SSH

Appendix H Changing the Host Key of Tectia Server

Table of Contents

Host key Algorithm in Manual Host Key Rotation
Manual Rotation Example using RSA Host Keys
Fingerprints
Replacing Host Public Key on Client-Side
z/OS Example
Windows Tectia Client Example

Tectia Server version 6.4.19 has a feature to help with changing the host keys on the client side. To use it, you can configure host key rotation on the server-side. This will allow clients that authenticate the server with the old host key to save the new host key after successful user authentication and delete the old one once the old key is removed on the server-side, for example after 3 months. This feature requires a Tectia client version 6.4.19 that has Host Key Policy Rotation enabled (by default enabled when connecting to Tectia servers only) or a OpenSSH client version 6.8 or above that has UpdateHostKeys enabled.

Quick Comparison:

Manual Change
  • Change host key without advertising it first. All secure shell clients that have previously connected and saved the old host key to known hosts fail to connect or prompt a host key changed warning.

Automatic Rotation
  • Time-based key generation, advertising and rotation that changes the host key

  • hostkey (current advertised and used as server identity)

  • hostkey.next (new advertised)

  • hostkey.old (previous hostkey that has been removed from configuration)

  • Same algorithm and key size as the current hostkey

  • Must not be enabled for Tectia Server cluster nodes

  • Server_hostkey_rotation_started and Server_hostkey_rotation audit messages

Manual Rotation
  • Administrator controls new key generation, advertising and changing the host key

  • Host key algorithm or key size can be different for new key

  • If Tectia Server is part of a cluster the new host key has to be shared on all nodes and advertising needs to be enabled and disabled for all keys on a node. Advertising must not be enabled on other node unless it has the same current and new host keys. Also, advertising must be disabled for all keys on a node before new key is taken into active use and advertising can only be enabled again once all nodes have taken the same new key into active use.