When Tectia Server is installed on a host that is part of clustering or some high availability setup, the identity of the server host is important.
asked Dec 23 '10 at 18:03
SSH KB ♦
A Secure Shell client will validate the Tectia Server's identity during the server authentication. The server name and port used for connecting is utilized when matching the identity.
By default, a DSA hostkey pair (hostkey and hostkey.pub) is used by the Tectia Server. The Secure Shell client will check the key sent by the server with each connection against its local hostkey database.
If there is a DNS round-robin system in the environment which will direct the connections to two different machines that provide the same service, then one of the machines should be selected as primary and its Tectia Server configuration file (ssh-server-config.xml) and the server's identity (hostkey and hostkey.pub) should be replicated to the secondary machine. The important thing with this approach is that the private key of the primary machine has to be transferred securely to the secondary machine(s).
If the user is using an Tectia version prior to 5.0 or a third-party Secure Shell client, and this is not done, the user will receive a message similar to "SERVER HOST IDENTIFICATION HAS CHANGED" whenever a connection is made to any machine other than the machine for which the client has the public hostkey saved.
If a Tectia Client version 5.x or above is used, the machines can have individual host keys. The user is prompted for the warning but has option to save alternate identification for the server.
If the Tectia Client/Server solution is used throughout the environment, then the recommended setup is to use host certificates instead of hostkeys for server authentication.
This way each machine can have an individual private key and certificate, and the SSH Tectia Client can validate the server's identity with a trusted Certification Authority (CA) certificate and typically also using a Certificate Revocation List (CRL).
The Internal Certification Authority of Tectia Manager for example can be used to issue host certificates for the Tectia Servers on managed hosts and Tectia Manager used to configure the Tectia Client/Server environment accordingly.
For more information please see the Tectia Client and Server User Manuals and the PKI section in the Tectia Deployment Guide available at
answered Dec 23 '10 at 18:12
Alan - Tectia Support ♦