SSH

Host Key Distribution

Tectia Manager automates the distribution and maintenance of the server host public keys (also called host keys). The host key distribution makes the management of the keys completely transparent to the end-users. Using automated host key distribution eliminates new-key-approval or key-changed messages that may confuse the users.

Host key distribution to managed hosts is enabled by default. If necessary, you can disable the feature in Settings → System Settings by setting the option Enable distributing host keys to managed hosts to False.

Note

Host key distribution is based on the host name determined by the Management Agent (see Hostname Resolution Mechanism), and the default Secure Shell port 22. Secure Shell clients should connect using a short or long hostname instead of an IP address.

Host Key Distribution Process

The Management Agent automatically collects the public host keys of the managed hosts that have supported Secure Shell server software running. The Management Agent reads the host keys from the default key location (that varies per product and per operating system). The Management Agent sends the host keys to the Management Server for storage and distribution to SSH clients.

Tectia Manager distributes the host keys to all managed Tectia Client and ConnectSecure installations on Linux, Unix and Windows platforms, and to OpenSSH clients on Linux and Unix. On the clients, the host keys are stored in the known host key database common to all users.

The Management Agent checks the managed host for host key changes every five minutes and polls the Management Server for host key updates every five minutes. A changed host key therefore normally takes approximately 10 minutes to be distributed to the SSH environment.

If a host key pair is regenerated or deleted, the public host key on all managed hosts is updated automatically, and a Notice level message "Host key changed on <hostname>" is displayed in the event log.

If the host key update for a host fails, the Management Server will retry the update once per hour, assuming the host is connected. Disconnected hosts will receive updates once connected. The next update time is displayed on the Host key distribution page of the host. The update can also be done manually by clicking the Retry host key distribution now button. It will only send information on keys that need to be updated.

All host keys in the managed environment can be resent anytime to a host from the Host key distribution page by clicking the Resend all host keys to this host button. This will always send all host keys of the environment to the host.

If host key distribution is not supported for the Secure Shell product or version, it will be displayed on the Host key distribution page of the host, and the event log will contain an Informational-level message, such as "SSH Secure Shell Server 3.0.0 on <hostname> not supported for host key updates".

Host Key Locations on the Managed SSH Client Hosts

Tectia Manager stores the public keys in the default key locations on the SSH client hosts as follows:

On Tectia Client host:
  • On Unix: /etc/ssh2/hostkeys

    To allow host-based authentication on Unix, the public host keys are also distributed to the /etc/ssh2/knownhosts directory on Tectia client-side hosts.

  • On Windows XP and Server 2003:

    C:\Documents and Settings\All Users\Application Data\SSH\HostKeys

  • On Windows Vista and later: C:\ProgramData\SSH\HostKeys

On OpenSSH client hosts:
  • On HP-UX (to file): /opt/ssh/etc/ssh_known_hosts

  • On other Unix and Linux (to file): /etc/ssh/ssh_known_hosts

Host key distribution is not supported to OpenSSH clients on Windows.

Tip

If Secure Shell software has already been installed on the managed host, make sure that the user-specific host-key locations do NOT contain any keys for hosts that should be centrally managed.
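The check this tip asks for can be scripted. The following is an added example, not part of Tectia Manager, that compares a user's known_hosts content against the central ssh_known_hosts content and flags user entries for hosts the central file manages; the two file contents and the keys in them are constructed sample data.

```python
from typing import Dict, List, Tuple

def parse_known_hosts(text: str) -> List[Tuple[str, str, str]]:
    """Return (host, keytype, key) for each plain-hostname entry; comma lists
    are expanded, hashed (|1|...) and @marker lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#@" or line.startswith("|1|"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed line, not a usable key entry
        for host in fields[0].split(","):
            entries.append((host.lower(), fields[1], fields[2]))
    return entries

def audit_user_entries(central: str, user: str) -> Dict[str, List[str]]:
    """Flag every user entry for a host present in the central file:
    conflict = same host/type, different key; duplicate = identical entry;
    extra_type = managed host but a key type the central file lacks."""
    managed = {(h, t): k for h, t, k in parse_known_hosts(central)}
    managed_hosts = {h for h, _ in managed}
    report: Dict[str, List[str]] = {"conflict": [], "duplicate": [], "extra_type": []}
    for host, ktype, key in parse_known_hosts(user):
        if host not in managed_hosts:
            continue  # not centrally managed, the user may keep it
        central_key = managed.get((host, ktype))
        if central_key is None:
            bucket = "extra_type"
        elif central_key == key:
            bucket = "duplicate"
        else:
            bucket = "conflict"
        report[bucket].append(f"{host} {ktype}")
    return report

# Constructed sample contents (not real keys) for /etc/ssh/ssh_known_hosts
# and a user's ~/.ssh/known_hosts.
CENTRAL = """\
server1.example.com,server1 ssh-ed25519 AAAAC3central1
server2.example.com ssh-rsa AAAAB3central2
"""
USER = """\
server1.example.com ssh-ed25519 AAAAC3stale1
server2.example.com ssh-rsa AAAAB3central2
server2.example.com ssh-ed25519 AAAAC3userextra
lab.example.com ssh-ed25519 AAAAC3lab
@cert-authority *.example.com ssh-rsa AAAAB3ca
"""
```

Entries in the conflict bucket are the ones this tip is about: a key the user accepted earlier that disagrees with the key Tectia Manager distributes.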

Resending Host Keys to a Managed Host

Host keys of managed SSH server hosts can be resent to a host from that host's Host view page.

To do this, select the Secure Shell software tab and then the Host key distribution tab. Click Resend all host keys to this host to send all SSH server host public keys from the Management Server to the host.

If an automatic host key update has failed, the page will display the next update time. The update can also be retried manually by clicking the Retry host key distribution now button. It will only send information on changed host keys that need to be updated.