SSH Tectia

Server Authentication Management

SSH Tectia Manager contains a built-in certification authority (CA) for managing SSH Tectia Server host identities. The CA can issue X.509 certificates to server hosts that have SSH Tectia Server version 4.x or later installed, renew the certificates when the end of their validity period is near, and revoke them when necessary. The CA publishes a certificate revocation list (CRL) where the revoked certificates are listed. SSH Tectia Manager also manages the public-key infrastructure (PKI) settings throughout the client/server environment to ensure easy deployment of strong authentication.

SSH Tectia Manager also supports centralized enrollment of certificates from an external PKI (Entrust Authority is supported).

In environments where the PKI and X.509 certificate authentication are not available, host public keys are used for SSH Tectia Server host authentication. During server public-key authentication, SSH Tectia Client typically notifies the user upon connecting if the public key of the server host has changed since the last connection. This is done to inform the user of a potential security breach. However, in many cases the server public key has changed due to a reinstallation of the server.

The danger is that users who see such notifications repeatedly may eventually begin to ignore them, which negates the original purpose of the alarm and weakens the security of the environment against real attacks.

To avoid unnecessary user alerts, SSH Tectia Manager enables automatic distribution of the public keys of server hosts within the environment. In the event of an authorized reinstallation of a server, SSH Tectia Manager distributes the new host key to the other hosts in the environment, thus providing transparent authentication for subsequent connections. Server authentication management also enables the first connection to a new server to be transparently authenticated. The private key of the server never leaves its host.
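The following added example (not SSH Tectia code, and not its storage format) models the client-side decision described above: a centrally distributed host key lets the first connection and a connection after an authorized reinstallation succeed without a prompt, while any key that was not distributed still raises the alert. The `HostKeyStore` class, the host name `db01.example`, and the sample keys are assumptions constructed for illustration.

```python
import base64
import hashlib
import struct

def make_blob(seed: bytes) -> bytes:
    """Constructed sample: SSH wire-format ed25519 public key blob."""
    key_type, key = b"ssh-ed25519", hashlib.sha256(seed).digest()
    return (struct.pack(">I", len(key_type)) + key_type
            + struct.pack(">I", len(key)) + key)

def fingerprint(blob: bytes) -> str:
    """SHA-256 fingerprint in the common 'SHA256:<base64>' form."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

class HostKeyStore:
    """Hypothetical client-side store filled by a central manager, not by users."""
    def __init__(self):
        self._trusted = {}  # hostname -> fingerprint of the current host key

    def distribute(self, host: str, blob: bytes) -> None:
        """Manager pushes the current key (first install or authorized reinstall)."""
        self._trusted[host] = fingerprint(blob)

    def check(self, host: str, presented: bytes) -> str:
        expected = self._trusted.get(host)
        if expected is None:
            return "unknown"   # no distributed key: the user would be prompted
        if expected == fingerprint(presented):
            return "trusted"   # connect without any prompt
        return "changed"       # differs from the distributed key: alert

def scenario() -> list:
    store = HostKeyStore()
    old, new, rogue = make_blob(b"old"), make_blob(b"new"), make_blob(b"rogue")
    results = [store.check("db01.example", old)]        # before distribution
    store.distribute("db01.example", old)
    results.append(store.check("db01.example", old))    # first connection
    store.distribute("db01.example", new)               # authorized reinstall
    results.append(store.check("db01.example", new))    # no alert after reinstall
    results.append(store.check("db01.example", rogue))  # key never distributed
    results.append(store.check("db01.example", old))    # retired key is rejected
    return results

if __name__ == "__main__":
    print(scenario())
```

Because the store is only ever written by the distribution step, a "changed" result here always means the presented key was not issued through the managed channel, which keeps the alert meaningful.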