Discuss this help topic in SecureBlackbox Forum

SSH: Setup keys for the SSH server

Every SSH server must have at least one private key attached to it (a so-called 'host key') to be able to accept client connections. The host key serves as a unique identifier of the server, which clients use to establish the server's authenticity. It is somewhat similar to the server certificates used in TLS infrastructures.

The server may have several host keys attached to it. A typical SSH server has at least two host keys, for the RSA and DSS algorithms; however, additional keys for ECDSA and X.509-based algorithms can also be used. As all the keys are different, the server's administrator will need to communicate information about all of the server's keys to the potential clients.

It goes without saying that the host keys must be stored securely, as compromising them compromises all the security gained by the use of SSH.

To attach private keys to your SSH server object do the following:

  1. Create a TElSSHMemoryKeyStorage object.
  2. Load your private key into a TElSSHKey object.
  3. Add the key object to the storage object with the storage's Add() method.
  4. Repeat steps 2 and 3 for all the keys you want to act as host keys (RSA, DSS, ECDSA, etc.).
  5. Attach the storage to the TElSSHServer.KeyStorage property.

Besides the host keys, the server may use additional RSA keys for RSA key exchange. These are completely different keys from the ones used for host authentication, even though the RSA algorithm may be used for both operations. That is, the server may have two different RSA keys attached: the first for host authentication (the host key) and the second for key exchange (the key exchange key). Additional RSA keys are only used for RSA key exchange; they are not needed for DH or ECDH key exchanges.

Key exchange keys are configured in the same way as the host keys, with the only difference that their storage is attached to the KexKeyStorage property rather than KeyStorage. Note that there is no point in adding non-RSA keys to the key exchange key storage: all such keys are ignored.
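The five steps above together with the separate key exchange storage, put together as an added Delphi example; this is not code from the SecureBlackbox documentation. Only TElSSHMemoryKeyStorage, TElSSHKey, Add(), KeyStorage and KexKeyStorage come from this page; the unit names, the LoadPrivateKey(FileName, Passphrase) call and its zero-on-success return, the IsPrivate and Count properties, and the second (ownership) argument of Add() are assumptions.

```delphi
uses
  SysUtils, SBSSHKeyStorage, SBSSHServer; // unit names are assumed

{ Loads each listed private key as a host key and, optionally, one RSA key
  for RSA key exchange. A key that cannot be loaded aborts the setup instead
  of silently leaving the server with an incomplete host key set. }
procedure AttachServerKeys(Server: TElSSHServer;
  const HostKeyFiles: array of string; const KexKeyFile: string);

  function LoadKey(const FileName: string): TElSSHKey;
  begin
    Result := TElSSHKey.Create(nil);
    try
      // Assumed signature: LoadPrivateKey(FileName, Passphrase) returns 0 on
      // success. Passphrase is empty here; host keys are normally stored
      // unencrypted and protected by file system permissions instead.
      if Result.LoadPrivateKey(FileName, '') <> 0 then
        raise Exception.CreateFmt('Cannot load private key from %s', [FileName]);
      // IsPrivate is assumed; a public-only key cannot act as a host key.
      if not Result.IsPrivate then
        raise Exception.CreateFmt('%s contains no private key', [FileName]);
    except
      Result.Free;
      raise;
    end;
  end;

var
  HostKeys, KexKeys: TElSSHMemoryKeyStorage;
  I: Integer;
begin
  HostKeys := TElSSHMemoryKeyStorage.Create(nil);
  for I := Low(HostKeyFiles) to High(HostKeyFiles) do
    // Second argument (False) is assumed to hand ownership of the key to
    // the storage, which then frees it together with itself.
    HostKeys.Add(LoadKey(HostKeyFiles[I]), False);
  if HostKeys.Count = 0 then // Count is assumed
    raise Exception.Create('An SSH server needs at least one host key');
  Server.KeyStorage := HostKeys;

  // Separate storage for the RSA key exchange key. It is only consulted for
  // RSA key exchange (DH/ECDH do not use it), and non-RSA keys would be ignored.
  if KexKeyFile <> '' then
  begin
    KexKeys := TElSSHMemoryKeyStorage.Create(nil);
    KexKeys.Add(LoadKey(KexKeyFile), False);
    Server.KexKeyStorage := KexKeys;
  end;
end;
```

Call it once before the server starts listening, e.g. AttachServerKeys(Server, ['host_rsa.key', 'host_dss.key', 'host_ecdsa.key'], 'kex_rsa.key'), with the file names being your own.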
