To successfully build the required SSH connections both towards the client
and the server, Zorp has to show the appropriate keys to the client (otherwise
the client will reject the connection as the key does not match the server it
intends to connect). This problem can be easily overcome if Zorp is used to
protect the servers: the server key has to be deployed on Zorp as well. However,
this is not possible when protecting clients, because the private keys of all
servers that will be contacted is rarely available. In this case, SSH
proxy can be configured to automatically verify the identity of the server
using the server_hostkeys_verify attribute. This
is similar to certificate verification in SSL connections, but in SSH there is
no certificate or other identity information attached to the host keys.
The methods supported for host key verification are shown in the following table.
| Name | Value |
|---|---|
| SSH_HKV_ACCEPT_ANY | Accept any host key. |
| SSH_HKV_ACCEPT_ONCE | Accept unknown host keys only on the first occassion. The IP address-port pair of unknown host keys is registered, later on that key is used to verify connections from that address. |
| SSH_HKV_ACCEPT_KNOWN |
Accept only known host keys. Public keys can be configured for each IP address or port pair (like in case of the known_hosts file). For any unknown IP address-port pair the connection is terminated.
|
Table 4.75. SSH host key verification mode.
Published on May 30, 2024
© BalaSys IT Ltd.
Send your comments to support@balasys.hu
