On the Host Keys page, you can manage the known server host keys.
Click Add... to add keys from a directory, Delete to remove.
For more information on server host keys, see Server Authentication with Public Keys.
Select the Strict host key checking check box to define that host keys are NOT saved to the host key directory upon connection, and a connection is automatically refused if the host key has changed.
Select the Accept unknown host keys check box to define that all host keys are accepted but not saved without prompting the user for acceptance.
Select the Always show host key prompt check box to define that the user will always be prompted for host key acceptance, even when the host key is known.
The host key options are disabled by default.
On the Certificates page, you can manage trusted CA certficates.
For more information on server certificate authentication, see Server Authentication with Certificates.
The following fields are displayed on the CA certificate list:
Issued to: The certification authority to whom the certificate has been issued.
Issued by: The entity who has issued the CA certificate.
Expiration date: The date that the CA certificate will expire.
Filename: The file containing the CA certificate.
Select the Disable check box to prevent the use of a certificate revocation list (CRL). A CRL is used to check if any of the used server certificates have been revoked.
Disabling CRL checking is a security risk and should be done for testing purposes only.
The OCSP Responder Service provides client applications a point of control for retrieving real-time information on the validity status of certificates using the Online Certificate Status Protocol (OCSP).
For the OCSP validation to succeed, both the end-entity (=Secure Shell server) certificate and the OCSP responder certificate must be issued by the same CA. If the certificate has an
Authority Info Access extension with an OCSP Responder URL, it is only used if there are no configured OCSP responders. It is not used if any OCSP responders have been configured.
If an OCSP responder is defined in the configuration file or in the certificate, it is tried first; only if it fails, traditional CRL checking is tried, and if that fails, the certificate validation returns a failure.
Specifies whether the client will verify the server's hostname against the Subject Name or Subject Alternative Name (DNS Address) in the server's certificate.
If this check box is not selected, the fields in the server host certificate are not verified and the certificate is accepted based on validity period and CRL check only. Note that this is a possible security risk, as anyone with a certificate issued by the same trusted CA that issues the server host certificates can perform a man-in-the-middle attack on the server if a client has the endpoint identity check disabled.
This element defines whether the certificates are required to be compliant with the DoD PKI (US Department of Defense Public-Key Infrastructure).
Specify the default domain used in the end-point identity check. This is the default domain part of the remote system name and it is used if only the base part of the system name is available.
If the default domain is not specified, the end-point identity check fails, for example, when a user tries to connect to a host "
tower" giving only the short hostname and the certificate contains the full DNS address "
Specify the HTTP proxy used when making LDAP or OCSP queries for certificate validity.
The format of the address is
"http://username@proxy_server:port/network/netmask,network/netmask... ". The
network/netmask part is optional and defines the network(s) that are connected directly (without the proxy).
Specify the SOCKS server used when making LDAP or OCSP queries for certificate validity.
The format of the address is
"socks://username@socks_server:port/network/netmask,network/netmask... ". The
network/netmask part is optional and defines the network(s) that are connected directly (without the SOCKS server).
On the LDAP Servers page, you can define LDAP servers used for fetching CRLs and/or subordinate CA certificates based on the issuer name of the certificate being validated.
CRLs are automatically retrieved from the CRL distribution point defined in the certificate to be verified if the point exists.
To add an LDAP server, click the Add... button. Define the hostname and port for the server.
To edit an LDAP server, select the server from the list and click Edit.
To delete an LDAP server, select the server from the list and click Delete.