Your browser does not allow storing cookies. We recommend enabling them.

SSH Tectia

Using the System-Wide Host Key Storage

If a host key is not found in the user-specific host key directory, it is next searched on Unix from the /etc/ssh2/hostkeys directory and on Windows from the "%ALLUSERSPROFILE%\Application Data\SSH\HostKeys" directory. Host key files are not automatically put in these directories but they have to be updated manually by the system administrator (root) or by using SSH Tectia Manager.

If SSH Tectia Manager is not used for distributing the host keys, you can follow the instructions below for doing it manually. The instructions reflect the Unix file paths but are applicable also to Windows. Simply replace the Unix paths with the corresponding Windows paths.

To obtain and store hashed remote host keys in the system-wide storage:

  1. Select a client-side user whose $HOME/.ssh2/hostkeys will be the basis for the system-wide /etc/ssh2/hostkeys. The user should have administrative privileges, as placing the keys to the system-wide location requires them.

    This user must also be used to maintain the system-wide /etc/ssh2/hostkeys later on if the host key on some server changes. The process is to maintain the user's host keys in the $HOME/.ssh2/hostkeys directory and then replicate the changes to the system-wide /etc/ssh2/hostkeys directory.

  2. Make sure that the $HOME/.ssh2/hostkeys directory is empty when obtaining the keys for the first time, or that the saved host keys are intentional.

    If you need to obtain new keys later, the same $HOME/.ssh2/hostkeys/salt file has to be used.

  3. Connect with SSH Tectia Client to the remote server, verify the fingerprint, and save the key.

    Repeat this step as many times as there are remote servers. Note that you do not have to complete the user authentication, only key exchange part of the Secure Shell connection.

  4. Once all host keys you wish to maintain in the system-wide location have been obtained, place the keys to the system-wide location, for example by running the following commands:

    # mkdir /etc/ssh2/hostkeys
    # cp -p $HOME/.ssh2/hostkeys/* /etc/ssh2/hostkeys

    Note that also the $HOME/.ssh2/hostkeys/salt file has to be copied so that SSH Tectia Client is able to identify the hashed host keys. Also if multiple users contribute to the system-wide /etc/ssh2/hostkeys, they have to share the same salt file.

To obtain and store traditional remote host keys in the system-wide storage:

  1. As a server-side user, copy the /etc/ssh2/ file from the server as key_<port>_<hostname>.pub to the /etc/ssh2/hostkeys/ directory on the client.

    You can do this as a non-privileged user on the server but you must be privileged user, for example root, on the client.

  2. Use secure means to transfer the file or verify the fingerprint matches after the transfer with the ssh-keygen-g3 option -F, for example on the server:

    $ ssh-keygen-g3 -F /etc/ssh2/

    On the client:

    # ssh-keygen-g3 -F /etc/ssh2/hostkeys/key_<port>_<hostname>.pub

    Note that the identification is different based on the host and port the client is connecting to. Also connection with IP is considered a different host as well as connection to same host but different port. You can copy the same traditional key_<port>_<hostname>.pub to all these different names.




What to read next:

  • Reduce Secure Shell risk. Get to know the NIST 7966.

    The NISTIR 7966 guideline from the Computer Security Division of NIST is a direct call to action for organizations regardless of industry and is a mandate for the US Federal government.
    Download now
  • ISACA Practitioner Guide for SSH

    With contributions from practitioners, specialists and SSH.COM experts, the ISACA “SSH: Practitioner Considerations” guide is vital best practice from the compliance and audit community.
    Download now