureAdmin supports the following cryptographic algorithms:
  • RSA/DSA 1024 bit (host and user key pairs)
  • 3DES in CBC mode (session encryption)
  • HMAC-SHA1 (message authentication)
  • HMAC-MD5 (message authentication)
All four are legacy choices by current standards; 1024-bit RSA/DSA and 3DES in particular have been deprecated by NIST, so expose the storage system's SSH interface only on trusted management networks.
SecureAdmin supports the following SSH clients:
  • OpenSSH client version 3.4 on UNIX platforms
  • SSH Communications Security client version 3.2.0 on Windows and UNIX platforms
  • Vandyke SecureCRT version 5.0 on Windows platforms
  • PuTTY version 0.52 beta on Windows platforms
  • F-Secure SSH client version 5.2
SSH uses three keys to improve security:
  • Host key
    SSH uses the host key to encrypt and decrypt the session key, and the client keeps its public portion to authenticate the storage system on later connections. You determine the size of the host key, and Data ONTAP generates the host key when you configure SecureAdmin.
  • Server key (SSH 1.x only)
    SSH uses the server key, together with the host key, to encrypt and decrypt the session key. You determine the size of the server key when you configure SecureAdmin. If SSH is enabled, Data ONTAP generates a new server key whenever any of the following events occurs:
    • You start SecureAdmin
    • An hour elapses
    • The storage system reboots
  • Session key
    SSH uses the session key to encrypt data sent between the client and storage system. The client creates the session key, encrypts it with the public portions of the host and server keys, and sends the encrypted session key to the storage system, which decrypts it with the private portions of the host and server keys. After the session key is decrypted, the client and storage system exchange data encrypted under it.

The following table shows how SecureAdmin creates a secure session between the storage system and client.

| Stage | What the client does | What the storage system does |
|-------|----------------------|------------------------------|
| 1 | The client sends an SSH request to the storage system. | The storage system receives the SSH request from the client. |
| 2 | | The storage system sends the public portion of the host key, and of the server key if SSH 1.x is used, to the client. |
| 3 | The client stores the public portion of the host key for future host authentication. | |
| 4 | The client generates a random session key. | |
| 5 | The client encrypts the session key using the public portion of the host key, and of the server key if SSH 1.x is used, and sends it to the storage system. | |
| 6 | | The storage system decrypts the session key using the private portion of the host key, and of the server key if SSH 1.x is used. |
| 7 | The client exchanges information with the storage system, encrypting and decrypting it with the session key. | The storage system exchanges information with the client, encrypting and decrypting it with the session key. |
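The seven stages above, as an added example that is not part of the original page and not Data ONTAP or SecureAdmin code: a Go model of both sides of the exchange written for this page. Everything about sizes and formats is this example's assumption, not something the page states: a 2048-bit host key and a 1024-bit server key (the outer key has to be big enough to wrap the inner ciphertext), PKCS#1 v1.5 for the two-layer wrap, a session key that carries a 3DES key and an HMAC-SHA1 key, and an encrypt-then-MAC record format for stage 7; the real SSH 1.x wire format differs. The client pins the host key it receives at stage 3 and refuses a different one on a later connection, which is the host authentication the table refers to. The sample command string is constructed.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"errors"
)

type sessionKey [24 + 20]byte // a 24-byte 3DES key followed by a 20-byte HMAC-SHA1 key

// Server side: long-lived host key plus short-lived server key (SSH 1.x only). Sizes are this
// example's assumption; the host key must be big enough to wrap a whole server-key ciphertext.
type storageSystem struct{ hostKey, serverKey *rsa.PrivateKey }

func newStorageSystem() (s *storageSystem, err error) {
	s = &storageSystem{}
	if s.hostKey, err = rsa.GenerateKey(rand.Reader, 2048); err == nil {
		s.serverKey, err = rsa.GenerateKey(rand.Reader, 1024) // regenerated hourly and on reboot
	}
	return s, err
}

// Stage 6: peel off the host-key layer, then the server-key layer; reject anything malformed.
func (s *storageSystem) unwrapSessionKey(wrapped []byte) (k sessionKey, err error) {
	inner, err := rsa.DecryptPKCS1v15(rand.Reader, s.hostKey, wrapped)
	if err == nil {
		inner, err = rsa.DecryptPKCS1v15(rand.Reader, s.serverKey, inner)
	}
	if err != nil || len(inner) != len(k) {
		return k, errors.New("session key rejected")
	}
	copy(k[:], inner)
	return k, nil
}

// Client side: remembers the first host key it sees (stage 3) and refuses any other one later.
type sshClient struct{ knownHost *rsa.PublicKey }

// Stages 4-5: a random session key, encrypted under the server key and then the host key.
func (c *sshClient) wrapSessionKey(server *rsa.PublicKey) (sessionKey, []byte, error) {
	var key sessionKey
	rand.Read(key[:]) // never fails on Go 1.24+; check the error on older toolchains
	inner, err := rsa.EncryptPKCS1v15(rand.Reader, server, key[:])
	if err != nil {
		return key, nil, err
	}
	wrapped, err := rsa.EncryptPKCS1v15(rand.Reader, c.knownHost, inner)
	return key, wrapped, err
}

// handshake runs stages 1-6 of the table (stage 2 hands over public halves only) and returns
// the session key as the client and the storage system each see it.
func handshake(c *sshClient, s *storageSystem) (sessionKey, sessionKey, error) {
	if c.knownHost != nil && !c.knownHost.Equal(&s.hostKey.PublicKey) {
		return sessionKey{}, sessionKey{}, errors.New("host key changed: refusing to connect")
	}
	c.knownHost = &s.hostKey.PublicKey // stage 3: pinned for future host authentication
	clientView, wrapped, err := c.wrapSessionKey(&s.serverKey.PublicKey)
	if err != nil {
		return clientView, sessionKey{}, err
	}
	serverView, err := s.unwrapSessionKey(wrapped)
	return clientView, serverView, err
}

// Stage 7: 3DES-CBC under a fresh IV, then HMAC-SHA1 over IV||ciphertext (encrypt-then-MAC is this example's choice, not the SSH wire format).
func seal(key sessionKey, plaintext []byte) []byte {
	block, _ := des.NewTripleDESCipher(key[:24]) // cannot fail: exactly 24 key bytes
	pad := des.BlockSize - len(plaintext)%des.BlockSize
	out := make([]byte, des.BlockSize, des.BlockSize+len(plaintext)+pad)
	rand.Read(out) // random IV in the first block
	out = append(append(out, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	cipher.NewCBCEncrypter(block, out[:des.BlockSize]).CryptBlocks(out[des.BlockSize:], out[des.BlockSize:])
	mac := hmac.New(sha1.New, key[24:])
	mac.Write(out)
	return mac.Sum(out)
}

// unseal verifies the MAC in constant time before it decrypts anything.
func unseal(key sessionKey, msg []byte) ([]byte, error) {
	if len(msg) < 2*des.BlockSize+sha1.Size || (len(msg)-sha1.Size)%des.BlockSize != 0 {
		return nil, errors.New("malformed message")
	}
	body, tag := msg[:len(msg)-sha1.Size], msg[len(msg)-sha1.Size:]
	mac := hmac.New(sha1.New, key[24:])
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, errors.New("bad MAC: message rejected")
	}
	block, _ := des.NewTripleDESCipher(key[:24])
	pt := make([]byte, len(body)-des.BlockSize)
	cipher.NewCBCDecrypter(block, body[:des.BlockSize]).CryptBlocks(pt, body[des.BlockSize:])
	return pt[:len(pt)-int(pt[len(pt)-1])], nil // the pad byte is under the MAC, so it can be trusted
}
```

Calling handshake against the same storage system again succeeds even after its server key has been replaced, because only the host key is pinned; calling it against a storage system with a different host key fails at stage 3 before any session key is sent. A flipped byte in the wrapped session key is rejected at stage 6, and a flipped byte in a stage 7 message is rejected by the MAC check before decryption. The RSA keys are generated fresh on every run, which takes a moment.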

If you are logged into a non-root user account on a client and you request a list of supported SSH commands on a storage system using the ssh <ip address> ? command, some SSH clients do not pass the ? (question mark) to the storage system. To make sure the client passes the question mark, wrap the ? in quotes, for example, ssh <ip address> '?'.

Note: Some characters, for example ?, ., *, and ^, can have special meaning for the command interpreter running on the client. The client command interpreter might replace the character with an environment-specific value prior to passing it to the SSH program. To prevent a replacement, use an escape sequence before the character (for example, ssh <ip address> \?) or enclose the character in quotes.