Reference Guide

SSH Management: An SSH settings page that you can access from the PowerStore Manager (click Settings and under Security select SSH Management).
REST API server: Application interface that can receive REST API requests to configure SSH settings. For more information about the REST API, refer to the PowerStore REST API Reference Guide.
svc_service_config: A service command that you can enter directly as the service user on the appliance. For more information about this command, refer to the PowerStore Service Scripts Guide.
To determine the status of SSH on appliances within a cluster, in the PowerStore Manager, click Settings and under Security
select SSH Management. You can also enable or disable SSH on one or more appliances that you select.
Once the SSH service has been successfully enabled, use any SSH client to log in to the appliance IP address. Accessing the
appliance requires service user credentials.
The service account enables users to perform the following functions:
- Perform specialized appliance service scripts for monitoring and troubleshooting appliance system settings and operations.
- Operate only a limited set of commands that are assigned as a member of a non-privileged Linux user account in restricted shell mode. This account does not have access to proprietary system files, configuration files, or user or customer data.
For maximum appliance security, it is recommended to leave the external SSH service interface disabled at all times unless it is
specifically needed to perform service operations on the appliance. After performing the necessary service operations, disable
the SSH interface to ensure that the appliance remains secure.
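One way to check this recommendation across a cluster, as an added example that is not from the PowerStore documentation: it probes each appliance's management address for an SSH identification string and flags any appliance that answers outside an approved service window. The appliance names, TEST-NET addresses, window format and function names are assumptions made for the illustration.

```python
import socket
from datetime import datetime, timezone

def parse_ident(data):
    """Return the RFC 4253 identification line ("SSH-...") from raw bytes, or None."""
    for line in data.splitlines():
        if line.startswith(b"SSH-"):
            return line.strip().decode("ascii", "replace")
    return None

def probe_ssh(host, port=22, timeout=3.0):
    """Return the SSH identification string if the service answers, else None."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            return parse_ident(s.recv(255))
    except OSError:
        return None  # refused, filtered or timed out: SSH interface not reachable

def in_window(now, windows):
    """True if `now` falls inside any approved (start, end) service window."""
    return any(start <= now <= end for start, end in windows)

def audit(appliances, windows, now=None, probe=probe_ssh):
    """Flag appliances whose SSH interface answers outside an approved window.

    appliances: {name: management IP}; windows: {name: [(start, end), ...]}.
    """
    now = now or datetime.now(timezone.utc)
    findings = []
    for name, ip in sorted(appliances.items()):
        banner = probe(ip)
        if banner is None:
            status = "not-reachable"        # expected resting state
        elif in_window(now, windows.get(name, [])):
            status = "enabled-approved"     # service work in progress
        else:
            status = "enabled-UNAPPROVED"   # should have been disabled again
        findings.append((name, ip, status, banner))
    return findings

if __name__ == "__main__":
    # Constructed inventory (TEST-NET-1 addresses) and one approved service window.
    appliances = {"appliance-1": "192.0.2.10", "appliance-2": "192.0.2.11"}
    windows = {"appliance-1": [(datetime(2024, 1, 10, 9, tzinfo=timezone.utc),
                                datetime(2024, 1, 10, 11, tzinfo=timezone.utc))]}
    for name, ip, status, banner in audit(appliances, windows):
        print(f"{name} {ip} {status} {banner or '-'}")
```

A "not-reachable" result only shows that port 22 did not answer from the auditing host; confirm the actual setting on the SSH Management page.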
SSH sessions
The PowerStore SSH service interface sessions are maintained according to the settings established by the SSH client. Session
characteristics are determined by the SSH client configuration settings.
Service account password
The service account is an account that service personnel can use to perform basic Linux commands.
During initial configuration of the appliance, you must change the default service password. The service password restrictions
are the same as those that apply to the System management accounts (see Username and password usage on page 7).
SSH authorization
Service account authorization is based on the following:
- Application isolation: PowerStore software uses container technology that provides application isolation. Appliance service access is provided by the service container; only a set of service scripts and a set of Linux commands are available. The service account does not have the ability to access other containers which serve file system and block I/O to users.
- Linux file system permissions: Most Linux tools and utilities that modify system operation in any way are not available to the service user because they require superuser account privileges. Since the service account does not have such access rights, the service account cannot use Linux tools and utilities to which it does not have execute permissions and cannot edit configuration files that require root access to read or modify, or both.
- Access controls: Besides application isolation provided by container technology, the access control list (ACL) mechanism on the appliance uses a list of very specific rules to explicitly grant or deny access to system resources by the service account. These rules specify service account permissions to other areas of the appliance that are not otherwise defined by standard Linux file system permissions.
Appliance service scripts
A set of problem diagnostic, system configuration, and system recovery scripts are installed on the appliance's software version.
These scripts provide an in-depth level of information and a lower level of system control than is available through PowerStore
Manager. The PowerStore Service Scripts Guide describes these scripts and their common use cases.