Tectia Server version 6.4.19 has a feature that helps clients cope with a change of the server host key. To use it, configure host key rotation on the server side. Clients that authenticate the server with the old host key then save the new host key after successful user authentication and delete the old one once the old key has been removed on the server side, for example after 3 months. This feature requires a Tectia client version 6.4.19 with Host Key Policy Rotation enabled (enabled by default when connecting to Tectia servers only) or an OpenSSH client version 6.8 or above with UpdateHostKeys enabled.
The host key can be changed in the following ways:

1. Change the host key without advertising it first. All secure shell clients that have previously connected and saved the old host key to their known hosts fail to connect or show a host key changed warning.

2. Time-based key generation, advertising and rotation that changes the host key automatically:
   - hostkey (current key, advertised and used as the server identity)
   - hostkey.next (new key, advertised)
   - hostkey.old (previous host key that has been removed from the configuration)
   - The new key has the same algorithm and key size as the current hostkey.
   - Must not be enabled for Tectia Server cluster nodes.
   - Produces Server_hostkey_rotation_started and Server_hostkey_rotation audit messages.

3. The administrator controls new key generation, advertising and changing the host key:
   - The host key algorithm or key size can be different for the new key.
   - If Tectia Server is part of a cluster, the new host key has to be shared on all nodes, and advertising needs to be enabled and disabled for all keys on a node. Advertising must not be enabled on another node unless it has the same current and new host keys. Also, advertising must be disabled for all keys on a node before the new key is taken into active use, and advertising can only be enabled again once all nodes have taken the same new key into active use.
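The following is an added example, not Tectia or OpenSSH code: a small Python model of the three server-side key states described above (hostkey, hostkey.next, hostkey.old) and of how a client with host key updating enabled keeps its known-hosts entry current. It walks through a client that connects while the new key is advertised (its entry is updated and the old key dropped after the change) and a client that stays away until after the change (it gets the host key changed condition described in the first option). The key strings and the helper names are constructed for the illustration.

```python
# Added example (not Tectia or OpenSSH code): toy model of server host key
# rotation states and of the client-side known_hosts update that Tectia
# "Host Key Policy Rotation" / OpenSSH "UpdateHostKeys" perform.
# Key strings below are constructed placeholders, not real keys.
from dataclasses import dataclass
from typing import Optional

K1 = "ssh-rsa AAAA...K1 (constructed)"
K2 = "ssh-rsa AAAA...K2 (constructed)"


@dataclass
class ServerHostKeys:
    current: str                # "hostkey": advertised and used as server identity
    next: Optional[str] = None  # "hostkey.next": new key, advertised only
    old: Optional[str] = None   # "hostkey.old": previous key, no longer configured

    def advertised(self) -> list:
        """Keys the server sends to the client after successful user authentication."""
        return [self.current] + ([self.next] if self.next else [])

    def rotate(self) -> None:
        """Take hostkey.next into active use; the former identity becomes hostkey.old."""
        if self.next is None:
            raise ValueError("no hostkey.next to rotate to")
        self.current, self.next, self.old = self.next, None, self.current


def connect(server: ServerHostKeys, known_hosts: set, update_keys: bool = True) -> str:
    """Model one client connection against the server's current identity.

    Returns "first-contact" (no saved key yet), "changed" (saved keys exist but
    none matches the identity the server authenticates with) or "ok".
    On "ok" with update_keys enabled, known_hosts is brought in line with the
    advertised list: newly advertised keys are saved, keys the server no longer
    advertises (hostkey.old) are deleted.
    """
    if not known_hosts:
        known_hosts.add(server.current)
        return "first-contact"
    if server.current not in known_hosts:
        return "changed"
    if update_keys:
        adv = set(server.advertised())
        known_hosts |= adv   # save the advertised new key (hostkey.next)
        known_hosts &= adv   # drop keys no longer advertised (hostkey.old)
    return "ok"


def rotation_walkthrough() -> dict:
    """Advertise K2, rotate to it, and compare an updating client with a stale one."""
    server = ServerHostKeys(current=K1)
    updating = {K1}   # client that connects while K2 is being advertised
    stale = {K1}      # client that does not connect until after the change
    results = {}

    server.next = K2                                   # start advertising
    results["advertising"] = connect(server, updating)
    results["known_after_advertising"] = set(updating)

    server.rotate()                                    # K2 becomes the identity
    results["after_change"] = connect(server, updating)
    results["known_after_change"] = set(updating)
    results["stale_client"] = connect(server, stale)   # never saw K2 advertised
    return results


if __name__ == "__main__":
    for step, value in rotation_walkthrough().items():
        print(f"{step}: {value}")
```

The `connect` result "changed" is the situation a client that skipped the advertising period ends up in: its only saved key is the removed one, so it must verify the new key out of band. Keeping the advertising period long enough for every client to connect at least once is what makes the rotation transparent.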