Your browser does not allow storing cookies. We recommend enabling them.

SSH Tectia

Server Authentication Settings

SSH Tectia Client software needs to perform the following actions for strong server authentication:

  • Validate the host certificate signature. For this, the CA certificate is needed. In this case, the preconfigured Internal Root CA of the SSH Tectia Manager Internal CA is configured in the CA list.

  • Verify that the host certificate has not been revoked. In this case, the check is performed against a CRL retrieved from the Management Server HTTP server. The appropriate CRL distribution point (DP) is defined as an HTTP URL in the host certificate itself.

    [Note]Note

    The SSH Tectia client-side managed hosts must be allowed to access the CRL DPs (by default, Management Server port 80) in the firewall configuration of the organization.

  • Verify that the host certificate matches the server host. The hostname used for the connection is matched to the DNS extension, typically containing a fully qualified domain name (FQDN), or Subject Name if the DNS extension does not match, or in case IP is used, the check is done against the IP extension in the Subject Alternative Name of the host certificate.

SSH Tectia Client configuration for server authentication

Figure 5.21. SSH Tectia Client configuration for server authentication


 

 
PrivX
 

 

 
What to read next:

  • Reduce Secure Shell risk. Get to know the NIST 7966.



    The NISTIR 7966 guideline from the Computer Security Division of NIST is a direct call to action for organizations regardless of industry and is a mandate for the US Federal government.
    Download now
  • ISACA Practitioner Guide for SSH



    With contributions from practitioners, specialists and SSH.COM experts, the ISACA “SSH: Practitioner Considerations” guide is vital best practice from the compliance and audit community.
    Download now