Tectia

Chapter 9 Managing Host Authentication

Table of Contents

Host Key Management
Host Key Distribution
Host Key GUI
Host Certificate Management
Using Certificates
Prerequisites for Using Certificate Authentication
Configuring PKI Settings for CA
Configuring Enrollment Settings
Enrollment Jobs
Managed Host Certificate

When an SSH client attempts to connects to an SSH server, the server host authenticates itself to the client. If the client cannot authenticate the server, the client refuses to continue and disconnects. The server host can authenticate itself using public keys, certificates, or both, allowing for smooth migration from public keys to certificates.

SSH server hosts use cryptographic authentication and each server has a unique cryptographic key pair (a public key and a private key) that identifies the server. Whenever a Secure Shell client connects to a Secure Shell server, the server authenticates itself to the client cryptographically. This ensures that encryption and integrity protection are provided end-to-end between the client and the intended server, and eliminates the possibility to perform certain cryptographic attacks, especially man-in-the-middle attacks.

In order for the cryptographic authentication to work, the client must know the server's public key so that it can securely authenticate the server. The public key of the server must be distributed to the client hosts. The private key of the server is never sent anywhere outside the server computer, but is used by the server to create a digital signature that can then be verified by the client using the public key.

Host key authentication is an alternative in small and medium-size networks, where simple public-key authentication is used without certificates. Host key authentication also makes it feasible to update the host keys automatically.

In large environments, the distribution of server public keys starts to become cumbersome even with Tectia Manager. Each host key consumes about a kilobyte of disk space, thus 1000 host keys will consume about a megabyte of disk space on each client machine.

As all host keys are sent to every machine, the time needed to distribute a new host key to all hosts grows linearly with the number of hosts, and the time needed to redistribute all host keys to all hosts grows with the square (N2) of the number of hosts. Even though host key distribution is very fast, performing millions of key transfers to thousands of machines over the network can take several hours and results in gigabytes of network traffic.

These issues pose a limit on the number of host keys that can be handled in practice as the environment grows. There are two approaches to make the server authentication scale beyond a few thousand hosts; we recommend the first option: