The Secure Shell (SSH) protocol performs public-key encryption using a host key and a server key. SSH improves security by providing a means for the storage system to authenticate the client and by generating a session key that encrypts data sent between the client and storage system.
The SSH server version running on Data ONTAP is Data ONTAP SSH version 1.0. For information about the Common Vulnerabilities and Exposures (CVE) fixes implemented in Data ONTAP, see the Suspected Security Vulnerabilities page on the NetApp Support Site.
Data ONTAP supports the SSH 1.x protocol and the SSH 2.0 protocol.
Data ONTAP supports the following SSH clients:
SSH uses three keys to improve security:
SSH uses the host key to encrypt and decrypt the session key. You determine the size of the host key, and Data ONTAP generates the host key when you configure SecureAdmin.
SSH uses the server key to encrypt and decrypt the session key. You determine the size of the server key when you configure SecureAdmin. If SSH is enabled, Data ONTAP generates the server key when any of the following events occur:
SSH uses the session key to encrypt data sent between the client and storage system. The session key is created by the client. To use the session key, the client encrypts the session key using the host and server keys and sends the encrypted session key to the storage system, where it is decrypted using the host and server keys. After the session key is decrypted, the client and storage system can exchange encrypted data.
The following table shows how Data ONTAP creates a secure session between the storage system and client.
| Stage | What the client does | What the storage system does |
|---|---|---|
| 1 | The client sends an SSH request to the storage system. | The storage system receives the SSH request from the client. |
| 2 | | The storage system sends the public portion of the host key, and the server key if SSH 1.x is used, to the client. |
| 3 | The client stores the public portion of the host key for future host authentication. | |
| 4 | The client generates a random session key. | |
| 5 | The client encrypts the session key by using the public portion of the host key, and the server key if SSH 1.x is used, and sends it to the storage system. | |
| 6 | | The storage system decrypts the session key using the private portions of the host key, and the server key if SSH 1.x is used. |
| 7 | The client exchanges information with the storage system, encrypting and decrypting it with the session key. | The storage system exchanges information with the client, encrypting and decrypting it with the session key. |
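Stages 3 through 6 of the table, as an added Python example that is not part of the NetApp documentation or of Data ONTAP: it encodes an RSA host public key the way a known_hosts line records it, computes the SHA256 fingerprint an administrator compares out of band, checks a key presented on a later connection against the stored one (a changed host key is the signal worth investigating before accepting it), and wraps and unwraps a session key with the host key pair. The hostname `filer01.example.test`, the address `10.0.0.5`, and the RSA values (n = 3233, e = 65537, d = 2753, plus a second modulus 3127 standing in for a different host key) are constructed for illustration; real host keys are 2048 bits or more, real implementations never use textbook RSA without padding, and the extra SSH 1.x server-key layer is not modelled.

```python
import base64
import hashlib
import struct

# Constructed toy RSA host key for illustration only: n = 61 * 53 = 3233,
# e = 65537, d = 2753 (e * d is 1 mod 3120). Real host keys are 2048 bits
# or more and are never used without padding; this is the textbook operation.
TOY_HOST_N, TOY_HOST_E, TOY_HOST_D = 3233, 65537, 2753
TOY_OTHER_N = 3127  # 53 * 59, a second constructed modulus: a different host key

def _string(data: bytes) -> bytes:
    """SSH 'string' encoding (RFC 4251): 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def _mpint(value: int) -> bytes:
    """SSH 'mpint' encoding: like 'string', with a leading 0x00 if the high bit is set."""
    if value == 0:
        return struct.pack(">I", 0)
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _string(raw)

def encode_rsa_public_key(e: int, n: int) -> str:
    """Base64 blob as it appears in a known_hosts line after 'ssh-rsa'."""
    return base64.b64encode(_string(b"ssh-rsa") + _mpint(e) + _mpint(n)).decode("ascii")

def decode_rsa_public_key(b64: str) -> tuple:
    """Parse an ssh-rsa blob back into (e, n); rejects any other key type."""
    blob = base64.b64decode(b64)
    fields, off = [], 0
    while off < len(blob):
        (length,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        fields.append(blob[off:off + length])
        off += length
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa public key")
    return int.from_bytes(fields[1], "big"), int.from_bytes(fields[2], "big")

def fingerprint(b64: str) -> str:
    """SHA256 fingerprint in the form 'ssh-keygen -l' prints, for out-of-band comparison."""
    digest = hashlib.sha256(base64.b64decode(b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")

def parse_known_hosts(text: str) -> dict:
    """Map each hostname in plain (unhashed) known_hosts lines to (keytype, blob)."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("|1|"):
            continue  # skip comments and hashed entries, which need HMAC matching
        hosts, keytype, b64 = line.split()[:3]
        for host in hosts.split(","):
            entries[host] = (keytype, b64)
    return entries

def check_host_key(known_hosts: str, host: str, keytype: str, b64: str) -> str:
    """Stage 3 on a later connection: 'match', 'changed' (possible interception,
    or a legitimately regenerated key; confirm out of band before trusting it)
    or 'unknown' (first contact, so the fingerprint must be verified)."""
    entries = parse_known_hosts(known_hosts)
    if host not in entries:
        return "unknown"
    if entries[host] == (keytype, b64):
        return "match"
    return "changed"

def wrap_session_key(session_key: int, e: int, n: int) -> int:
    """Stage 5: the client encrypts the session key with the host public key (textbook RSA)."""
    if not 0 < session_key < n:
        raise ValueError("session key must be smaller than the modulus")
    return pow(session_key, e, n)

def unwrap_session_key(ciphertext: int, d: int, n: int) -> int:
    """Stage 6: the storage system recovers the session key with the host private key."""
    return pow(ciphertext, d, n)

# Constructed sample: the blob the client recorded for the filer on first contact.
HOST_KEY_BLOB = encode_rsa_public_key(TOY_HOST_E, TOY_HOST_N)
OTHER_KEY_BLOB = encode_rsa_public_key(TOY_HOST_E, TOY_OTHER_N)
KNOWN_HOSTS = "filer01.example.test,10.0.0.5 ssh-rsa " + HOST_KEY_BLOB + "\n"

if __name__ == "__main__":
    print("stored host key:", fingerprint(HOST_KEY_BLOB))
    print("same key again:", check_host_key(KNOWN_HOSTS, "filer01.example.test", "ssh-rsa", HOST_KEY_BLOB))
    print("different key:", check_host_key(KNOWN_HOSTS, "filer01.example.test", "ssh-rsa", OTHER_KEY_BLOB))
    wrapped = wrap_session_key(1234, TOY_HOST_E, TOY_HOST_N)
    print("session key recovered:", unwrap_session_key(wrapped, TOY_HOST_D, TOY_HOST_N) == 1234)
```

The fingerprint is what to compare against the value read from the storage system's console or obtained through another trusted channel before the first connection is accepted; once the key is stored, `check_host_key` returning `changed` is the condition that deserves an investigation rather than a reflexive `known_hosts` cleanup.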
Data ONTAP supports password authentication and public-key-based authentication. It does not support the use of a .rhosts file or the use of a .rhosts file with RSA host authentication.
Data ONTAP supports the following encryption algorithms: