White Papers

PAGE 15 OF 17
SSH Security
The SSH service is enabled by default on DRAC 4, and the RACADM CLI can be run over SSH. The
SSH service can be disabled using a DRAC 4 configuration setting. DRAC 4 only supports SSH
version 2.
DRAC 4 supports the DSA and RSA host key algorithms. A unique 1024-bit DSA host key and a
unique 1024-bit RSA host key are generated the first time a DRAC 4 is powered on.
DRAC 4 SSH supports:
The SHA-1 and MD5 hash algorithms
The diffie-hellman-group1-sha1 key exchange algorithm
The DSA public key (asymmetric encryption) algorithm
3DES-CBC, RC4, AES-128, AES-192, AES-256 symmetric encryption
DRAC 4 SSH only supports password user authentication.
SNMP Security
An SNMP agent runs on a DRAC 4 by default. The DRAC 4 SNMP agent is used by Dell
OpenManage™ IT Assistant or other management frameworks to discover the DRAC 4 out-of-band
service point, such as the web GUI URL. DRAC 4 only supports SNMP version 1. Since
SNMP version 1 does not encrypt data and does not have a strong authentication protocol,
there could be security concerns about data leaking from DRAC 4 (for example, the service
tag of a system or the IP address of the DRAC 4).
Note: Dell strongly recommends using one of the following options to protect the DRAC 4
card from these concerns:
If the DRAC 4 SNMP agent is not being used in your environment, administrators
can disable the DRAC 4 SNMP service.
Administrators can change the DRAC 4 SNMP community name to secure the SNMP service. The
default DRAC 4 SNMP community name is “public.”
Virtual Media Security
Virtual media is a powerful remote access feature that allows a remote user to make a
CD, floppy, or image file on the client side available to the managed system through the network.
Administrators can use this feature for various administrative tasks such as remote operating
system installation, remote diagnostics, remote driver/application software installation, and so on.
An authentication protocol protects the virtual media connection. When a user logs into the
DRAC 4 web server over HTTPS with the virtual media privilege and selects the virtual media
tab, or uses the VMCLI utility, a connection request command is sent to the DRAC 4 firmware.
The DRAC 4 firmware responds by sending a set of virtual media configuration information along
with an authentication key over the HTTPS (SSL encrypted) channel. The authentication key is
randomly generated and is 16 bytes long. To prevent replay attacks, the authentication key is a
one-time key with a limited lifetime. If the key passes authentication at the virtual media
server, a virtual media session is established. If it does not pass, an authentication failure
message is sent back to the client and the connection is dropped.
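The one-time, time-limited key check described above, written out as an added example (not DRAC 4 firmware code). The 16-byte key length comes from the text; the key lifetime, the session identifier and the class and function names are assumptions. The key is consumed on the first verification attempt, so a replayed key or an expired key is rejected.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

KEY_LEN = 16              # 16-byte random authentication key, as the paper states
DEFAULT_LIFETIME = 60.0   # assumed lifetime in seconds; the paper gives no value


@dataclass
class _PendingKey:
    key: bytes
    expires_at: float


class VirtualMediaAuthenticator:
    """Issues one-time keys over the (already authenticated) HTTPS channel and
    verifies them exactly once when the virtual media client connects."""

    def __init__(self, lifetime=DEFAULT_LIFETIME, clock=time.monotonic):
        self.lifetime = lifetime
        self.clock = clock            # injectable so expiry can be tested deterministically
        self._pending = {}            # session_id -> _PendingKey

    def issue_key(self, session_id):
        """Generate a fresh random key for one web session; any earlier key is replaced."""
        key = secrets.token_bytes(KEY_LEN)
        self._pending[session_id] = _PendingKey(key, self.clock() + self.lifetime)
        return key

    def authenticate(self, session_id, presented):
        """Return True once for the correct, unexpired key; False otherwise.
        The key is removed on the first attempt whether or not it matched, so a
        replay of a used key (or a guessing loop on one key) cannot succeed."""
        pending = self._pending.pop(session_id, None)
        if pending is None:
            return False              # no outstanding key, or already consumed
        if self.clock() > pending.expires_at:
            return False              # lifetime exceeded
        return hmac.compare_digest(pending.key, presented)   # constant-time compare


def demo():
    """Constructed scenario: a valid use, then a replay of the same key."""
    auth = VirtualMediaAuthenticator(lifetime=30.0)
    key = auth.issue_key("web-session-1")
    first = auth.authenticate("web-session-1", key)
    replay = auth.authenticate("web-session-1", key)
    return {"key_len": len(key), "first": first, "replay": replay}
```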
To keep a virtual media operation running while still enforcing session idle timeout, DRAC 4
locks the web session when a virtual media operation is in progress and the web session times
out. The user must re-authenticate to unlock the web session after the timeout. The virtual
media operation is not interrupted during the lock-out period.