
Understanding the SSH protocol

The Secure Shell (SSH) protocol uses public-key cryptography with a host key and, for SSH 1.x, a server key. SSH improves security by letting the client verify the identity of the storage system through its host key, by providing a means for the storage system to authenticate the client, and by generating a session key that encrypts the data sent between the client and the storage system.

The SSH server version running on Data ONTAP is Data ONTAP SSH version 1.0. For information about the Common Vulnerabilities and Exposures (CVE) fixes implemented in Data ONTAP, see the Suspected Security Vulnerabilities page on the NetApp Support Site.

Data ONTAP supports the SSH 1.x protocol and the SSH 2.0 protocol. The SSH 1.x protocol has known cryptographic weaknesses and is deprecated in current SSH implementations; where the client allows it, connect with SSH 2.0.

Data ONTAP supports the following SSH clients:

SSH uses three keys to improve security: the host key, the server key (SSH 1.x only), and the session key.

The following sequence shows how Data ONTAP creates a secure session between the storage system and the client. Each stage lists what the client does and what the storage system does.

Stage 1
  Client: sends an SSH request to the storage system.
  Storage system: receives the SSH request from the client.
Stage 2
  Storage system: sends the public portion of the host key, and the server key if SSH 1.x is used, to the client.
Stage 3
  Client: stores the public portion of the host key for future host authentication. On later connections the client compares the key the storage system presents with the stored copy; a mismatch means the host key was changed or the connection is being intercepted.
Stage 4
  Client: generates a random session key.
Stage 5
  Client: encrypts the session key by using the public portion of the host key, and the server key if SSH 1.x is used, and sends it to the storage system.
Stage 6
  Storage system: decrypts the session key using the private portions of the host key, and the server key if SSH 1.x is used.
Stage 7
  Client and storage system: exchange information that they encrypt and decrypt using the session key.
Note: Some characters, such as question mark (?), period (.), asterisk (*), and caret (^), can have special meaning for the command interpreter running on the client. The client command interpreter might replace the character with an environment-specific value prior to passing it to the SSH program. To prevent a replacement, you can use an escape sequence before the character (ssh ip_address \?) or enclose the character in quotes (ssh ip_address '?').
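The exchange described in the stages above, as an added worked example that is not code from the Data ONTAP documentation or from NetApp. The script models both sides of the session setup: the storage system answers the request with its host key, the client pins the key's fingerprint on first contact and refuses a changed key afterwards (stage 3), generates a random session key, encrypts it to the host key (stages 4 and 5), and the storage system recovers it with the private portion (stage 6); stage 7 is shown as an encrypt-then-MAC channel keyed from the session key. The textbook RSA and the SHA-256 based stage-7 cipher are stand-ins for illustration only, not the algorithms SSH actually uses; the host name "filer1" and the command string are constructed, and the SSH 1.x server key is omitted.

```python
import hashlib
import hmac
import secrets

class HostKeyMismatch(Exception): pass

# Toy textbook RSA, just enough to model the exchange (real SSH uses padded RSA or a DH exchange).
def _is_probable_prime(n, rounds=25):
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):                       # Miller-Rabin with random witnesses
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # force the top bit and oddness
        if _is_probable_prime(c):
            return c

def rsa_keygen(bits=512):
    """Return ((n, e), (n, d)). 512 bits keeps the demo fast; it is far too small for real use."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:                    # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def host_key_fingerprint(pub):
    """SHA-256 of the public portion of the host key: the value a client pins (cf. known_hosts)."""
    n, e = pub
    return hashlib.sha256(n.to_bytes(64, "big") + e.to_bytes(4, "big")).hexdigest()

class StorageSystem:                              # server side: stages 1, 2 and 6
    def __init__(self):
        self.host_pub, self._host_priv = rsa_keygen()
        self.session_key = None
    def receive_request(self):
        return self.host_pub                      # stage 2: send the public portion of the host key
    def receive_session_key(self, ciphertext):
        n, d = self._host_priv                    # stage 6: decrypt with the private portion
        self.session_key = pow(ciphertext, d, n).to_bytes(32, "big")

class Client:                                     # client side: stages 1, 3, 4 and 5
    def __init__(self, known_hosts):
        self.known_hosts = known_hosts            # host name -> pinned fingerprint
        self.session_key = None
    def connect(self, name, storage):
        host_pub = storage.receive_request()      # stage 1: send the request, receive the host key
        fp = host_key_fingerprint(host_pub)
        pinned = self.known_hosts.get(name)
        if pinned is None:
            self.known_hosts[name] = fp           # stage 3: store the key on first contact
        elif pinned != fp:                        # a changed key means a rekeyed host or a MITM
            raise HostKeyMismatch(f"host key for {name} changed")
        self.session_key = secrets.token_bytes(32)                       # stage 4
        n, e = host_pub
        storage.receive_session_key(pow(int.from_bytes(self.session_key, "big"), e, n))  # stage 5
        return fp

def host_key_accepted(known_hosts, name, storage):
    """True if the client completes the exchange, False if it refuses a changed host key."""
    try:
        Client(known_hosts).connect(name, storage)
        return True
    except HostKeyMismatch:
        return False

def seal(session_key, seq, plaintext):
    """Stage 7, toy version: SHA-256 keystream plus an HMAC tag, both keyed from the session key."""
    enc_key = hashlib.sha256(b"enc" + session_key).digest()
    mac_key = hashlib.sha256(b"mac" + session_key).digest()
    stream = b"".join(hashlib.sha256(enc_key + seq.to_bytes(8, "big") + i.to_bytes(4, "big")).digest()
                      for i in range(len(plaintext) // 32 + 1))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    return ct, hmac.new(mac_key, seq.to_bytes(8, "big") + ct, hashlib.sha256).digest()

def open_sealed(session_key, seq, ct, tag):
    """Check the tag before decrypting; returns None if the message or sequence number was altered."""
    mac_key = hashlib.sha256(b"mac" + session_key).digest()
    expected = hmac.new(mac_key, seq.to_bytes(8, "big") + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return seal(session_key, seq, ct)[0]          # the XOR keystream is its own inverse
```

The point a practitioner should take from stage 3 is that the session key is only as confidential as the host key it is encrypted to: a client that accepts whichever key the peer presents hands the session key to a man-in-the-middle. The `known_hosts` dictionary plays the role of the client's stored host keys, and a second `StorageSystem` instance stands in for an impostor presenting a different key.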

Data ONTAP supports password authentication and public-key-based authentication. It does not support the use of a .rhosts file or the use of a .rhosts file with RSA host authentication.

Data ONTAP supports the following encryption algorithms: