
I have to connect in an automated manner to a large number of servers using certificate authentication, using a certificate that has been deployed at server build time. My issue is that when I use batch mode -B, any server that would prompt for acceptance of the server's public key will fail. I need an automated way of accepting a server's public key, either at the command line or in a configuration file. I am not too familiar with the Tectia config files, so an example of a complete (albeit simple) config file to do this would be appreciated!!! I am using Tectia 6.0.XXXX

asked Jul 26 '10 at 20:51


Jason

edited Sep 21 '11 at 16:55


SSH KB ♦
I managed to solve this issue; here is the solution: in the ssh-broker-config.xml file the general section must contain these parameters:

    <general>
        <!-- Server host-key verification settings -->
        <strict-host-key-checking enable="no" />
        <host-key-always-ask enable="no" />
        <accept-unknown-host-keys enable="yes" />
    </general>

answered Jul 30 '10 at 17:44


Jason 1

edited Sep 03 '10 at 13:27


Roman ♦♦

This is, btw, handled in a much better way in version 6.1.4 and newer. There you can set the Host Key Policy to "Trust on First Use". This will result in new host keys being added without prompting the user to accept them.

This can even be specified on the command line without having to change the configuration file on each of the hosts.

More information on how to do this here: http://productdocs.ssh.com/support/documentation/online/ssh/winhelp/61/stconf-serverauth.html

(Sep 03 '10 at 13:31) Roman ♦♦
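The three `<general>` elements in the answer above decide whether the client still authenticates the server at all, so it is worth being able to check a fleet of ssh-broker-config.xml files for the permissive combination. The script below is an added example, not code from this thread or from Tectia: it parses the file, reads `strict-host-key-checking`, `host-key-always-ask` and `accept-unknown-host-keys`, and reports what the chosen combination means. The two sample configs are constructed, and the root element name `<secsh-broker>` is an assumption (the audit looks for `<general>` anywhere in the tree, so the real root name does not matter).

```python
"""Audit the host key settings in a Tectia ssh-broker-config.xml.

Added example, not code from the thread or from Tectia. It reads the three
elements shown in the answer above (strict-host-key-checking,
host-key-always-ask, accept-unknown-host-keys) and reports what the chosen
combination means for server authentication.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample configs. The root element name <secsh-broker> is an
# assumption; the audit locates <general> anywhere in the tree, so the real
# root name does not matter.
PERMISSIVE_CONFIG = """<secsh-broker>
  <general>
    <!-- settings from the answer above: batch mode never prompts, because
         any unknown host key is accepted and stored on first contact -->
    <strict-host-key-checking enable="no" />
    <host-key-always-ask enable="no" />
    <accept-unknown-host-keys enable="yes" />
  </general>
</secsh-broker>
"""

STRICT_CONFIG = """<secsh-broker>
  <general>
    <!-- batch-friendly and still authenticating the server: unknown hosts
         fail instead of prompting, so host keys must be distributed to
         the client in advance (e.g. at server build time) -->
    <strict-host-key-checking enable="yes" />
    <host-key-always-ask enable="no" />
    <accept-unknown-host-keys enable="no" />
  </general>
</secsh-broker>
"""

HOST_KEY_SETTINGS = (
    "strict-host-key-checking",
    "host-key-always-ask",
    "accept-unknown-host-keys",
)


def host_key_settings(xml_text):
    """Map each host key element to its 'enable' value ('yes'/'no'), or None
    when the element is absent. Tectia's built-in defaults are deliberately
    not assumed here; an absent element is reported as unset."""
    root = ET.fromstring(xml_text)
    settings = dict.fromkeys(HOST_KEY_SETTINGS)
    general = next(root.iter("general"), None)
    if general is None:
        return settings
    for name in HOST_KEY_SETTINGS:
        elem = general.find(name)
        if elem is not None:
            settings[name] = elem.get("enable", "").strip().lower() or None
    return settings


def audit(xml_text):
    """Return a list of (severity, message) findings; an empty list means the
    config fails closed on unknown host keys and never prompts."""
    s = host_key_settings(xml_text)
    findings = []
    if s["accept-unknown-host-keys"] == "yes":
        findings.append(("HIGH", "accept-unknown-host-keys=yes: the first key any host "
                         "presents is stored and trusted unverified, so an impersonating "
                         "server on first contact goes unnoticed"))
    if s["strict-host-key-checking"] != "yes":
        findings.append(("MEDIUM", "strict-host-key-checking is not 'yes': hosts without a "
                         "stored key are still connectable (interactive prompt, or silent "
                         "acceptance when combined with accept-unknown-host-keys=yes); set "
                         "'yes' and pre-distribute host keys instead"))
    if s["host-key-always-ask"] == "yes":
        findings.append(("INFO", "host-key-always-ask=yes: every connection prompts, which "
                         "breaks batch (-B) use"))
    return findings


if __name__ == "__main__":
    # Usage: python audit_broker_config.py [path/to/ssh-broker-config.xml]
    # Without a path, the two constructed samples are audited.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            targets = {sys.argv[1]: fh.read()}
    else:
        targets = {"permissive sample": PERMISSIVE_CONFIG, "strict sample": STRICT_CONFIG}
    for label, text in targets.items():
        print(f"== {label}")
        for severity, message in audit(text) or [("OK", "unknown host keys are rejected")]:
            print(f"  [{severity}] {message}")
```

The strict sample is the batch-safe alternative to the settings in the answer: the client still refuses any host whose key it does not already hold, so the host keys have to reach the client's trust store by the same build-time deployment that already delivers the user certificate.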

As far as I know, there is no automated way to accept host keys when connecting for the first time. What you need to do is connect once to each server and manually accept the server's public key by opting to "save" the key when prompted. This will copy the public key for the host to a secure location on the client for future reference.

You will not be prompted to accept the key again unless the host changes keys.


answered Jul 29 '10 at 22:04


RayC

For 700+ servers this is really not an option, but thanks for the suggestion!

(Jul 30 '10 at 17:49) Jason 1

Hello, you are correct: Tectia Client 5.x/6.0/6.1 have their ssh-broker-config.xml files, where you can tweak server authentication settings.

Tectia Client usually reads its configuration files from these locations:

Linux/Unix:

  • User specific: $HOME/.ssh2/ssh-broker-config.xml
  • System wide: /etc/ssh2/ssh-broker-config.xml

Windows:

  • User specific: %USERPROFILE%\Application Data\SSH\ssh-broker-config.xml

For example: C:\Documents and Settings\samim\Application Data\SSH\ssh-broker-config.xml

  • System wide (if default installation location in use):
    C:\Program Files\SSH Communications Security\SSH Tectia\SSH Tectia Broker\ssh-broker-config.xml

IBM z/OS (6.0/6.1):

  • User specific: $HOME/.ssh2/ssh-broker-config.xml
  • System wide: /opt/tectia/etc/ssh-broker-config.xml

NOTE: The server authentication step is a vital part of security, and it is not recommended that you disable it!

If you have a large server environment, then I recommend that you use X509v3 certificates instead of plain public key files, as then you do not have this "fingerprint check" issue anymore (e.g. even when you add a brand new server to your network). Tectia supports X509v3 certificates in the server and user authentication steps (including certificate revocation checking via an OCSP service or via CRL files).

--SamiM


answered Sep 01 '10 at 12:10


Sami Marttinen ♦

We are using SSH Tectia Client v6.1.7 on the Windows platform and I don't see a file "ssh-broker-config.xml" at the following locations.

Am I missing something?

Appreciate any pointers.

Windows:

User specific: %USERPROFILE%\Application Data\SSH\ssh-broker-config.xml For example: C:\Documents and Settings\samim\Application Data\SSH\ssh-broker-config.xml

System wide (if default installation location in use): C:\Program Files\SSH Communications Security\SSH Tectia\SSH Tectia Broker\ssh-broker-config.xml


answered Jul 15 '12 at 15:57


vxb8874

Asked: Jul 26 '10 at 20:51

Seen: 6,406 times

Last updated: Jul 15 '12 at 15:57

All user contributed content licensed under the cc-by-sa license.