To successfully build the required SSH connections both towards the client
and the server, PNS has to show the appropriate keys to the client (otherwise
the client will reject the connection, as the key does not match the server it
intends to connect to). This problem can be easily overcome if PNS is used to
protect the servers: the server key has to be deployed on PNS as well. However,
this is not possible when protecting clients, because the private keys of all
servers that will be contacted are rarely available. In this case, the SSH
proxy can be configured to automatically verify the identity of the server
using the server_hostkeys_verify attribute. This is similar to certificate
verification in SSL connections, but in SSH there is no certificate or other
identity information attached to the host keys.
The methods supported for host key verification are shown in the following table.
Name | Value |
---|---|
SSH_HKV_ACCEPT_ANY | Accept any host key. |
SSH_HKV_ACCEPT_ONCE | Accept unknown host keys only on the first occasion. The IP address-port pair of an unknown host key is registered, and later on that key is used to verify connections from that address. |
SSH_HKV_ACCEPT_KNOWN | Accept only known host keys. Public keys can be configured for each IP address-port pair (as with the known_hosts file). For any unknown IP address-port pair the connection is terminated. |
Table 4.59. SSH host key verification mode.
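As an added illustration of how the three modes differ (example code, not PNS's own implementation), the following models each mode's decision for an IP address-port pair. Host keys are constructed fingerprint strings, the known-host store is a plain dict, and the string values of the mode constants are assumptions.

```python
from dataclasses import dataclass, field
# Mode names from the table above; their string values are illustrative, not PNS's real constants.
SSH_HKV_ACCEPT_ANY = "SSH_HKV_ACCEPT_ANY"
SSH_HKV_ACCEPT_ONCE = "SSH_HKV_ACCEPT_ONCE"
SSH_HKV_ACCEPT_KNOWN = "SSH_HKV_ACCEPT_KNOWN"

class HostKeyRejected(Exception):
    """Server identity not established: the proxy terminates the connection."""

@dataclass
class HostKeyVerifier:
    mode: str
    known: dict = field(default_factory=dict)  # (ip, port) -> key, like a known_hosts file

    def verify(self, ip, port, presented):
        """Return True to accept the presented server key, raise HostKeyRejected otherwise."""
        if self.mode == SSH_HKV_ACCEPT_ANY:
            return True                              # no identity check at all
        pinned = self.known.get((ip, port))
        if pinned is not None:                       # pair already registered or configured
            if pinned != presented:
                raise HostKeyRejected(f"{ip}:{port}: key differs from the registered key")
            return True
        if self.mode == SSH_HKV_ACCEPT_ONCE:
            self.known[(ip, port)] = presented       # first occasion: register and trust
            return True
        raise HostKeyRejected(f"{ip}:{port}: no host key configured for this pair")

def attempt(verifier, ip, port, key):
    """Outcome of one server-side connection attempt as the proxy would see it."""
    try:
        return "accepted" if verifier.verify(ip, port, key) else "terminated"
    except HostKeyRejected:
        return "terminated"

def demo():
    """Constructed scenarios (fingerprints and addresses are made up); returns outcomes."""
    key_a, key_b = "SHA256:constructed-A", "SHA256:constructed-B"
    once = HostKeyVerifier(SSH_HKV_ACCEPT_ONCE)
    known = HostKeyVerifier(SSH_HKV_ACCEPT_KNOWN, {("192.0.2.10", 22): key_a})
    return {  # dict literals evaluate in order, so the ACCEPT_ONCE pinning carries forward
        "any": attempt(HostKeyVerifier(SSH_HKV_ACCEPT_ANY), "192.0.2.10", 22, key_b),
        "once_first": attempt(once, "192.0.2.10", 22, key_a),    # first contact pins key_a
        "once_same": attempt(once, "192.0.2.10", 22, key_a),
        "once_changed": attempt(once, "192.0.2.10", 22, key_b),  # same pair, different key
        "once_new_port": attempt(once, "192.0.2.10", 2222, key_b),  # new pair: first occasion again
        "known_ok": attempt(known, "192.0.2.10", 22, key_a),
        "known_changed": attempt(known, "192.0.2.10", 22, key_b),
        "known_unknown": attempt(known, "192.0.2.11", 22, key_a),  # pair not configured
    }
```

Note that in ACCEPT_ONCE mode a different port on the same address counts as a new pair and is trusted on first sight again, so the pinning is only as strong as the first contact.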
© 2021 BalaSys IT Security.
Send your comments to support@balasys.hu