Secure The Ssh/Sftp Service; Supported Ssh/Sftp Accounts; Ssh/Sftp Authentication; Table 6-8: Security Keys - ABB RMC-100 User Manual

6.7

Secure the SSH/SFTP service

RMC devices implement the Secure Shell (Secure Shell, SSH) and Secure File Transfer Protocol
(Secure File Transfer Protocol, SFTP) service. This provides secure shell login access and file transfer
capability from a client PC or laptop.
SSH and SFTP provides secure access, instead of the unsecured access of Telnet and FTP in earlier
device generations.
SSH/SFTP communication is client-server based. The SSH/SFTP server is implemented in the Totalflow
device. The SSH/SFTP client is implemented in third-party software on the computer that
communicates with the device.
When the SSH/SFTP service is enabled, the SSH/SFTP server initializes and enters listening mode.
When the server is in listening mode, it can process requests for connection from SSH/SFTP clients.
The service grants connections only to properly authenticated clients.
6.7.1

Supported SSH/SFTP accounts

The table below lists the three SSH/SFTP accounts. Customers can access the Totalflow-user account,
which is read-only. The developer and tech-support accounts are only available to ABB personnel for
service and troubleshooting, or to advanced users and cybersecurity managers who want to generate
private keys to replace factory default keys.
IMPORTANT NOTE: Call ABB Customer Support on the last page of this manual to request
Totalflow-user account default private keys. See the SSH and SFTP service overview topic in PCCU
online help for instructions to establish read-only SFTP connections.

Table 6-8: Security keys

Account Access
Name privileges
Totalflow- Only SFTP
user access
(Read-only)
Developer Full SSH/SFTP
access
(Read-write)
Tech support Full SSH/SFTP
access
(Read-write)
6.7.2

SSH/SFTP authentication

Session keys encrypt the communication between the client and the SSH/SFTP server to provide
security. Authentication requires specific private-public key pairs for the type of access. ABB provides
default private keys and passphrases to customers upon request. ABB stores the default public keys at
the factory in a protected storage location on the device's flash. They remain unchanged by updates of
any of the device software components.
To request a connection to the SSH/SFTP service, provide the private key and passphrase. The service
compares the private key with the public key stored in the Totalflow device. If the keys pair correctly,
the connection is successful.
IMPORTANT NOTE: Private keys do not ship with the product or user interface software. ABB
keeps the keys and credentials safely stored. Request keys for SSH/SFTP access. Enable the service
only if necessary.
1 1 0 | R MC-1 00 | 2 10 5 55 2MN A E
Default keys Access
Totalflow-user The following folders and their contents are available
private key for download:
–
–
–
–
Developer All file system
private key
Tech support All file system
private key
Crash Dumps
Flash: Main Totalflow application (App), Factory
configuration, Startup (cold) configuration
Logs: System and device loader log files
tfData: Running (warm) configuration files