
Managing Host Keys


Configure Host Key Checking

Use this procedure to specify how Reflection should behave when connecting to an unknown host.

To configure host key checking

  1. Open the Reflection Secure Shell Settings dialog box.

  2. Select the Host Authentication section.

  3. Select one of the following options from the Enforce strict host key checking dropdown.

    Ask User (default): Display the Host Key Authenticity confirmation dialog box when you connect to an unknown host.
    Yes: Enforce strict host key checking. Reflection does not connect if the host is not a trusted host. Before you can connect, you must add the host key to your list of trusted host keys.
    No: Do not enforce strict host key checking. Reflection connects without displaying a confirmation dialog box. The host key is not added to the list of trusted keys.

note

  • Enforce strict host key checking has no effect when the host has been configured to authenticate using X.509 certificates. If a host presents a certificate for host authentication and you do not have the required CA certificate in your Trusted Root store, the connection fails.

  • Changes you make to this setting are saved to the currently specified SSH configuration scheme.

  • Secure Shell settings are saved to the Secure Shell configuration file. You can also configure Secure Shell settings by editing this file manually in any text editor. The keyword used to configure this setting is StrictHostKeyChecking.


Configure the Preferred Host Key Type

Use Prefer ssh keys over certificates to specify the order of preference for host key algorithms. This setting is useful when the server is configured for both certificate and standard host key authentication. SSH protocol allows only one attempt to authenticate the host. If the host presents a certificate, and the client is not configured for host authentication using certificates, the connection fails. (This is different from user authentication, in which multiple authentication attempts are supported.)

To configure the preferred host key type (standard SSH keys or certificates)

  1. Open the Reflection Secure Shell Settings dialog box.

  2. Select the Host Authentication section.

  3. To have the host use standard host keys for authentication, select Prefer ssh keys over certificates.

    -or-

    To use certificates for authentication, clear Prefer ssh keys over certificates.

note

  • Changes you make to this setting are saved to the currently specified SSH configuration scheme.

  • Secure Shell settings are saved to the Secure Shell configuration file. You can also configure Secure Shell settings by editing this file manually in any text editor. The keyword used to configure this setting is HostKeyAlgorithms.


The Known Hosts File

The Secure Shell client maintains a list of known hosts in the known hosts file. The client supports both user-specific and global known hosts files.

The user known hosts file
  The user-specific known hosts file is called known_hosts and is located in the user's .ssh folder. This is the default known hosts file. The client automatically updates this file when:
  • You update the Trusted Host Keys list in the Host Authentication tab of the Secure Shell settings dialog box.

    -OR-
  • You connect to a previously unknown host and answer Always in response to the Host Key Authenticity prompt.

The global known hosts file
  System administrators can add a system-wide known hosts file named ssh_known_hosts to the client application data folder. In this location the known hosts file provides a list of hosts for all users of the PC. Keys in this list can be viewed, but not edited, in the Global Host Keys list in the Host Authentication tab of the Secure Shell settings dialog box.

Host Key Authenticity Dialog Box

This confirmation dialog box appears if the host you are connecting to is not a trusted host. It asks: "Do you want to trust this new host key and continue connecting?"

Host authentication enables the Secure Shell client to reliably confirm the identity of the Secure Shell server. This authentication is done using public key authentication. If the host public key has not previously been installed on the client, the first time you attempt to connect you see a message indicating that this is an unknown host. This message includes a fingerprint that identifies the host.

To be sure that this is actually your host, you should contact the host system administrator who can confirm that this is the correct fingerprint. Until you know that the host is actually your host, you are at risk of a "man-in-the-middle" attack, in which another server poses as your host.

The options are:

Always: Make the connection and add this host to the list of trusted hosts. You will not see this prompt for subsequent connections to the same host unless you remove the host from the trusted host list, or the host key changes.
Once: Make the connection but do not add the host to the trusted host list. You will see this prompt again the next time you make a connection to the same host.
No: Do not make the connection and do not add the host to the trusted host list.
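The strict host key checking choices, the known_hosts lookup and the Always/Once/No outcomes of the authenticity prompt, modelled together as an added Python example (not Reflection's code; the known_hosts layout, the ask/yes/no spellings of the setting and all key material are constructed assumptions):

```python
import base64
import hashlib
import struct

def _ssh_string(data: bytes) -> bytes:
    # SSH wire-format string: 4-byte big-endian length followed by the bytes
    return struct.pack(">I", len(data)) + data

def _blob(public: bytes) -> str:
    # Base64 blob of a constructed ssh-ed25519 public key (NOT a real key)
    return base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(public)).decode()

SAMPLE_KEY = _blob(bytes(range(32)))   # constructed key material
OTHER_KEY = _blob(bytes(32))           # a different constructed key for the same host

# Constructed known_hosts content, one "host keytype base64key" entry per line
# (OpenSSH-style layout; assumed to match what the client writes to its file).
KNOWN_HOSTS = f"""# user known_hosts (constructed sample)
host1.example.com ssh-ed25519 {SAMPLE_KEY}
"""

def fingerprint(b64key: str) -> str:
    """SHA256 fingerprint of a key blob, the value to confirm with the host administrator."""
    digest = hashlib.sha256(base64.b64decode(b64key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_known_hosts(text: str) -> dict:
    """Map each hostname to its list of (keytype, base64key) entries."""
    entries: dict = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        for host in parts[0].split(","):   # one line may list several names
            entries.setdefault(host, []).append((parts[1], parts[2]))
    return entries

def check_host(entries: dict, host: str, keytype: str, key: str, strict: str = "ask") -> tuple:
    """Return (status, action) for the key a server presented; strict mirrors the
    dialog's Ask User / Yes / No choices as "ask" / "yes" / "no" (assumed spelling)."""
    known = entries.get(host, [])
    if (keytype, key) in known:
        return "trusted", "connect"     # matches the stored key
    if any(kt == keytype for kt, _ in known):
        return "changed", "refuse"      # stored key differs: possible man-in-the-middle
    return "unknown", {"ask": "prompt", "yes": "refuse", "no": "connect"}[strict]

def trust_always(known_hosts: str, host: str, keytype: str, key: str) -> str:
    """Entry appended when the user answers Always in the Host Key Authenticity prompt."""
    return known_hosts + f"{host} {keytype} {key}\n"
```

A changed key for a known host is refused regardless of the strict setting, because that is the case the man-in-the-middle warning above is about; only a host with no stored key falls through to the Ask User / Yes / No policy.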