SSH

Manual Rotation Example using RSA Host Keys

  1. After the upgrade, create a new RSA host key named hostkey_new in Tectia Server Configuration GUI → Identity → Generate key

    Or on command-line:

    ssh-keygen-g3 -H -P hostkey_new
  2. Advertise Current and New Host Key During Renewal Period Before Rotation

    In Tectia Server Configuration GUI → Identity → Edit hostkey and hostkey_new

    Change Advertise to Yes for both the current host key and the new host key so that both are advertised to Secure Shell clients, and Apply to reload the configuration.

    The current host key is still used for server authentication; the new host key is saved on the client side for future use by clients that support host key advertisement. Note that if the current host key has Advertise set to No (the default), clients that support rotation remove it from their known hosts prematurely, and the next connection results in a save-host-key prompt.

    Or edit ssh-server-config.xml so that both key pairs are listed and advertised:

    <hostkey advertise="yes">
       <private file="C:\Program Files (x86)\SSH Communications Security\SSH Tectia\SSH Tectia Server\hostkey" />
       <public file="C:\Program Files (x86)\SSH Communications Security\SSH Tectia\SSH Tectia Server\hostkey.pub" />
    </hostkey>
    <hostkey advertise="yes">
       <private file="C:\Program Files (x86)\SSH Communications Security\SSH Tectia\SSH Tectia Server\hostkey_new" />
       <public file="C:\Program Files (x86)\SSH Communications Security\SSH Tectia\SSH Tectia Server\hostkey_new.pub" />
    </hostkey>

    To reconfigure Tectia Server on command-line:

    ssh-server-ctl reload
  3. Monitor Tectia Server Logs

    Tectia Server logs the informational audit message Hostkey_advert_accepted when a client saves an advertised new host key after the server has proved ownership of it. These messages can be used to track adoption of the new host key across the environment over time; a client that never connects during the renewal period produces no such message, so compare against an inventory of expected clients rather than waiting for the messages to stop.

    132 Hostkey_advert_accepted, Username: <authenticated_user>,
    Src IP: 127.0.0.1, Src Port: 50737, "xicaz-...-saxux",
    "SHA-256: gThQLwq2eiVIRd3T8X4JElNr9SGa7WRcUX93Audbe2I", Session-Id: 147,
    Protocol-session-Id: C85232F7554FBB5814ADAAD6D8E0...
  4. Host Key Rotation

    When the old key is removed from Tectia Server's configuration and the new key is taken into active use, any Secure Shell client that has the old host key saved in its known hosts but has not saved the new one either fails to connect or shows a host-key-changed warning. This affects clients that did not connect during the renewal period and clients that do not support, or do not have enabled, Host Key Rotation / UpdateHostKeys.

    In Tectia Server Configuration GUI → Identity, delete "hostkey" to remove the old key from the configuration, and Apply to reload the configuration so that hostkey_new becomes the current host key.

    Or edit ssh-server-config.xml so that only the hostkey_new key pair is specified:

    <hostkey advertise="yes">
       <private file="C:\Program Files (x86)\SSH Communications Security\SSH Tectia\SSH Tectia Server\hostkey_new" />
       <public file="C:\Program Files (x86)\SSH Communications Security\SSH Tectia\SSH Tectia Server\hostkey_new.pub" />
    </hostkey>

    To reconfigure Tectia Server on command-line:

    ssh-server-ctl reload

    Rename hostkey to hostkey_removed and hostkey.pub to hostkey_removed.pub in the installation directory so that the old key is not accidentally taken into use if Tectia Server is started without a configuration file. Note also that the next Tectia Server upgrade automatically generates a new hostkey if a file with that name does not already exist.

    If the current hostkey_new is advertised, then after successful user authentication, clients that support this and allow it in their configuration automatically remove from their known hosts any host keys that the server no longer advertises.

    Tectia Client 6.4.19 has the Host Key Policy Rotation setting enabled by default when connecting to Tectia Servers (only), and it attempts to remove the old keys from all known host key locations. On the client side, the following command shows the keys held in the local host key store(s):

    ssh-keygen-g3 -F host_id

    where host_id is hostname or address#port
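The adoption tracking described in step 3 and the step 4 caveat (clients that never saved the new key fail or warn once the old key is removed) can be combined into a rotation gate. The following is an added example, not Tectia's own tooling or code from this page: it parses Hostkey_advert_accepted audit lines in the layout of the excerpt above (one event per line is assumed), records which source addresses have saved the new key's SHA-256 fingerprint, and compares them against a client inventory. The function names, the sample log lines, the placeholder fingerprint values other than the one copied from the excerpt, and the inventory of expected client addresses are all constructed for illustration.

```python
import re
from collections import defaultdict

# Regular expression for the Hostkey_advert_accepted audit message as it
# appears in the Tectia Server log excerpt above (assumed one event per line).
ADVERT_RE = re.compile(
    r'Hostkey_advert_accepted,\s*Username:\s*(?P<user>[^,]+),\s*'
    r'Src IP:\s*(?P<ip>[^,]+),\s*Src Port:\s*(?P<port>\d+),\s*'
    r'"(?P<babble>[^"]*)",\s*"SHA-256:\s*(?P<sha256>[^"]+)",\s*'
    r'Session-Id:\s*(?P<session>\d+)'
)

# SHA-256 fingerprint of the new host key, copied from the log excerpt above.
NEW_KEY_SHA256 = "gThQLwq2eiVIRd3T8X4JElNr9SGa7WRcUX93Audbe2I"


def _audit_line(user, ip, port, sha256, session):
    """Build one constructed audit line in the excerpt's layout (sample data only)."""
    return (f'132 Hostkey_advert_accepted, Username: {user}, Src IP: {ip}, '
            f'Src Port: {port}, "xabab-bubble-babble-placeholder", '
            f'"SHA-256: {sha256}", Session-Id: {session}, '
            f'Protocol-session-Id: C85232F7554FBB5814ADAAD6D8E0...')


# Constructed sample log: two clients saved the new key (one of them twice),
# one client saved some other advertised key, and one line is unrelated noise.
SAMPLE_LOG = [
    _audit_line("alice", "10.0.0.11", 50101, NEW_KEY_SHA256, 147),
    _audit_line("alice", "10.0.0.11", 50102, NEW_KEY_SHA256, 149),
    "133 Placeholder unrelated audit message, Src IP: 10.0.0.12, Src Port: 50103",
    _audit_line("bob", "10.0.0.12", 50104, NEW_KEY_SHA256, 150),
    _audit_line("carol", "10.0.0.13", 50105, "0" * 43, 151),
]
# Constructed inventory of client addresses expected to connect to this server.
EXPECTED_CLIENTS = ["10.0.0.11", "10.0.0.12", "10.0.0.13", "10.0.0.14"]


def parse_advert_events(lines):
    """Return the parsed fields of every Hostkey_advert_accepted line; other lines are ignored."""
    events = []
    for line in lines:
        m = ADVERT_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def adoption_report(lines, new_key_sha256, expected_clients):
    """Report which clients saved the new key, which have not yet, and what else was saved."""
    adopted = defaultdict(set)   # src IP -> users that saved the new key
    other = defaultdict(set)     # any other fingerprint -> src IPs that saved it
    for ev in parse_advert_events(lines):
        if ev["sha256"] == new_key_sha256:
            adopted[ev["ip"]].add(ev["user"])
        else:
            other[ev["sha256"]].add(ev["ip"])
    return {
        "adopted": {ip: sorted(users) for ip, users in sorted(adopted.items())},
        "pending": sorted(set(expected_clients) - set(adopted)),
        "other_fingerprints": {fp: sorted(ips) for fp, ips in other.items()},
    }


def safe_to_rotate(lines, new_key_sha256, expected_clients):
    """Step 4 gate: remove the old key only once every expected client has saved the new one."""
    return not adoption_report(lines, new_key_sha256, expected_clients)["pending"]


if __name__ == "__main__":
    report = adoption_report(SAMPLE_LOG, NEW_KEY_SHA256, EXPECTED_CLIENTS)
    for ip, users in report["adopted"].items():
        print(f"adopted  {ip}  users={','.join(users)}")
    for ip in report["pending"]:
        print(f"PENDING  {ip}  (fails or warns after the old key is removed)")
    print("safe to rotate:", safe_to_rotate(SAMPLE_LOG, NEW_KEY_SHA256, EXPECTED_CLIENTS))
```

Keying the report on source address is a heuristic: clients behind a shared NAT address are indistinguishable this way, so in such environments key on the Username field (or both) instead. Fingerprints other than the new key's are reported separately so that a client still saving a different advertised key during the renewal period is visible rather than silently counted as adopted.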