|
     |
A public key is always created for Tectia Server during the installation phase. In addition, the Server administrator can generate more public-key pairs for the host, according to need.
The server is authenticated with a digital signature based on an RSA, DSA, ECDSA or Ed25519 public-key algorithm. At the beginning of each connection, the server sends its public key to the client for validation.
The key pair that the server
uses in server authentication is defined in the server configuration file,
ssh-server-config.xml, with the following elements:
<params>
<hostkey>
<private file="/etc/ssh2/hostkey" />
<public file="/etc/ssh2/hostkey.pub" />
</hostkey>
...
</params>
Giving the public key in the configuration file is not mandatory. It will be derived from the private key if it is not found otherwise. Specifying the public key will, however, decrease start-up time for the software, as deriving the public key is a somewhat time-consuming operation.
During the installation process, one RSA key pair (with the file names
hostkey and hostkey.pub) is generated and stored in the
/etc/ssh2 directory on Unix and in the "<INSTALLDIR>\SSH
Tectia Server" directory on Windows. By default, this key pair is used for server
authentication.
Each Tectia Server can have multiple host keys. You could have, for example, the
following set of parameters in your ssh-server-config.xml file:
<params>
<hostkey>
<private file="/etc/ssh2/hostkey_rsa" />
<public file="/etc/ssh2/hostkey_rsa.pub" />
</hostkey>
<hostkey>
<private file="/etc/ssh2/hostkey_dsa" />
<public file="/etc/ssh2/hostkey_dsa.pub" />
</hostkey>
<hostkey>
<private file="/etc/ssh2/hostkey_ecdsa" />
<public file="/etc/ssh2/hostkey_ecdsa.pub" />
</hostkey>
...
</params>
All keys are stored in memory when the ssh-server-g3 process is started, which means that any one of them can be used to authenticate the server.
We recommend that you use a maximum of one key pair of each type (RSA, DSA, ECDSA, Ed25519). If also certificates are used in server authentication, an additional three host key pairs (RSA/ DSA/ECDSA with certificate) can be used for a total of seven host keys.
The host keys can be configured with the Tectia Server Configuration tool on the Identity page. See Identity.
A host public-key pair (3072-bit RSA) is always generated during the fresh installation of Tectia Server. You only need to regenerate it if you want to change your host key pair.
The command-line tool ssh-keygen-g3 can be used to generate the host key pair. It can be used for creating the user key pairs as well.
On Unix, to (re)generate the host key, give the following command with root privileges:
# ssh-keygen-g3 -P -H hostkey
where:
-P indicates that the key has an empty passphrase
-H indicates that the key pair is stored in the default host key
directory
On Windows, to (re)generate the host key, give the following command:
ssh-keygen-g3.exe -P -H hostkey
This will generate
a 3072-bit RSA key pair (without a passphrase) and save it in the default host key directory
(/etc/ssh2 on Unix, "<INSTALLDIR>\SSH Tectia Server" on Windows)
with the names hostkey and hostkey.pub. For more information on
the key generation options, see ssh-keygen-g3(1).
After the new key pair has been created, run ssh-server-ctl to reconfigure the server. See ssh-server-ctl(8).
![[Note]](images/note.gif) | Note |
|---|---|
The private key of the server must never be readable by anyone
but |
Administrators that have other users connecting to their server should notify the users of any host key changes. The users will receive a warning the next time they connect because the host key the users have saved on their disk for your server does not match the host key now being actually provided by your server. The users may not know how to respond to this warning.
You can run ssh-keygen-g3 to calculate the fingerprint of your
new public host key and you can provide the fingerprint to your users via some unalterable
method (for example, by a digitally signed e-mail or by displaying the fingerprint on a
secured bulletin board).
On Unix, the command for calculating the fingerprint is:
# ssh-keygen-g3 -F hostkey.pub
On Windows, the command is:
ssh-keygen-g3.exe -F hostkey.pub
When the users connect and receive the error message about the host key having changed, they can compare the fingerprint of the new key with the fingerprint you have provided in your e-mail, and ensure that they are connecting to the correct Tectia Server. Inform your users to notify you if the fingerprints do not match, or if they receive a message about a host key change and do not receive a corresponding message from you notifying them of the change.
This procedure can help ensure that you do not become a victim of a man-in-the-middle attack, as your users will notify you if the host key fingerprints do not match.
It is also possible to send the public host key to the users via an
unalterable method. The users can save the key in the $HOME/.ssh2/hostkeys
directory on Unix or in the %APPDATA%\SSH\HostKeys directory on Windows as
key_<port>_<host>.pub (for example,
key_22_banana.ssh.com.pub). In this case, a manual fingerprint check is not
needed.
Like passwords, host keys (and the authorizations they create) should be rotated regularly to limit their exposure to misuse.
Key rotation for server
host keys can be set in the server configuration GUI under Identity tab (see Identity), or it can be set in the server-config.xml
hostkey element (see
hostkey
).
Once a rotation period has been set for a host key, a newly generated key will replace the old one when the key rotation period ends. A key can be set up with a rotation margin period, which is a time span before the rotation, during which the new key is generated, and advertised to clients. Advertising the new key before key rotation allows clients to be prepared for the changing of the host key. If no rotation period is set, the automatic key rotation is disabled.
The host keys can also be changed manually by generating a new key and/or editing an existing keys' path in the server configuration GUI.
Please see Appendix I for more details on what should be taken into consideration when changing the Host Key of Tectia Server.
| |