Identity

The Identity page is used to specify the host keys and host certificates that identify the server to the clients.

Figure 4.12. Tectia Server Configuration - Identity page


Configured keys are listed here with tags to show some of their features, along with controls to edit or delete them.

Edit

This opens the same host key dialog screen as the Add key button. For more information about the dialog, see the Add key section below.

Delete

Removes the selected host-key files from the configuration.

Add key

Opens a dialog in which you can add a host key. The same dialog opens when you click Edit next to a listed key.

You can add a private and/or public host-key file by clicking the Browse button next to the associated text field. The Select File dialog appears, allowing you to find and specify the desired file. You can also type the path and file name directly into the text field.

The default private-key file is hostkey, located in the installation directory ("<INSTALLDIR>\SSH Tectia Server", see Directory Paths). The private-key file and directory should have full permissions for the Administrators group and the SYSTEM account and no other permissions.

If the public key is not specified, it will be derived from the private key. However, specifying the public key will decrease the start-up time for the software, as deriving the public key is a fairly slow operation. If the public key is a certificate, the dialog will display a View certificate button.

The dialog will display the key fingerprints in SHA-256, Babble, and RFC 4716 formats.
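As an added example (not part of the Tectia documentation or product code), the following script recomputes those three fingerprint formats from a public-key file, so an administrator can compare the value shown in the dialog with what a connecting client reports. It parses both the RFC 4716 file format and the OpenSSH one-line format; the sample key blob is constructed and not a real key, and the Babble format is assumed to be the Bubble Babble encoding of the SHA-1 digest of the key blob, as OpenSSH computes it.

```python
# Added example, not Tectia code: recompute SHA-256, Babble and RFC 4716
# fingerprints of an SSH public key exactly as a client-side check would.
import base64
import hashlib
import struct

VOWELS = "aeiouy"
CONSONANTS = "bcdfghklmnprstvzx"


def load_public_key_blob(text: str) -> bytes:
    """Return the raw key blob from an RFC 4716 file or an OpenSSH one-liner."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if lines[0].startswith("---- BEGIN SSH2 PUBLIC KEY ----"):
        # Drop the BEGIN/END lines and single-line headers such as "Comment:"
        # (continuation headers ending in "\" are not handled here).
        body = [ln for ln in lines[1:-1] if ":" not in ln]
        return base64.b64decode("".join(body))
    return base64.b64decode(lines[0].split()[1])  # "<type> <base64> [comment]"


def key_type(blob: bytes) -> str:
    """The blob starts with a length-prefixed key-type string (RFC 4253)."""
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode("ascii")


def bubble_babble(data: bytes) -> str:
    """Bubble Babble encoding; bubble_babble(b'') == 'xexax'."""
    seed, out = 1, ["x"]
    rounds = len(data) // 2 + 1
    for i in range(rounds):
        if i + 1 < rounds or len(data) % 2:
            b1 = data[2 * i]
            out += [VOWELS[(((b1 >> 6) & 3) + seed) % 6],
                    CONSONANTS[(b1 >> 2) & 15],
                    VOWELS[((b1 & 3) + seed // 6) % 6]]
            if i + 1 < rounds:
                b2 = data[2 * i + 1]
                out += [CONSONANTS[(b2 >> 4) & 15], "-", CONSONANTS[b2 & 15]]
                seed = (seed * 5 + b1 * 7 + b2) % 36
        else:  # even-length input: final partial tuple carries only the seed
            out += [VOWELS[seed % 6], CONSONANTS[16], VOWELS[seed // 6]]
    return "".join(out) + "x"


def fingerprints(blob: bytes) -> dict:
    """The three formats the Identity dialog displays for a host key."""
    return {
        "sha256": "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("="),
        "babble": bubble_babble(hashlib.sha1(blob).digest()),  # assumed: SHA-1, as in OpenSSH
        "rfc4716": ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest()),  # MD5 hex per RFC 4716
    }


# Constructed sample: a synthetic ssh-ed25519 blob (NOT a real key) in both file formats.
SAMPLE_BLOB = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(range(32))
SAMPLE_B64 = base64.b64encode(SAMPLE_BLOB).decode()
SAMPLE_RFC4716 = ("---- BEGIN SSH2 PUBLIC KEY ----\nComment: \"constructed sample\"\n"
                  + SAMPLE_B64 + "\n---- END SSH2 PUBLIC KEY ----\n")
SAMPLE_OPENSSH = "ssh-ed25519 " + SAMPLE_B64 + " constructed sample"
```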

Under Attributes you can set options for server host-key rotation. Filling in the automatic key-rotation period enables key rotation for the selected key; once the rotation time is reached, the key is rotated according to the standard key-rotation rules. The key-rotation margin specifies for how long the new key is advertised to clients before the key is rotated. To learn more about key rotation, see Key rotation.

Generate key

Click the Generate key button to generate a new RSA, ECDSA, or Ed25519 host key pair. This launches the ssh-keygen-g3.exe command-line tool, which generates the key pair. The default length of the generated key pair is 3072 bits for RSA, 384 bits for ECDSA, and 256 bits for Ed25519 keys.

You can also generate the key pairs manually with the command-line tool, including a deprecated DSA host key if needed. See the instructions in ssh-keygen-g3(1).

Note

Different key types can be used as host keys at the same time, but the server only uses the first configured key of each type as a host key; any further keys of the same type are ignored.

Add external key

Opens a dialog in which you can specify an external host key to be used. The fields are Provider Type and Init string. You can also click Test Scan to try adding a software or pkcs11 provider and scanning it for keys.

For more information on the different external keys and their initialization strings, see externalkey in ssh-server-config(5).

Import PKCS12

Click the Import PKCS12 button to import a private key stored in the Personal Information Exchange (PFX) format. The Select File dialog appears, allowing you to specify the desired file.

Note

All key and certificate files should be located on a local drive. Do not use network or mapped drives, as the server program may not have the necessary access rights to them.

See also Server Authentication with Public Keys, Server Authentication with Certificates, and Server Authentication Using External Host Keys.