4.20.2.6. Host key verification

To build the required SSH connections both towards the client and the server, PNS has to present the appropriate host key to the client; otherwise the client rejects the connection, because the key does not match the server it intends to connect to. This is easily solved when PNS is used to protect servers: the server's host key is deployed on PNS as well. It is not possible when protecting clients, because the private host keys of all servers that will be contacted are rarely available. In this case the SSH proxy can be configured to verify the identity of the server automatically using the server_hostkeys_verify attribute. This is similar to certificate verification in SSL connections, but in SSH there is no certificate or other identity information attached to the host key: verification can only compare the presented key with a key previously recorded for that IP address and port, so the result is only as trustworthy as the way that record was obtained.

The methods supported for host key verification are shown in the following table.

Name                  Value
SSH_HKV_ACCEPT_ANY    Accept any host key.
SSH_HKV_ACCEPT_ONCE   Accept unknown host keys only on the first occasion. The IP address-port pair of an unknown host key is registered, and later connections to that address and port are verified against the registered key (trust on first use: the first connection itself is not verified).
SSH_HKV_ACCEPT_KNOWN  Accept only known host keys. Public keys can be configured for each IP address-port pair (as in a known_hosts file). For any unknown IP address-port pair the connection is terminated.

Table 4.59.  SSH host key verification mode.
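The decision each mode makes for a known, an unknown and a changed host key, as an added example in plain Python. This is not PNS or Zorp code and does not use its policy API; it only models the semantics of the three modes in the table so they can be exercised offline. The HostKeyVerifier class, the (IP address, port) registry, the OpenSSH known_hosts-style input format and the sample key strings are assumptions made for this illustration.

```python
"""Model of the SSH host key verification modes (illustration, not PNS/Zorp code)."""
from enum import Enum
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (IP address, port) pair, the unit the proxy keys on


class HostKeyVerify(Enum):
    """The three server_hostkeys_verify modes, named after the table above."""
    ACCEPT_ANY = "SSH_HKV_ACCEPT_ANY"
    ACCEPT_ONCE = "SSH_HKV_ACCEPT_ONCE"
    ACCEPT_KNOWN = "SSH_HKV_ACCEPT_KNOWN"


def parse_known_hosts(text: str) -> Dict[Endpoint, str]:
    """Parse known_hosts-style lines into an (ip, port) -> "keytype base64" map.

    Assumed format (modelled on OpenSSH): "host keytype base64" for port 22,
    or "[host]:port keytype base64" for another port. Blank lines and
    '#' comments are skipped; a line with fewer than three fields is an error.
    """
    table: Dict[Endpoint, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"known_hosts line {lineno}: expected host, type, key")
        host_field, key_type, key_data = parts[0], parts[1], parts[2]
        if host_field.startswith("[") and "]:" in host_field:
            host, port_text = host_field[1:].rsplit("]:", 1)
            port = int(port_text)
        else:
            host, port = host_field, 22
        table[(host, port)] = f"{key_type} {key_data}"
    return table


class HostKeyVerifier:
    """Decides whether a server-side connection may proceed given the presented host key."""

    def __init__(self, mode: HostKeyVerify, known: Optional[Dict[Endpoint, str]] = None):
        self.mode = mode
        self.known: Dict[Endpoint, str] = dict(known or {})

    def verify(self, ip: str, port: int, presented_key: str) -> bool:
        """Return True to accept the server, False to terminate the connection."""
        endpoint = (ip, port)
        if self.mode is HostKeyVerify.ACCEPT_ANY:
            return True  # no verification at all
        stored = self.known.get(endpoint)
        if stored is None:
            if self.mode is HostKeyVerify.ACCEPT_ONCE:
                # Trust on first use: register the key, later connections must match it.
                self.known[endpoint] = presented_key
                return True
            return False  # ACCEPT_KNOWN: unknown address-port pair, terminate
        # Known pair (either configured or registered earlier): the key must match.
        return stored == presented_key


# Constructed sample input; the key material is a placeholder, not a real key.
KNOWN_HOSTS = """\
# constructed known_hosts for the example
10.0.0.5 ssh-ed25519 AAAAexampleKeyA
[10.0.0.6]:2222 ssh-rsa AAAAexampleKeyB
"""


def demo() -> Dict[str, bool]:
    """Run each mode against a known, an unknown and a changed key; return the decisions."""
    known = parse_known_hosts(KNOWN_HOSTS)
    strict = HostKeyVerifier(HostKeyVerify.ACCEPT_KNOWN, known)
    tofu = HostKeyVerifier(HostKeyVerify.ACCEPT_ONCE)
    return {
        "known/match": strict.verify("10.0.0.5", 22, "ssh-ed25519 AAAAexampleKeyA"),
        "known/changed": strict.verify("10.0.0.5", 22, "ssh-ed25519 AAAAotherKey"),
        "known/other-port": strict.verify("10.0.0.5", 2222, "ssh-ed25519 AAAAexampleKeyA"),
        "once/first": tofu.verify("192.0.2.10", 22, "ssh-ed25519 AAAAfirst"),
        "once/same": tofu.verify("192.0.2.10", 22, "ssh-ed25519 AAAAfirst"),
        "once/changed": tofu.verify("192.0.2.10", 22, "ssh-ed25519 AAAAchanged"),
        "any/anything": HostKeyVerifier(HostKeyVerify.ACCEPT_ANY).verify("192.0.2.10", 22, "x"),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:18} {'accept' if accepted else 'terminate'}")
```

The port is part of the lookup key on purpose: a host key recorded for port 22 says nothing about a service on port 2222 of the same address, so in SSH_HKV_ACCEPT_KNOWN mode that pair is unknown and the connection is terminated. The "once/first" case is the weak spot of SSH_HKV_ACCEPT_ONCE: whatever key is presented on the first connection becomes the reference, so that connection is unverified.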