11.1. Procedure – Setting the SSH host keys and certificates of the connection

Purpose: 

By default, PSM accepts and stores the host key or certificate of the server when the connection is first established. To manually set the SSH keys and certificates used and accepted in the connection, complete the following steps.

Steps: 

  1. Navigate to SSH Control > Connections and click to display the details of the connection.

    Figure 11.1. SSH Control > Connections — Configuring SSH host keys of the connection

  2. To verify the identity of the servers based on their hostkeys, select Server-side hostkey settings > Allow plain host keys.

    Note

    At least one of the Server-side hostkey settings options must be enabled.

    • Select Accept key for the first time to automatically record the key shown by the server on the first connection. PSM will accept only this key from the server in later connections. This is the default behavior of PSM.

    • Select Only accept trusted keys if the key of the server is already available on PSM. PSM will accept only the stored key from the server. For further information on setting the host keys of the server, see Section 11.4, Server host keys and certificates.

    • Select Disable SSH hostkey checking to disable SSH host key verification.

      Warning

      Disabling SSH host key verification makes it impossible for PSM to verify the identity of the server and prevent man-in-the-middle (MITM) attacks.

  3. To verify the identity of the servers based on their X.509 host certificates, select Server-side hostkey settings > Allow X.509 host certificates.

    Note

    At least one of the Server-side hostkey settings options must be enabled.

    • Select Accept certificate for the first time to automatically record the certificate shown by the server on the first connection. PSM will accept only this certificate from the server in later connections.

    • Select Only accept uploaded certificates if the certificate of the server is already available on PSM. PSM will accept only the stored certificate from the server. For further information on setting the host certificate of the server, see Section 11.4, Server host keys and certificates.

    • Select Only accept certificates authenticated by the trusted CA list to verify the host certificate of the server to a CA certificate, and select the Trusted CA list to use in the Trusted CA list field. For details on creating CA lists, see Procedure 7.11, Verifying certificates with Certificate Authorities.

      Note

      By default, PSM accepts only plain hostkeys, and records them on the first connection (Accept key for the first time).

    • Select No check required to disable SSH host key verification.

      Warning

      Disabling SSH host key verification makes it impossible for PSM to verify the identity of the server and prevent man-in-the-middle (MITM) attacks.

  4. To set the RSA and DSA host keys that PSM shows to the clients, select Client side hostkey settings > Allow plain host keys, and click in the RSA host key or the DSA host key fields to set the RSA and DSA host keys, respectively.

    It is possible to upload or paste a key or to generate a new one, depending on the type of key you have. You have the following options:

    • In the case of DSA keys: you can upload or paste your key.

      Note

      DSA host keys have been deprecated because of security reasons.

    • In the case of RSA keys: you can choose to upload or paste a key, or generate a new one.

      Note

      Balabit recommends using 2048-bit RSA keys (or stronger).

    Click on the fingerprint to display the public part of the key.

  5. To enable PSM to show an X.509 certificate to the clients, select Client side hostkey settings > Allow X.509 host certificates.

    • To always use the same certificate, select Use the same certificate for every connection and upload a private key and a certificate.

    • To generate a new certificate for the connection policy (not for every session), select Generate certificates on-the-fly, and set the CA to use for signing the certificate in the Signing CA field. For details about creating signing CAs, see Procedure 7.12, Signing certificates on-the-fly.

  6. Click .
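To make the three server-side hostkey modes of Steps 2 and 3 concrete, and the fingerprint that Step 4 lets you display, here is an added Python example (not part of PSM or of this documentation) that computes the SHA256 fingerprint of an OpenSSH public key line in the format ssh-keygen -lf prints, and emulates Accept key for the first time, Only accept trusted keys and Disable SSH hostkey checking against an in-memory key store. The host name, the store and the ed25519 key bytes are constructed for the example.

```python
import base64
import hashlib
import struct

def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length + payload)."""
    return struct.pack(">I", len(data)) + data

def make_ed25519_pubkey_line(raw32: bytes, comment: str = "constructed") -> str:
    """Build an OpenSSH 'ssh-ed25519 <base64> <comment>' line from 32 raw bytes.
    Only used to construct sample input here; the bytes are not a real key."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"

def fingerprint_sha256(pubkey_line: str) -> str:
    """Return the fingerprint of a public key line as ssh-keygen -lf prints it:
    'SHA256:' + base64 of the SHA-256 of the decoded key blob, padding stripped.
    Compare this with the fingerprint shown in the PSM host key field."""
    blob = base64.b64decode(pubkey_line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

class HostKeyPolicy:
    ACCEPT_FIRST = "accept_first"  # Accept key for the first time (default)
    TRUSTED_ONLY = "trusted_only"  # Only accept trusted keys
    DISABLED = "disabled"          # Disable SSH hostkey checking

def check_host_key(store: dict, host: str, presented: str, policy: str) -> bool:
    """Emulate the server-side hostkey modes. `store` maps host -> recorded
    public key line (a stand-in for the keys stored on PSM). Returns True if
    the connection may proceed. ACCEPT_FIRST records the key when none is
    stored and pins it for later connections; TRUSTED_ONLY rejects unknown
    hosts; DISABLED accepts anything, so a MITM key passes unnoticed."""
    if policy == HostKeyPolicy.DISABLED:
        return True
    stored = store.get(host)
    if stored is None:
        if policy == HostKeyPolicy.ACCEPT_FIRST:
            store[host] = presented
            return True
        return False
    # Compare the decoded key blobs, not the text, so comments do not matter.
    return base64.b64decode(stored.split()[1]) == base64.b64decode(presented.split()[1])
```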