Storing Remote Server Host Keys
When the transparent tunnel or an SFTP session with FTP-SFTP conversion is opened, the user cannot be prompted to accept new or changed server host keys. In addition, transparent FTP tunneling and FTP-SFTP conversion always use the IP address of the Secure Shell server when opening the secure tunnel. This means that the host keys of the Secure Shell tunneling servers must be stored beforehand under the IP addresses of the servers, not their host names.
The keys can be stored by connecting to each host individually, using the IP address of the host, with an interactive shell and accepting the host keys one by one, or by using the ssh-keydist-g3 key distribution tool.
More information and examples on storing remote server keys can be found in SSH Tectia Server for IBM z/OS User Manual.
Disabling Host-Key Check
As an alternative to storing the remote server host keys, it is possible to disable the host-key checking entirely. To do this, set the accept-unknown-host-keys element to yes in the ssh-socks-proxy-config.xml file. The element must be placed before the profiles element as shown below.
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE secsh-broker SYSTEM
  "/opt/tectia/etc/ssh-tectia/auxdata/ssh-broker-ng/ssh-broker-ng-config-1.dtd" >
<secsh-broker version="6.0" >
  <general>
    <strict-host-key-checking enable="no" />
    <host-key-always-ask enable="no" />
    <accept-unknown-host-keys enable="yes" />
  </general>
  <profiles>
  ...
Caution: Consider carefully before enabling this option. Disabling the host-key checks makes you vulnerable to man-in-the-middle attacks.
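Because the setting above silently removes server authentication, an administrator will usually want a quick way to audit every ssh-socks-proxy-config.xml on the system for it. The following audit script is an added example and is not part of the Tectia product or its manual; it assumes only the element names shown on this page (general, profiles, strict-host-key-checking, host-key-always-ask, accept-unknown-host-keys) and the enable="yes"/"no" attribute convention. The two sample configurations embedded in it are constructed for the example; the placeholder profile in the weakened one exists only so the fragment parses as complete XML.

```python
"""Audit the host-key policy in a Tectia-style ssh-socks-proxy-config.xml.

Added example, not part of the Tectia product or its manual. It assumes
only the element names shown on the page and the enable="yes"/"no"
attribute convention; the sample documents below are constructed.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the weakened configuration from the page, with the
# elided profile replaced by a placeholder so the document is complete.
WEAK_CONFIG = """<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE secsh-broker SYSTEM
  "/opt/tectia/etc/ssh-tectia/auxdata/ssh-broker-ng/ssh-broker-ng-config-1.dtd" >
<secsh-broker version="6.0" >
  <general>
    <strict-host-key-checking enable="no" />
    <host-key-always-ask enable="no" />
    <accept-unknown-host-keys enable="yes" />
  </general>
  <profiles>
    <profile id="placeholder-profile" host="192.0.2.10" port="22" />
  </profiles>
</secsh-broker>
"""

# Constructed sample: a configuration that keeps host-key checking on.
STRICT_CONFIG = """<?xml version="1.0" encoding="UTF-8" ?>
<secsh-broker version="6.0" >
  <general>
    <strict-host-key-checking enable="yes" />
  </general>
  <profiles>
  </profiles>
</secsh-broker>
"""


def _enable_flag(general, name):
    """Return the lower-cased enable attribute of <name> under <general>,
    or None when the element is absent."""
    if general is None:
        return None
    elem = general.find(name)
    if elem is None:
        return None
    return elem.get("enable", "").strip().lower()


def audit_host_key_policy(xml_text):
    """Parse one broker configuration and report its host-key policy.

    Returns a dict with the individual settings plus a list of
    human-readable findings (empty when nothing weak was found).
    """
    # expat does not fetch the external DTD, so the DOCTYPE is harmless here.
    root = ET.fromstring(xml_text)
    children = list(root)
    general = root.find("general")
    profiles = root.find("profiles")

    # The page requires <general> (and the element) to precede <profiles>.
    general_before_profiles = (
        general is not None
        and profiles is not None
        and children.index(general) < children.index(profiles)
    )

    accept_unknown = _enable_flag(general, "accept-unknown-host-keys") == "yes"
    # Absent element is treated as the default (checking enabled).
    strict_checking = _enable_flag(general, "strict-host-key-checking") != "no"
    always_ask = _enable_flag(general, "host-key-always-ask") == "yes"

    findings = []
    if accept_unknown:
        findings.append(
            "accept-unknown-host-keys is enabled: unknown or changed server "
            "host keys are accepted without verification (MITM exposure)"
        )
    if not strict_checking:
        findings.append("strict-host-key-checking is disabled")

    return {
        "accept_unknown_host_keys": accept_unknown,
        "strict_host_key_checking": strict_checking,
        "host_key_always_ask": always_ask,
        "general_before_profiles": general_before_profiles,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_CONFIG), ("strict", STRICT_CONFIG)):
        result = audit_host_key_policy(doc)
        status = "WEAK" if result["findings"] else "ok"
        print(f"{label}: {status}")
        for finding in result["findings"]:
            print(f"  - {finding}")
```

To run it against a real file, read the file's contents and pass the text to audit_host_key_policy; a non-empty findings list means the host-key checks described on this page have been relaxed and the tunnel no longer authenticates the Secure Shell server.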