SSH.COM is one of the most trusted brands in cyber security. We help enterprises and agencies solve the security challenges of digital transformation with innovative access management solutions.
If a host key is not found in the user-specific host key directory, it
is next searched on Unix from the
/etc/ssh2/hostkeys directory, on pre-Vista Windows from the
C:\Documents and Settings\All Users\Application
Data\SSH\HostKeys directory, and on Windows Vista and later Windows versions from the
C:\ProgramData\SSH\HostKeys directory. Host key files are not
automatically put in the system-wide directory but they have to be updated
manually by the system administrator (
The process for distributing the host keys manually is explained in the following. The instructions reflect the Unix file paths but are applicable also to Windows. Simply replace the Unix paths with the corresponding Windows paths.
To obtain and store hashed remote host keys in the system-wide storage:
Select a client-side user whose
$HOME/.ssh2/hostkeys will be the basis for the system-wide
/etc/ssh2/hostkeys. The user should have administrative
privileges, as placing the keys to the system-wide location requires
The same user account must also be used to maintain the system-wide
/etc/ssh2/hostkeys later on if the host key on some server
changes. The process is to maintain the user's host keys in the
$HOME/.ssh2/hostkeys directory and then replicate the changes
to the system-wide
Make sure that the
directory is empty when obtaining the keys for the first time, or
that the saved host keys are intentional.
If you need to obtain new keys later, the same
$HOME/.ssh2/hostkeys/salt file has to be used.
Connect with Tectia Client to the remote server, verify the fingerprint, and save the key.
Repeat this step as many times as there are remote servers. Note that you do not have to complete the user authentication, only the key exchange part of the Secure Shell connection.
Once you have obtained all the host keys you wish to maintain in the system-wide location, place the keys to the system-wide location, for example by running the following commands:
# mkdir /etc/ssh2/hostkeys # cp -p $HOME/.ssh2/hostkeys/* /etc/ssh2/hostkeys
Note that also the salt file (
$HOME/.ssh2/hostkeys/salt) has to
be copied so that Tectia Client is able to identify the hashed host keys. Also if
multiple users contribute to the system-wide
/etc/ssh2/hostkeys directory, they have to share the same
After creating the system-wide location for host keys, you can maintain it by using the ssh-keygen-g3 tool.
The following copy examples show the most frequently needed commands
for host key storage maintenance. The commands use the user-specific hostkey
$HOME/.ssh2/hostkeys and possibly the
$HOME/.ssh/known_hosts file) as the source. If keys are
to be copied from a different source, you need to append an appropriate
option to the command.
To copy the key of a new host called 'alpha' from the user-specific hostkey storage to the system-wide directory, enter command:
# ssh-keygen-g3 --append=no --overwrite=no \ --copy-host-id alpha /etc/ssh2/hostkeys
In this case, because of
if a key for server 'alpha' already exists, the command
will fail and the key will not be updated.
To add additional keys to a known host, enter command:
# ssh-keygen-g3 --append=yes --copy-host-id alpha /etc/ssh2/hostkeys
To update the key of a known host, enter command:
# ssh-keygen-g3 --append=no --copy-host-id alpha /etc/ssh2/hostkeys
To remove a host from the known hosts list, enter command:
# ssh-keygen-g3 --hostkeys-directory /etc/ssh2/hostkeys \ --delete-host-id alpha
For more detailed information on the ssh-keygen-g3 tool, see ssh-keygen-g3(1).
To obtain and store traditional remote host keys in the system-wide storage:
As a server-side user, copy the
/etc/ssh2/hostkey.pub file from the server as
key_<port>_<hostname>.pub to the
/etc/ssh2/hostkeys/ directory on the client.
You can do this as a non-privileged user on the server but you must be a
privileged user, for example
root, on the client.
Use secure means to transfer the file or verify that the
fingerprint matches after the transfer with the ssh-keygen-g3
--fingerprint), for example on Tectia Server on Unix:
$ ssh-keygen-g3 -F /etc/ssh2/hostkey.pub
On the client:
# ssh-keygen-g3 -F /etc/ssh2/hostkeys/key_<port>_<hostname>.pub
Note that the identification is different based on the host and port
the client is connecting to. Also connection with IP is considered a
different host as well as connection to same host but different port. You
can copy the same traditional
key_<port>_<hostname>.pub to all these different