When the host key is received during the first connection to a remote host (or when the host key has changed) and you choose to save the key, its file name is stored in hashed format, keys_hhh..., where hhh is a hash of the host port and name. The saved file contains a hash of the host's public key. A salt is included in the hash calculations. The value of the salt is stored in the file salt in the same directory as the host keys ($HOME/.ssh2/hostkeys on Unix, %APPDATA%\SSH\HostKeys on Windows). The hashed host key format is a security feature that makes harvesting host addresses from the stored host keys difficult.
In the plain (traditional) format, the name of a host key file includes the host's name and port, as in key_22_host.example.com.pub, and the file contains the host's public key in plaintext format.
The storage format can be controlled with the filename-format attribute of the known-hosts element of the ssh-broker-config.xml configuration file. The attribute value must be plain or hash (default). For example:
<known-hosts path="$HOME/.ssh2/hostkeys" filename-format="plain" />
If you are adding the keys manually, the keys should be named with the key_<port>_<host>.pub pattern, where <port> is the port the Secure Shell server is running on and <host> is the host name you use when connecting to the server (for example, key_22_alpha.example.com.pub).
If both the hashed and plaintext format keys exist, the hashed format takes precedence.
Note that the host identification depends on the host name and port the client is connecting to. The host name can occur in four different formats:
Fully qualified domain name (FQDN)
Short host name
IPv4 address
IPv6 address
The host key for each name format has to be saved separately, as they are not mutually exchangeable.
The host key is saved under the host name format used in the login. For example, if you want to use all the host name formats when connecting to a remote host named alpha, connect to the host first with the following commands and save the host key under all four names:
sshg3 user@alpha produces the key with the short host name (in plain format key_22_alpha.pub)
sshg3 user@alpha.example.com produces the key with the FQDN (in plain format key_22_alpha.example.com.pub)
sshg3 user@10.1.101.10 produces the key with the IPv4 address (in plain format key_22_10.1.101.10.pub)
sshg3 user@fd00:10:1:103::1:2f69 produces the key with the IPv6 address (in plain format key_22_fd000010000101030000000000012f69.pub)
When connecting to a server using its IPv6 address, the IPv6 address given to Tectia ConnectSecure is canonicalized without the colons, and the canonical format is used in the known host key file name. For example, the plain format host key file for ::1#10022 would be key_10022_00000000000000000000000000000001.pub. The canonical format is also used when saving and reading hashed host keys.
Also, if you need to connect to the same host on a different port, your client needs a separate host key for that purpose; for example, key_22_alpha.pub and key_222_alpha.example.com.pub.
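The plain-format naming rule above, including the IPv6 canonicalization, as an added example (not Tectia's own code): it derives the key_<port>_<host>.pub file name for each host name form and reports which forms still lack a saved key. The IPv6 rule (full eight groups, zero-padded, colons dropped) is inferred from the two file names shown on this page; the hashed format is not modeled because the page does not specify its hash algorithm.

```python
import ipaddress


def plain_hostkey_filename(host: str, port: int = 22) -> str:
    """Return the plain-format host key file name key_<port>_<host>.pub.

    Host names and IPv4 addresses are used exactly as typed.  An IPv6
    address is written out in full and the colons are removed, matching
    the page's example fd00:10:1:103::1:2f69 -> fd000010000101030000000000012f69
    (assumption: the canonical form is the expanded, colon-free address).
    """
    label = host
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None  # not an IP literal: FQDN or short host name
    if isinstance(addr, ipaddress.IPv6Address):
        # .exploded yields eight zero-padded 4-digit groups; drop the colons
        label = addr.exploded.replace(":", "")
    return f"key_{port}_{label}.pub"


def missing_hostkeys(present_files, host_forms, port: int = 22):
    """Return the host name forms that have no saved plain-format key.

    present_files: file names found in the hostkeys directory
    host_forms:    the name forms you connect with (FQDN, short name,
                   IPv4, IPv6); each needs its own key file.
    """
    present = set(present_files)
    return [h for h in host_forms
            if plain_hostkey_filename(h, port) not in present]


if __name__ == "__main__":
    # Constructed sample: two of the four name forms for host alpha are saved.
    saved = ["key_22_alpha.pub", "key_22_10.1.101.10.pub"]
    forms = ["alpha", "alpha.example.com", "10.1.101.10",
             "fd00:10:1:103::1:2f69"]
    for form in forms:
        print(form, "->", plain_hostkey_filename(form))
    print("still unsaved:", missing_hostkeys(saved, forms))
```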
After the first connection, the locally stored information about the server public key will be used in server authentication.