
HP StorageWorks MSA 2.8 SAN Switch User Manual

Page 94


Basic Security in FOS


Fabric OS Procedures Version 3.1.x/4.1.x User Guide

prevent, or even detect, these attempts to sniff passwords. Secure Shell (SSH) is
an alternative to Telnet that uses strong encryption to prevent password sniffing
and to protect the privacy of the management link.

SSH encrypts all messages, including the password the client sends at login
time. This is a significant improvement over basic telnet and over sectelnet, which
encrypts only the login password. The SSH package contains a daemon (sshd)
that runs on the switch and is very similar to telnetd, except that all messages
are encrypted. The SSH daemon supports a wide variety of encryption algorithms,
such as Data Encryption Standard (DES) and AES.

The daemon requires a public/private key pair for encryption. These keys are
generated by a program called ssh-keygen when the openssh RPM is installed.
The keys are saved to files in the /etc directory, and sshd reads them on startup.

Supported Versions and Features:

- ssh2 is officially supported. ssh2 uses a DSA key for authentication; the DSA
  authentication key is 1024 bits.

- The daemon runs under the root identity.

- A user cannot save their public keys on the switch. A password is the only
  method of authentication.

- The following default ciphers for session encryption are supported:
  AES128-CBC, 3DES-CBC, Blowfish-CBC, Cast128-CBC, and RC4.

- The following HMACs are supported: HMAC-MD5, HMAC-SHA1,
  HMAC-SHA1-96, HMAC-MD5-96.
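The cipher and HMAC lists above are what the switch's sshd offers to a client; a defender auditing such a device would want to see which of them current guidance still considers acceptable. The following is an added example, not code from the manual or from Fabric OS: it parses the SSH_MSG_KEXINIT name-lists (RFC 4253 section 7.1) that an SSH server sends during key exchange and reports every weak algorithm advertised. The sample payload is constructed from the cipher, HMAC and DSA host-key information on this page; the key-exchange method name is an assumption, since the page does not list one.

```python
import struct
SSH_MSG_KEXINIT = 20  # RFC 4253 section 7.1: byte 20, 16-byte cookie, ten name-lists
FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")
# Algorithms current guidance treats as weak, with the reason each is flagged.
WEAK = {
    "arcfour": "RC4: biased keystream",
    "3des-cbc": "64-bit block cipher in CBC mode",
    "blowfish-cbc": "64-bit block cipher in CBC mode",
    "cast128-cbc": "64-bit block cipher in CBC mode",
    "hmac-md5": "MD5-based MAC",
    "hmac-md5-96": "truncated MD5-based MAC",
    "hmac-sha1-96": "truncated SHA-1 MAC",
    "ssh-dss": "DSA host key limited to 1024 bits",
    "diffie-hellman-group1-sha1": "1024-bit DH group",
}

def _name_list(items):
    s = ",".join(items).encode("ascii")
    return struct.pack(">I", len(s)) + s

def build_kexinit(kex, host_key, enc, mac):
    # Test helper: same lists in both directions, compression 'none', no languages.
    body = bytes([SSH_MSG_KEXINIT]) + bytes(16)  # message type + (zeroed) cookie
    for items in (kex, host_key, enc, enc, mac, mac, ["none"], ["none"], [], []):
        body += _name_list(items)
    return body + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved

def parse_kexinit(payload):
    """Decode the ten name-lists of a KEXINIT payload into {field: [algorithms]}."""
    if payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off, out = 17, {}
    for field in FIELDS:
        (n,) = struct.unpack_from(">I", payload, off)
        raw = payload[off + 4:off + 4 + n].decode("ascii")
        out[field] = [a for a in raw.split(",") if a]  # empty list -> []
        off += 4 + n
    return out

def audit_kexinit(payload):
    """Return (field, algorithm, reason) for each weak algorithm the peer offers."""
    parsed = parse_kexinit(payload)
    return [(f, a, WEAK[a]) for f in FIELDS[:6] for a in parsed[f] if a in WEAK]

# Constructed sample from this page's cipher/HMAC lists; the KEX name is an assumption.
FOS_KEXINIT = build_kexinit(
    kex=["diffie-hellman-group1-sha1"], host_key=["ssh-dss"],
    enc=["aes128-cbc", "3des-cbc", "blowfish-cbc", "cast128-cbc", "arcfour"],
    mac=["hmac-md5", "hmac-sha1", "hmac-sha1-96", "hmac-md5-96"])
```

Feed `audit_kexinit` the decrypted payload of a real server KEXINIT (for example from a packet capture) to get the same report for a live device; only AES128-CBC and HMAC-SHA1 from the page's lists pass without a finding.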

Note:

If you telnet to another machine and then start an SSH session inside that telnet
session, the telnet traffic is still in clear text and not secure.

Note:

The FTP protocol is not secure. When you FTP to or from the switch, the contents
are in clear text. This includes the remote FTP server's login and password. This
limitation affects the following commands: savecore, configupload,
configdownload, and firmwaredownload.