HP StorageWorks MSA 2.8 SAN Switch User Manual
Page 94
 
Basic Security in FOS
Fabric OS Procedures Version 3.1.x/4.1.x User Guide
prevent, or even detect, these attempts to sniff passwords. Secure Shell (SSH) is an alternative to Telnet that uses strong encryption to prevent password sniffing and protect the privacy of the management link.
SSH encrypts every message in the session, including the password the client sends at login time. This is a significant improvement over basic telnet, which encrypts nothing, and over sectelnet, which encrypts only the login password. The SSH package contains a daemon (sshd) that runs on the switch; it is very similar to telnetd except that all traffic is encrypted. The daemon supports a wide variety of encryption algorithms, such as Data Encryption Standard (DES) and AES.
The daemon requires a public/private host key pair, which identifies the switch to clients and is used to negotiate the per-session encryption keys. The key pair is generated by the ssh-keygen program when the openssh RPM is installed. The keys are saved to files in the /etc directory, and sshd reads them on startup.
Supported Versions and Features:
■ ssh2 is the officially supported protocol version. ssh2 uses a DSA host key for authentication; the DSA key is 1024 bits.
■ The daemon runs under the root identity.
■ Users cannot store their public keys on the switch. A password is the only method of authentication.
■ The following default ciphers are supported for session encryption: AES128-CBC, 3DES-CBC, Blowfish-CBC, Cast128-CBC, and RC4.
■ The following HMACs are supported: HMAC-MD5, HMAC-SHA1, HMAC-SHA1-96, and HMAC-MD5-96.
Note:
A 1024-bit DSA host key and the MD5 and SHA1-96 HMACs are considered weak today, and current OpenSSH clients disable ssh-dss host keys (since OpenSSH 7.0) and several of the listed ciphers and MACs by default. Connecting to the switch from such a client requires explicitly re-enabling the needed algorithms with the HostKeyAlgorithms, Ciphers and MACs client options; confine that exception to the switch's own address rather than weakening the client's defaults for every host.
Note:
If you telnet to another machine and then start an SSH session from inside that telnet session, everything you type, including the SSH login password, still crosses the telnet hop in clear text and can be sniffed there.
Note:
The FTP protocol is not secure. When you FTP to or from the switch, the contents are sent in clear text, including the remote FTP server's login name and password and the transferred files themselves. This limitation affects the following commands: savecore, configupload, configdownload, and firmwaredownload.
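The two notes above describe the failure mode: telnet and FTP login passwords cross the management LAN in clear text. The following Python script is an added example, not code from this manual or from Fabric OS; it shows how little work a sniffer needs to recover those credentials from a capture. It parses a telnet client-to-server byte stream (stripping the RFC 854 IAC option negotiation) and an FTP control channel. The byte strings TELNET_SAMPLE and FTP_SAMPLE are constructed sample captures, and the user names, password and file name in them are invented.

```python
# Added example (not from the HP/Brocade manual): pull a login name and
# password out of captured clear-text telnet and FTP traffic, to show what a
# sniffer on the management LAN sees when SSH is not used.
# The two byte strings at the bottom are constructed sample captures.

IAC, SB, SE = 0xFF, 0xFA, 0xF0            # RFC 854 telnet command bytes
WILL, WONT, DO, DONT = 0xFB, 0xFC, 0xFD, 0xFE


def strip_telnet_iac(data: bytes) -> bytes:
    """Remove telnet option negotiation, leaving only the bytes the user typed."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        if i + 1 >= len(data):            # truncated IAC at end of capture
            break
        cmd = data[i + 1]
        if cmd == IAC:                     # IAC IAC is an escaped 0xFF data byte
            out.append(IAC)
            i += 2
        elif cmd in (WILL, WONT, DO, DONT):
            i += 3                         # IAC <cmd> <option>
        elif cmd == SB:                    # subnegotiation runs until IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        else:
            i += 2                         # other two-byte commands (NOP, GA, ...)
    return bytes(out)


def telnet_typed_lines(client_to_server: bytes) -> list:
    """Split the client-to-server keystroke stream into the lines the user entered."""
    text = strip_telnet_iac(client_to_server).decode("ascii", errors="replace")
    # telnet sends end-of-line as CR LF or CR NUL; normalise both
    text = text.replace("\r\n", "\n").replace("\r\x00", "\n")
    return [line for line in text.split("\n") if line != ""]


def telnet_login(client_to_server: bytes):
    """Return (login, password): the first two lines typed at a telnet login prompt."""
    lines = telnet_typed_lines(client_to_server)
    if len(lines) < 2:
        return None
    return lines[0], lines[1]


def ftp_credentials(control_channel: bytes):
    """Return (user, password) from the USER and PASS commands on an FTP control channel."""
    user = password = None
    for raw in control_channel.split(b"\r\n"):
        line = raw.decode("ascii", errors="replace")
        verb, _, arg = line.partition(" ")
        if verb.upper() == "USER":
            user = arg
        elif verb.upper() == "PASS":
            password = arg
    return user, password


# Constructed telnet client->server stream: option negotiation, then the
# login name, the password (not echoed, but still on the wire) and a command.
TELNET_SAMPLE = (
    b"\xff\xfd\x01"                       # IAC DO ECHO
    b"\xff\xfb\x18"                       # IAC WILL TERMINAL-TYPE
    b"\xff\xfa\x18\x00VT100\xff\xf0"      # IAC SB TERMINAL-TYPE IS "VT100" IAC SE
    b"admin\r\n"
    b"p4ssw0rd\r\n"
    b"switchshow\r\n"
)

# Constructed FTP control-channel capture (both directions interleaved).
FTP_SAMPLE = (
    b"220 ftp server ready\r\n"
    b"USER backup\r\n"
    b"331 Password required\r\n"
    b"PASS p4ssw0rd\r\n"
    b"230 Login successful\r\n"
    b"STOR switch-config.txt\r\n"
)

if __name__ == "__main__":
    print("telnet login/password:", telnet_login(TELNET_SAMPLE))
    print("ftp user/password:    ", ftp_credentials(FTP_SAMPLE))
```

Point the same functions at the TCP payload of a real session (for example the client-to-server bytes of a telnet login exported from a packet analyser) and the result is the switch password. This is the exposure that SSH closes for interactive management and that no option closes for FTP, so keep the FTP server for savecore, configupload, configdownload and firmwaredownload on a management network that untrusted hosts cannot reach.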