SSH Tectia

Defining Server Authentication

Under Server Authentication, you can define server authentication settings as described in Managing Host Keys, Managing CA Certificates, and Managing LDAP Server Settings.

Managing Host Keys

On the Host Keys page, you can view and manage the known public host keys used in server authentication.

Defining server host keys settings

Figure 4.29. Defining server host keys settings

Check for Host Key

You can check if a public host key of a server exists on your client, and view its fingerprint. To check the host key, enter the name of the server in the Host field and the listener port number in the Port field, and click Check.

Note that wildcard characters are not allowed.

A dialog box shows the location of the host key file and the fingerprint of the public key in the SSH Babble format: a series of pronounceable five-letter lower-case words separated by dashes. Compare this fingerprint with the one the server administrator has published through a trusted channel before you rely on the key. See an example below.

Server public host key information

Figure 4.30. Server public host key information

For more information on server host keys, see Server Authentication with Public Keys.
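The following is an added example, not code from the Tectia manual or product: it computes an SSH Babble fingerprint from an OpenSSH-format public key line so that the value the Check dialog shows can be compared with a fingerprint obtained out of band. The encoding is the Bubble Babble scheme (the one OpenSSH implements for ssh-keygen -B), applied to the SHA-1 digest of the wire-format key blob. That this digest input is the one Tectia displays is an assumption; confirm it once against a key whose fingerprint the dialog has shown you. The sample key line is constructed and is not a real key.

```python
# Added example, not from the Tectia manual: SSH Babble (Bubble Babble)
# fingerprint of an OpenSSH-format public key line.
import base64
import hashlib
import struct

VOWELS = "aeiouy"
CONSONANTS = "bcdfghklmnprstvzx"


def bubble_babble(data: bytes) -> str:
    """Bubble Babble encoding (A. Huima), as OpenSSH implements it for 'ssh-keygen -B'.

    Output is 'x' + five-letter words separated by '-' + 'x'. A running
    checksum ('seed') mixes each byte pair into the vowels of the next word,
    so a single changed byte alters every later word.
    """
    n = len(data)
    rounds = n // 2 + 1
    seed = 1
    out = ["x"]
    for i in range(rounds):
        if i + 1 < rounds or n % 2 == 1:
            b0 = data[2 * i]
            out.append(VOWELS[(((b0 >> 6) & 3) + seed) % 6])
            out.append(CONSONANTS[(b0 >> 2) & 15])
            out.append(VOWELS[((b0 & 3) + seed // 6) % 6])
            if i + 1 < rounds:          # a full byte pair is available
                b1 = data[2 * i + 1]
                out.append(CONSONANTS[(b1 >> 4) & 15])
                out.append("-")
                out.append(CONSONANTS[b1 & 15])
                seed = (seed * 5 + b0 * 7 + b1) % 36
        else:                           # even length: final word comes from the seed alone
            out.append(VOWELS[seed % 6])
            out.append(CONSONANTS[16])  # 'x'
            out.append(VOWELS[seed // 6])
    out.append("x")
    return "".join(out)


def parse_openssh_pubkey(line: str):
    """Split '<type> <base64> [comment]' and return (type, wire-format key blob).

    The blob starts with a length-prefixed type string that must repeat the
    first field; anything else is a malformed or tampered key line.
    """
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64-blob> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (tlen,) = struct.unpack(">I", blob[:4])
    blob_type = blob[4:4 + tlen].decode("ascii", errors="replace")
    if tlen > len(blob) - 4 or blob_type != fields[0]:
        raise ValueError(f"key type mismatch: {fields[0]!r} vs {blob_type!r}")
    return blob_type, blob


def babble_fingerprint(blob: bytes) -> str:
    """SHA-1 of the wire-format blob, Bubble Babble encoded (what 'ssh-keygen -B' prints).

    ASSUMPTION: Tectia's dialog fingerprints the same input. Verify once.
    """
    return bubble_babble(hashlib.sha1(blob).digest())


def fingerprints_match(shown: str, computed: str) -> bool:
    """Only case and surrounding whitespace are normalised; nothing else is forgiven."""
    return shown.strip().lower() == computed.strip().lower()


def sample_key_line() -> str:
    """Constructed sample, NOT a real key: an ssh-ed25519 wire blob with a dummy point."""
    point = bytes(range(32))
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + point
    return "ssh-ed25519 " + base64.b64encode(blob).decode("ascii") + " sample@example.com"


if __name__ == "__main__":
    key_type, key_blob = parse_openssh_pubkey(sample_key_line())
    print(key_type, babble_fingerprint(key_blob))
```

A 20-byte SHA-1 digest always encodes to eleven five-letter words, which is the shape the dialog shows; if the value you were given has a different word count it is a different fingerprint format (for example a hex MD5 or a base64 SHA-256), not a mismatch of the key.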

Add Host Key

Click the Add User Key button to add new host keys to your own user-specific host key directory. Use the Add Global Key button to add new host keys to the directory common to all users on your computer. The Connection Broker opens a file manager view where you can browse to the appropriate location and select the key you want to copy to the host key directory.

Delete Host Key

To delete the public key of a server, enter the name of the server in the Host field and the listener port number in the Port field, and click Delete.

A dialog box asks you to confirm or cancel the deletion of the host key.

Host Key Options

Select the Strict host key checking check box to specify that host keys are NOT saved to the host key directory upon connection and that a connection is refused automatically if the server's host key has changed. When Strict host key checking is disabled (the default), SSH Tectia ConnectSecure logs warnings about changed and new host public keys, with their fingerprints, in the Event Viewer.

Select the Accept unknown host keys check box to define that new host keys are accepted and saved without prompting the user for acceptance. Note however that changed host keys are accepted for the current connection only, and not saved to the host key database. A warning message is displayed when a changed host key is offered. Information is logged about all accepted host keys.

[Caution]Caution

Consider carefully before enabling Accept unknown host keys. Accepting a key that has never been verified removes the only protection the first connection to a host has against a man-in-the-middle attacker, who can present a key of their own and have it saved as the genuine one.

Select the Always show host key prompt check box to define that the user will always be prompted for host key acceptance, even when the host key is known.

The host key options are disabled by default.
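The following is an added example and not Tectia's code: it models the accept, refuse or prompt decision that the three host key options describe, as a pure function over an in-memory stand-in for the host key directory, so the combinations can be tabulated and tested. Two points the text does not spell out are assumptions here: precedence when several options are set (strict wins, then always-prompt, then accept-unknown), and the treatment of an unknown key under strict checking (the user is asked, and the key is never saved). The hosts, ports and fingerprints are constructed.

```python
# Added example, not Tectia's code: host key acceptance policy as a pure function.
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Tuple


class Decision(Enum):
    ACCEPT = "accept"   # proceed with the connection
    REFUSE = "refuse"   # drop the connection
    PROMPT = "prompt"   # ask the user before proceeding


@dataclass
class HostKeyOptions:
    strict: bool = False          # Strict host key checking
    accept_unknown: bool = False  # Accept unknown host keys
    always_prompt: bool = False   # Always show host key prompt


@dataclass
class HostKeyStore:
    """Stand-in for the host key directory: (host, port) -> fingerprint."""
    keys: Dict[Tuple[str, int], str] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)   # stand-in for the Event Viewer

    def lookup(self, host: str, port: int):
        return self.keys.get((host.lower(), port))

    def save(self, host: str, port: int, fingerprint: str) -> None:
        self.keys[(host.lower(), port)] = fingerprint
        self.log.append(f"saved host key for {host}:{port}: {fingerprint}")


def evaluate_host_key(store, opts, host, port, offered_fp):
    """Return (decision, save_if_accepted) for the key a server just offered."""
    known_fp = store.lookup(host, port)
    if known_fp is not None and known_fp != offered_fp:
        # Changed key: the dangerous case. Never silently persisted.
        store.log.append(f"WARNING: changed host key for {host}:{port}: {offered_fp}")
        if opts.strict:
            return Decision.REFUSE, False
        if opts.accept_unknown and not opts.always_prompt:
            return Decision.ACCEPT, False       # this connection only, not saved
        return Decision.PROMPT, False
    if known_fp is None:
        store.log.append(f"WARNING: new host key for {host}:{port}: {offered_fp}")
        save = not opts.strict                  # ASSUMPTION: strict never writes the store
        if opts.accept_unknown and not opts.always_prompt:
            return Decision.ACCEPT, save
        return Decision.PROMPT, save
    # Known and unchanged.
    return (Decision.PROMPT if opts.always_prompt else Decision.ACCEPT), False


def connect(store, opts, host, port, offered_fp, user_accepts=False) -> bool:
    """Drive one connection attempt; True means the session may proceed.

    `user_accepts` stands in for the answer given at the host key prompt.
    """
    decision, save = evaluate_host_key(store, opts, host, port, offered_fp)
    if decision is Decision.REFUSE:
        return False
    if decision is Decision.PROMPT and not user_accepts:
        return False
    if save:
        store.save(host, port, offered_fp)
    store.log.append(f"accepted host key for {host}:{port}: {offered_fp}")
    return True


if __name__ == "__main__":
    store = HostKeyStore()
    for opts in (HostKeyOptions(), HostKeyOptions(accept_unknown=True),
                 HostKeyOptions(strict=True), HostKeyOptions(always_prompt=True)):
        print(opts, evaluate_host_key(store, opts, "tower.example.com", 22, "fp-constructed"))
```

The changed-key branch is the one worth reading twice: with Accept unknown host keys set, a changed key is used for the current connection but the stored key is left untouched, so the next connection warns again rather than having quietly adopted the new key.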

Managing CA Certificates

On the Certificates page, you can manage trusted CA certificates.

For more information on server certificate authentication, see Server Authentication with Certificates.

Defining CA certificates

Figure 4.31. Defining CA certificates

The following fields are displayed on the CA certificate list:

  • Issued to: The certification authority to whom the certificate has been issued.

  • Issued by: The entity who has issued the CA certificate.

  • Expiration date: The date that the CA certificate will expire.

  • Filename: The file containing the CA certificate.

CRL Checking

Select the Disable check box to prevent the use of a certificate revocation list (CRL). A CRL is used to check if any of the used server certificates have been revoked.

[Note]Note

Disabling CRL checking is a security risk and should be done for testing purposes only.

OCSP responder URL

The OCSP Responder Service gives client applications a single point of contact for retrieving real-time information on the validity status of certificates using the Online Certificate Status Protocol (OCSP).

For OCSP validation to succeed, the end-entity certificate (that of the Secure Shell server) and the OCSP responder certificate must be issued by the same CA. An OCSP responder URL carried in the certificate's Authority Information Access extension is used only when no OCSP responders have been configured; as soon as any responder is configured, the URL in the certificate is ignored.

If an OCSP responder is defined in the configuration file or in the certificate, it is tried first; only if it fails, traditional CRL checking is tried, and if that fails, the certificate validation returns a failure.
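The following is an added example and not Tectia's code: it implements the source selection and fallback order the two paragraphs above describe, with responders and CRLs represented by in-memory tables so the order can be exercised offline. One reading is applied that the text leaves implicit: an OCSP answer of "revoked" is a final answer and does not fall through to the CRL; only a responder that cannot answer (unreachable, or not issued by the end-entity's CA) counts as a failure. The CA name, URLs and serial numbers are constructed.

```python
# Added example, not Tectia's code: OCSP-then-CRL revocation check order.
from enum import Enum


class Status(Enum):
    GOOD = "good"                 # definitive answer: not revoked
    REVOKED = "revoked"           # definitive answer: revoked
    UNAVAILABLE = "unavailable"   # no source could answer: validation fails
    UNCHECKED = "unchecked"       # revocation checking disabled: no answer at all


def ocsp_responders_to_use(configured_urls, aia_urls):
    """Configured responders replace the certificate's AIA responder; the AIA
    URL is consulted only when nothing is configured."""
    return list(configured_urls) if configured_urls else list(aia_urls)


def query_ocsp(responder, cert):
    """One responder lookup. Returns a Status, or None if the responder cannot
    be used (down, or its certificate was not issued by the end-entity's CA)."""
    if not responder["up"] or responder["issuer"] != cert["issuer"]:
        return None
    return Status.REVOKED if cert["serial"] in responder["revoked"] else Status.GOOD


def check_revocation(cert, configured_ocsp, responders, crls, crl_checking=True):
    """OCSP first; CRL only if every OCSP attempt failed; failure if no CRL either.

    cert:        {"serial", "issuer", "aia_ocsp": [urls], "crl_dp": [urls]}
    responders:  {url: {"issuer": CA, "up": bool, "revoked": {serials}}}
    crls:        {url: {"issuer": CA, "revoked": {serials}}}; a missing url is a failed fetch
    Returns (Status, source_description).
    """
    for url in ocsp_responders_to_use(configured_ocsp, cert["aia_ocsp"]):
        responder = responders.get(url)
        if responder is None:
            continue
        status = query_ocsp(responder, cert)
        if status is not None:
            return status, f"ocsp:{url}"          # a definitive answer ends the search
    if not crl_checking:
        return Status.UNCHECKED, "crl-checking-disabled"
    for url in cert["crl_dp"]:
        crl = crls.get(url)
        if crl is None or crl["issuer"] != cert["issuer"]:
            continue
        status = Status.REVOKED if cert["serial"] in crl["revoked"] else Status.GOOD
        return status, f"crl:{url}"
    return Status.UNAVAILABLE, "no usable OCSP responder or CRL"


def certificate_acceptable(status, accept_unchecked=False):
    """Only a positive GOOD answer passes; UNCHECKED passes only if the caller
    explicitly accepts the risk of running with CRL checking disabled."""
    return status is Status.GOOD or (status is Status.UNCHECKED and accept_unchecked)


# Constructed sample data, not real infrastructure. The OCSP responder already
# knows serial 0x1001 is revoked while the published CRL is stale and does not.
SERVER_CERT = {
    "serial": 0x1001,
    "issuer": "CN=Example Corp CA",
    "aia_ocsp": ["http://ocsp.example.com"],
    "crl_dp": ["http://crl.example.com/ca.crl"],
}
RESPONDERS = {
    "http://ocsp.example.com": {"issuer": "CN=Example Corp CA", "up": True, "revoked": {0x1001}},
    "http://ocsp-internal.example.com": {"issuer": "CN=Example Corp CA", "up": False, "revoked": set()},
    "http://ocsp.other.example": {"issuer": "CN=Other CA", "up": True, "revoked": set()},
}
CRLS = {
    "http://crl.example.com/ca.crl": {"issuer": "CN=Example Corp CA", "revoked": set()},
}

if __name__ == "__main__":
    for configured in ([], ["http://ocsp-internal.example.com"], ["http://ocsp.other.example"]):
        print(configured, check_revocation(SERVER_CERT, configured, RESPONDERS, CRLS))
```

The sample data is chosen to show the cost of a configured responder that is down: with nothing configured the AIA responder reports the certificate revoked, but configuring an unreachable internal responder hides the AIA URL, the check falls back to the stale CRL, and the revoked certificate passes.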

Enable endpoint identity check

Specifies whether the client will verify the server's hostname or IP address against the Subject Name or Subject Alternative Name (DNS Address) specified in the server host certificate. By default, Enable endpoint identity check is enabled.

If this check box is not selected, the fields in the server host certificate are not verified and the certificate is accepted based on the validity period and CRL check only.

[Caution]Caution

Disabling the endpoint identity check on the client is a security risk: the client then accepts any valid certificate from the trusted CA regardless of the name in it, so anyone holding a certificate issued by the same CA that issues the server host certificates can impersonate the server and mount a man-in-the-middle attack on the connection.

Enable DOD PKI compliancy

Select this check box to require that the certificates comply with the DoD PKI (US Department of Defense Public Key Infrastructure).

Endpoint domain

Specify the default domain used in the endpoint identity check. It is the domain part of the remote system name, appended when the user gives only the base (host) part of the name.

If the default domain is not specified, the endpoint identity check fails when, for example, a user connects to host "tower" by its short name while the certificate contains the full DNS name "tower.example.com".
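The following is an added example and not Tectia's code: the endpoint identity check as a pure function over names already extracted from the server certificate, covering the short-name case above. The matching rules (case-insensitive DNS comparison with trailing dots ignored, IP literals matched only against SAN IP entries, the subject CN consulted only when the SAN carries no DNS name, wildcard names not matched) are standard practice and my assumption of the client's behaviour, not taken from the manual. All names and addresses are constructed.

```python
# Added example, not Tectia's code: endpoint identity check with Endpoint domain completion.
import ipaddress


def _is_ip_literal(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def _normalise_dns(name: str) -> str:
    """DNS names compare case-insensitively; a trailing dot is not significant."""
    return name.strip().rstrip(".").lower()


def endpoint_identity_check(target, san_dns=(), san_ip=(), subject_cn=None, endpoint_domain=None):
    """Return (ok, reason) for connecting to `target` with a certificate that
    carries the given SAN DNS names, SAN IP addresses and subject CN."""
    if _is_ip_literal(target):
        wanted = ipaddress.ip_address(target)
        for ip in san_ip:
            if ipaddress.ip_address(ip) == wanted:
                return True, f"matched SAN IP {ip}"
        return False, "IP address not present in the certificate's SAN IP entries"

    # DNS names come from the SAN; the subject CN is a fallback only when the SAN has none.
    cert_names = [_normalise_dns(n) for n in san_dns]
    if not cert_names and subject_cn:
        cert_names = [_normalise_dns(subject_cn)]

    candidates = [_normalise_dns(target)]
    short_name = "." not in candidates[0]
    if short_name and endpoint_domain:
        # Endpoint domain: complete "tower" to "tower.example.com" before comparing.
        candidates.append(candidates[0] + "." + _normalise_dns(endpoint_domain).lstrip("."))

    for candidate in candidates:
        if candidate in cert_names:          # exact match only; wildcards are not expanded
            return True, f"matched {candidate}"
    if short_name and not endpoint_domain:
        return False, "short hostname given and no Endpoint domain configured"
    return False, f"none of {candidates} present in certificate names {cert_names}"


if __name__ == "__main__":
    cert_dns = ["tower.example.com"]          # constructed certificate contents
    print(endpoint_identity_check("tower", cert_dns))
    print(endpoint_identity_check("tower", cert_dns, endpoint_domain="example.com"))
```

The failing reason strings are the useful part operationally: "short hostname given and no Endpoint domain configured" points straight at the setting above, whereas a name mismatch with a full name present points at the certificate or at the name the user typed.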

HTTP proxy URL

Specify the HTTP proxy used when making LDAP or OCSP queries for certificate validity.

The format of the address is "http://username@proxy_server:port/network/netmask,network/netmask...". The network/netmask part is optional and lists the network(s) that are reached directly (without the proxy).

SOCKS server URL

Specify the SOCKS server used when making LDAP or OCSP queries for certificate validity.

The format of the address is "socks://username@socks_server:port/network/netmask,network/netmask...". The network/netmask part is optional and lists the network(s) that are reached directly (without the SOCKS server).
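The following is an added example and not Tectia's code: a parser for the proxy address format given for both the HTTP proxy URL and the SOCKS server URL fields, and a helper that decides whether a given LDAP or OCSP server address is reached directly or through the proxy. The split on "/" after the authority and on "," between networks follows the format string literally; accepting a netmask written as a prefix length as well as in dotted form is an assumption. Hosts, ports and networks are constructed.

```python
# Added example, not Tectia's code: parse "scheme://username@server:port/net/mask,net/mask..."
import ipaddress
from urllib.parse import urlsplit


def parse_proxy_url(url: str) -> dict:
    """Return scheme, username, host, port and the list of bypass networks."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "socks"):
        raise ValueError(f"unsupported proxy scheme: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("proxy host missing")
    bypass = []
    # Everything after the authority is the optional, comma-separated network list.
    for item in filter(None, parts.path.lstrip("/").split(",")):
        network, _, mask = item.partition("/")
        if not mask:
            raise ValueError(f"network {item!r} lacks a netmask")
        # ip_network accepts both "255.0.0.0" and "8" as the mask; strict=False
        # tolerates host bits set in the network part.
        bypass.append(ipaddress.ip_network(f"{network}/{mask}", strict=False))
    return {
        "scheme": parts.scheme,
        "username": parts.username,   # no password in this format, by design
        "host": parts.hostname,
        "port": parts.port,           # None if the URL carries no port
        "bypass": bypass,
    }


def route(proxy: dict, target_ip: str) -> str:
    """'direct' if the target falls in a bypass network, otherwise 'proxy'.

    Needs the resolved address of the LDAP/OCSP server: a hostname cannot be
    compared with a network, so resolve first and decide on the result.
    """
    addr = ipaddress.ip_address(target_ip)
    return "direct" if any(addr in net for net in proxy["bypass"]) else "proxy"


if __name__ == "__main__":
    p = parse_proxy_url("http://alice@proxy.example.com:3128/10.0.0.0/255.0.0.0,192.168.1.0/24")
    print(p)
    for ip in ("10.1.2.3", "192.168.1.77", "203.0.113.9"):
        print(ip, route(p, ip))
```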

Managing LDAP Server Settings

On the LDAP Servers page, you can define LDAP servers used for fetching CRLs and/or subordinate CA certificates based on the issuer name of the certificate being validated.

CRLs are automatically retrieved from the CRL distribution point defined in the certificate to be verified if the point exists.

Defining LDAP servers

Figure 4.32. Defining LDAP servers

To add an LDAP server, click the Add... button. Define the hostname and port for the server.

Adding an LDAP server

Figure 4.33. Adding an LDAP server

To edit an LDAP server, select the server from the list and click Edit.

To delete an LDAP server, select the server from the list and click Delete.

Managing CRL Prefetch Settings

On the CRL Prefetch page, you can define certificate revocation lists (CRLs) to be fetched from a defined location at regular intervals. The CRL distribution point can be a standard LDAP or HTTP URL, or it can refer to a file. The file must be in binary DER or base64 format; PEM is not supported.

CRLs are automatically retrieved from the CRL distribution point defined in the certificate to be verified if the point exists.

Defining CRL prefetch settings

Figure 4.34. Defining CRL prefetch settings

To add a CRL prefetch address, click Add.... The CRL Prefetch dialog box opens.

Adding a CRL prefetch setting

Figure 4.35. Adding a CRL prefetch setting

Enter the URL of the CRL distribution point and, in the Interval field, how often (in seconds) the CRL is downloaded, and click OK. The default download interval is 3600 seconds (one hour).

In case the CRL distribution point refers to a file, enter the file URL in this format:

file:///absolute/path/name
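The following is an added example and not Tectia's code: it checks a CRL prefetch entry before it is saved (only ldap, http and file URLs; an absolute path for file URLs; a positive interval), and sniffs the encoding of a CRL file so that a PEM file, which the page says is not supported, is caught and its base64 body extracted. The format rule applied is the structural one: a DER CertificateList begins with the SEQUENCE tag 0x30, a base64 file decodes to such bytes, and a PEM file wraps that base64 in -----BEGIN/-----END lines. The sample bytes are constructed and are not a real CRL.

```python
# Added example, not Tectia's code: CRL prefetch entry validation and file format sniffing.
import base64
import binascii
from urllib.parse import urlsplit, unquote

DEFAULT_INTERVAL = 3600   # seconds, the page's default


def validate_prefetch_entry(url: str, interval: int = DEFAULT_INTERVAL) -> dict:
    """Return {"scheme", "location", "interval"} or raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "http", "file"):
        raise ValueError(f"unsupported CRL distribution point scheme: {parts.scheme!r}")
    if parts.scheme == "file":
        # "file:///absolute/path" parses with an empty authority; "file://relative"
        # would put the first path element into the authority instead.
        if parts.netloc not in ("", "localhost"):
            raise ValueError("file URL must have the form file:///absolute/path/name")
        location = unquote(parts.path)
        if not location.startswith("/"):
            raise ValueError("file path must be absolute")
    else:
        if not parts.hostname:
            raise ValueError("URL carries no host")
        location = url
    if not isinstance(interval, int) or interval <= 0:
        raise ValueError("interval must be a positive number of seconds")
    return {"scheme": parts.scheme, "location": location, "interval": interval}


def crl_format(data: bytes) -> str:
    """Classify file contents as 'der', 'base64', 'pem' or 'unknown'."""
    if data[:1] == b"\x30":              # DER SEQUENCE tag opening a CertificateList
        return "der"
    text = data.strip()
    if text.startswith(b"-----BEGIN"):
        return "pem"
    try:
        raw = base64.b64decode(b"".join(text.split()), validate=True)
    except (binascii.Error, ValueError):
        return "unknown"
    return "base64" if raw[:1] == b"\x30" else "unknown"


def pem_to_base64(data: bytes) -> bytes:
    """Strip the PEM armour lines, leaving the bare base64 body Tectia accepts."""
    lines = data.decode("ascii").splitlines()
    body = [line.strip() for line in lines if line.strip() and not line.startswith("-----")]
    return "".join(body).encode("ascii")


# Constructed sample bytes: SEQUENCE { INTEGER 5 }, not a real CRL, but shaped like one.
SAMPLE_DER = b"\x30\x03\x02\x01\x05"
SAMPLE_B64 = base64.b64encode(SAMPLE_DER)
SAMPLE_PEM = b"-----BEGIN X509 CRL-----\n" + SAMPLE_B64 + b"\n-----END X509 CRL-----\n"

if __name__ == "__main__":
    print(validate_prefetch_entry("file:///var/crl/ca.crl"))
    for label, blob in (("der", SAMPLE_DER), ("b64", SAMPLE_B64), ("pem", SAMPLE_PEM)):
        print(label, crl_format(blob))
    print(crl_format(pem_to_base64(SAMPLE_PEM)))
```

If a prefetch entry silently never updates, run crl_format over the file it points at: a "pem" result is the explanation, and pem_to_base64 produces a file the entry can use.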

To edit an existing CRL prefetch setting, select the setting from the list and click Edit.

To delete an existing CRL prefetch setting, select the setting from the list and click Delete.