By default, One Identity Safeguard for Privileged Sessions (SPS) accepts and stores the host key of the server when the connection is first established.

To manually set the SSH keys used and accepted in the connection

  1. Navigate to SSH Control > Connections and click to display the details of the connection.

    Figure 187: SSH Control > Connections — Configuring SSH host keys of the connection

  2. Verify the identity of the servers based on their hostkeys.

    • Select Accept key for the first time to automatically record the key shown by the server on the first connection. SPS will accept only this key from the server in later connections. This is the default behavior of SPS.

      NOTE:

      When your deployment consists of two or more instances of SPS organized into a cluster, the SSH keys recorded on the Managed Host nodes before they were joined to the cluster are overwritten by the keys on the Central Management node. For details, see Configuration synchronization and SSH keys.

    • Select Only accept trusted keys if the key of the server is already available on SPS. SPS will accept only the stored key from the server. For further information on setting the host keys of the server, see Server host keys.

      NOTE:

      When your deployment consists of two or more instances of SPS organized into a cluster, the SSH keys recorded on the Managed Host nodes before they were joined to the cluster are overwritten by the keys on the Central Management node. For details, see Configuration synchronization and SSH keys.

    • Select Disable SSH hostkey checking to disable SSH host key verification.

      Caution:

      Disabling SSH host key verification makes it impossible for SPS to verify the identity of the server and prevent man-in-the-middle (MITM) attacks.

  3. You can choose to upload or paste an RSA host key, or generate a new one.

    NOTE:

    One Identity recommends using 2048-bit RSA keys (or stronger).

    Click on the fingerprint to display the public part of the key.

  4. Click Commit.