SSH Tectia

Host Key Distribution Process

This section gives more technical details on host key distribution.

Host key distribution is based on the host name determined by the Management Agent (see Hostname Resolution Mechanism) and on the default Secure Shell port 22. Secure Shell clients should therefore connect using a short or long hostname rather than an IP address, so that the name the client presents matches the name under which the host key was distributed.

Only the default server identity (/etc/ssh2/hostkey) is supported in host key distribution.

If a host key pair is regenerated or deleted, the public host key on all managed hosts is updated automatically, and a Notice-level message "Host key changed on <hostname>" is displayed in the event log.

The Management Agent checks the host key on the managed host for changes every five minutes, and checks the Management Server for host key updates every five minutes. Under normal conditions it therefore takes 10 minutes for a changed host key to be distributed back to the originating host. For the other hosts in the environment the delay can be longer or even shorter, depending on when their agents poll.

If the host key update for a host fails, the Management Server retries the update once per hour, provided the host is connected. Disconnected hosts receive the updates once they connect. The next update time is displayed on the Host key distribution page of the host. The update can also be triggered manually by clicking the Retry host key distribution now button; this sends only information on keys that need to be updated.
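The timing rules in the two paragraphs above (five-minute change check, five-minute update poll, hourly retry, deferral for disconnected hosts) can be modelled as a small discrete-time simulation. This is an added illustration, not SSH Tectia code: the host names, poll offsets, failure window and reconnection time are constructed assumptions, and the event-log lines only mimic the wording of the real log.

```python
from dataclasses import dataclass

CHANGE_POLL = 5      # agent checks the local host key for changes every 5 minutes
UPDATE_POLL = 5      # agent asks the Management Server for updates every 5 minutes
RETRY_INTERVAL = 60  # server retries a failed update once per hour

@dataclass
class ManagedHost:
    name: str
    poll_offset: int = 0  # minute of the 5-minute cycle at which this agent polls (assumed)
    connects_at: int = 0  # host is disconnected before this minute (0 = always connected)
    fails_until: int = 0  # updates to this host fail before this minute (0 = never fail)

def next_poll(after: int, period: int, offset: int) -> int:
    """Earliest poll strictly later than `after` for an agent that polls at
    offset, offset + period, offset + 2 * period, ..."""
    return offset + ((after - offset) // period + 1) * period

def simulate(hosts, origin, change_time, horizon=180):
    """Model a key regenerated on `origin` at `change_time` (minutes).
    Returns ({hostname: minute the new key arrived}, event log lines)."""
    log, delivered = [], {}
    # 1. The origin's agent notices the new key at its next change poll and
    #    reports it to the Management Server, which logs a Notice-level event.
    detected = next_poll(change_time, CHANGE_POLL, origin.poll_offset)
    log.append(f"{detected:4d} Notice: Host key changed on {origin.name}")
    # 2. Each managed host (the origin included) fetches it at its next update
    #    poll once connected; a failed update is retried once per hour.
    for h in hosts:
        t = next_poll(detected, UPDATE_POLL, h.poll_offset)
        while t <= horizon:
            if t < h.connects_at:      # disconnected: wait for the host to reconnect
                t = next_poll(h.connects_at, UPDATE_POLL, h.poll_offset)
            elif t < h.fails_until:    # update failed: retry in an hour
                log.append(f"{t:4d} Update to {h.name} failed, retry at {t + RETRY_INTERVAL}")
                t += RETRY_INTERVAL
            else:
                delivered[h.name] = t
                log.append(f"{t:4d} Host key of {origin.name} updated on {h.name}")
                break
    return delivered, log

if __name__ == "__main__":
    alpha = ManagedHost("alpha")  # originating host; the others are constructed peers
    fleet = [alpha, ManagedHost("beta", poll_offset=2),
             ManagedHost("gamma", fails_until=30), ManagedHost("delta", connects_at=40)]
    times, _ = simulate(fleet, alpha, change_time=0)
    print(times)  # alpha gets its own key back after 10 minutes
```

With the constructed fleet, beta receives the key after 7 minutes (earlier than the origin), gamma only at minute 70 after one hourly retry, and delta at minute 45 once it has reconnected.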

All host keys in the managed environment can be resent anytime to a host from the Host key distribution page by clicking the Resend all host keys to this host button. This will always send all host keys of the environment to the host.

If host key distribution is not supported for the Secure Shell product or version on a host, this is indicated on the Host key distribution page of the host, and the event log contains an Informational-level message such as "SSH Secure Shell Server 3.0.0 on <hostname> not supported for host key updates".