HP 3PAR InForm OS Common Criteria Administrator's Reference (QL226-96586, October 2012)

15 Operating in Common Criteria Mode
SSH Client Usage
The InForm OS includes an SSH server. The following are Common Criteria-relevant
recommendations for configuring SSH clients and user environments when communicating
with the HP 3PAR Storage System.
The InForm OS supports the following key exchange algorithms for securing the channel:
diffie-hellman-group1-sha1, diffie-hellman-group14-sha1, diffie-hellman-group-exchange-sha1,
and diffie-hellman-group-exchange-sha256. Some clients allow the preferred key exchange
algorithm to be set, or the list of acceptable algorithms to be restricted. If your client
allows this, set it to use diffie-hellman-group-exchange-sha256 or
diffie-hellman-group14-sha1; diffie-hellman-group1-sha1 uses a 1024-bit group and should
not be the preferred choice.
If you use a public/private key pair for authentication with the SSH server, do so only if
you are a local user (see “LDAP Server Configuration” on page 14). The key pair should be
an RSA key of 2048 bits or greater. Private keys on the client side must be adequately
protected, by encrypting the key with a passphrase, by strict file system permissions, or
(preferably) both. Compromise of the private key allows the user to be impersonated.
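The client-side recommendations above, worked through as an added example that is not part of the HP reference: a POSIX shell script that writes an OpenSSH client stanza for the storage system pinning KexAlgorithms to the two recommended exchanges, and checks the private key the stanza points at for owner-only permissions, a passphrase, and RSA key size. The host alias (3par-cc), address (192.0.2.10), user name (3paradm) and key path are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the HP 3PAR reference): write an OpenSSH client stanza for a
# 3PAR system that pins the key exchange to the two recommended algorithms, and audit
# the private key that the stanza points at. Host alias, address, user name and key
# path below are assumptions for illustration.

# $1=output file  $2=Host alias  $3=3PAR address  $4=InForm user  $5=private key path
write_3par_ssh_config() {
  ( umask 077; cat >"$1" <<EOF
Host $2
    HostName $3
    User $4
    IdentityFile $5
    IdentitiesOnly yes
    # Only the exchanges the reference recommends; group1 (1024-bit MODP) is left out.
    KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
EOF
  )
}

# 0 when the first KexAlgorithms directive in $1 prefers a recommended exchange and never
# lists group1. Only the plain "KexAlgorithms a,b" form is handled (not the +/-/^ prefixes).
kex_ok() {
  kex=$(sed -nE 's/^[[:space:]]*[Kk]ex[Aa]lgorithms[[:space:]]+//p' "$1" | head -n 1)
  [ -n "$kex" ] || { echo "$1: no KexAlgorithms directive"; return 1; }
  case ",$kex," in *,diffie-hellman-group1-sha1,*) echo "$1: group1 listed"; return 1 ;; esac
  case "$kex" in
    diffie-hellman-group14-sha1|diffie-hellman-group14-sha1,*|\
    diffie-hellman-group-exchange-sha256|diffie-hellman-group-exchange-sha256,*) return 0 ;;
  esac
  echo "$1: preferred exchange is ${kex%%,*}"; return 1
}

# 0 when $1 has no group/other permission bits (e.g. mode 0600).
key_perm_ok() {
  case "$(ls -ld "$1")" in ????------*) return 0 ;; *) return 1 ;; esac
}

# 0 when the private key in $1 is passphrase-protected. Handles the PEM form
# ("Proc-Type: 4,ENCRYPTED") and the openssh-key-v1 form, whose header names the
# cipher as a length-prefixed string; the name "none" there means no passphrase.
key_encrypted() {
  grep -q '^Proc-Type: 4,ENCRYPTED' "$1" && return 0
  grep -q 'BEGIN OPENSSH PRIVATE KEY' "$1" || return 1
  hdr=$(sed -e '1d' -e '$d' "$1" | tr -d '\n' | base64 -d 2>/dev/null | head -c 30 | tr -c '[:alnum:]' ' ')
  [ -n "$hdr" ] || return 1
  case " $hdr " in *" none "*) return 1 ;; *) return 0 ;; esac
}

# 0 when ssh-keygen reports an RSA key of at least 2048 bits; 2 when ssh-keygen is absent.
key_bits_ok() {
  command -v ssh-keygen >/dev/null 2>&1 || return 2
  out=$(ssh-keygen -l -f "$1") || return 1
  case "$out" in *"(RSA)") [ "${out%% *}" -ge 2048 ] ;; *) return 1 ;; esac
}

# Demonstration with assumed paths.
key=${HOME:-.}/.ssh/id_rsa_3par
demo_dir=$(mktemp -d)
write_3par_ssh_config "$demo_dir/config" 3par-cc 192.0.2.10 3paradm "$key"
kex_ok "$demo_dir/config" && echo "config: key exchange OK"
rm -r "$demo_dir"
if [ -f "$key" ]; then
  key_perm_ok "$key"   || echo "$key: readable by others; run chmod 600 on it"
  key_encrypted "$key" || echo "$key: not passphrase-protected; run ssh-keygen -p -f $key"
  key_bits_ok "$key"   || echo "$key: not an RSA key of 2048 bits or more (or ssh-keygen missing)"
else
  echo "$key: not present; generate with: ssh-keygen -t rsa -b 4096 -f $key"
fi
```

Copy the generated stanza into ~/.ssh/config (or pass it with ssh -F) and run the key checks against the identity file it names; a key that fails key_encrypted should be given a passphrase with ssh-keygen -p before it is used against the storage system.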
CLI Password Protection
As with public/private key pairs for SSH authentication, a user’s password must be
protected. The setpassword CLI command includes options for saving the encrypted
password in a local file on the client side. If this file is not adequately protected and is
compromised, the user can be impersonated.
Similarly, when scripting CLI usage, use the user, password and pwfile operands
with caution so that the plaintext or encrypted password is not exposed through the
script. Items to be particularly aware of are:
Using the password operand requires the encrypted password to be placed on the
command line in the script. This exposes the encrypted password, since anyone who can
run the script can normally also read it.
Using the pwfile operand is a safer alternative to password. However, anyone who
can execute a script containing pwfile must also be able to read the target of pwfile,
so the encrypted password is again exposed to every user who can run the script.
Lastly, if using interactive command line invocations with the password operand, take
care to protect the shell’s command history, since the encrypted password is recorded
in it. If the history file is readable by others, the encrypted password can easily be
compromised.
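An audit for the three exposures above (password operand in a script, a pwfile readable by others, and the encrypted password in shell history), added here as an example that is not part of the HP reference: a POSIX shell script that scans a script or history file for the password operand and checks that every pwfile target is owner-only. The CLI command name cli and the spelling of the operands as -password and -pwf are assumptions about the CLI syntax; the history line and script it runs against are constructed sample input.

```shell
#!/bin/sh
# Added example (not from the HP 3PAR reference): audit scripts and shell history files
# for the credential exposures described above. The CLI syntax matched here,
# "-password <encrypted-password>" and "-pwf <file>", is an assumption about how the
# password and pwfile operands are spelled; adjust the patterns if your CLI differs.

# 0 when $1 is a regular file owned by the caller with no group/other permission bits.
owner_only() {
  [ -f "$1" ] || return 1
  set -- "$1" $(ls -ldn "$1")         # $2 = mode string, $4 = numeric owner
  [ "$4" = "$(id -u)" ] || return 1
  case "$2" in ????------*) return 0 ;; *) return 1 ;; esac
}

# Report findings for one script or history file; returns 1 if anything was found.
audit_cli_file() {
  f=$1; rc=0
  # (1) -password on a command line: the encrypted password is readable by anyone who
  #     can read the script or the history file.
  lines=$(grep -nE -- '-password[[:space:]]+[^[:space:]]' "$f" | cut -d: -f1 | tr '\n' ' ')
  if [ -n "$lines" ]; then
    echo "$f: -password operand on line(s) $lines(encrypted password exposed)"; rc=1
  fi
  # (2) -pwf targets: anyone who can run the script must be able to read the file, so at
  #     minimum it must be owner-only and owned by the account that runs the script.
  for pw in $(sed -nE 's/.*-pwf[[:space:]]+([^[:space:]]+).*/\1/p' "$f"); do
    owner_only "$pw" || { echo "$f: pwfile $pw is missing or readable by others"; rc=1; }
  done
  return $rc
}

# Demonstration on constructed input: a fake history line and a fake backup script.
tmp=$(mktemp -d)
echo 'cli -sys 3par01 -user 3paradm -password EncPwValue showsys' > "$tmp/history"
( umask 077; echo 'EncPwValue' > "$tmp/pwfile" )      # owner-only from the first write
echo "cli -sys 3par01 -user 3paradm -pwf $tmp/pwfile showsys" > "$tmp/backup.sh"
audit_cli_file "$tmp/history" || echo "history: exposure found (see above)"
audit_cli_file "$tmp/backup.sh" && echo "backup.sh: OK"
rm -r "$tmp"
# (3) the same scan applies to real history files, e.g.: audit_cli_file ~/.bash_history
```

Create the pwfile with umask 077 in effect, as the demonstration does, so that it is owner-only from creation rather than relying on a later chmod; and scan the shell history file of every account that has run the CLI interactively with the password operand.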