With the introduction of Cerberus FTP Server 13.1, we have implemented support for multiple SSH host keys. This user-requested feature allows enabling one or more of the currently supported key types:
- EdDSA 25519
- EdDSA 448
In order to allow this feature, we have implemented new GUI controls to generate host keys, export public keys, delete key pairs, edit the loaded keys, and control which keys are active. Most of the controls are accessed from Server Manager / Security / General as shown in the screenshot below.
SSH Host Key Pairs
This panel shows which keys are loaded in Cerberus. Each key shows the type, length, an administrator-customized notes field, several fingerprint formats, and the paths to the public and private key files. In this example, there are two loaded keys: RSA and ECDSA (Elliptic Curve). All Cerberus servers with SSH enabled start with just one key, which will typically be the same type as the TLS certificate.
The panel also allows generating, exporting, editing, and deleting key pairs via the buttons on the top right, as highlighted above. We’ll walk through each of these new controls.
Generate SSH Key Pair
Clicking the Generate button allows creating a new key pair. The first step is to select a Key Type. Cerberus currently supports five key types: RSA, DSA, Elliptic Curve (ECDSA), ED25519 (EdDSA 25519), and ED448 (EdDSA 448). Note: the Edwards curve EdDSA key types are not currently available in FIPS mode.
Once the type is selected, one of two messages will be displayed in the gray status well at the top as shown in the screenshot below:
- Generate a new TYPE SSH key pair
- Generate another TYPE SSH key pair
These messages indicate whether a new key pair will be created or an existing key may be replaced.
Generate SSH Key Pair
The notes field allows an Administrator to provide some context for the key pair; the field has no function in key signing. For example, this key may be used for a specific set of devices (networking hardware) or perhaps it is a temporary key for a specific user and the note could indicate the user’s name and when it can be removed. The field alleviates the need for external documentation and helps multiple administrators coordinate updates.
The Key Length is populated with values specific to the type selected; the Edwards curves have no selectable length and this field will be disabled for them.
The Private Password allows setting a password on the generated private key. Cerberus recommends setting a password; however, Administrators should store the password securely, as they do other passwords, because it cannot be recovered if forgotten.
The final option is a checkbox which allows either:
- Enable this SSH key pair immediately
- Replace existing SSH Key pair immediately
When unchecked, the key pair is only generated and saved; when checked, Cerberus will also load the generated key pair as one of the available SSH Host Key Pairs (replacing the current key pair for that type if one exists). Note: if this is a new key pair, it must be activated (see Activating SSH Host Keys below) in the list of host keys before Cerberus will offer it to SSH clients.
Clicking the Generate Keypair button will create the key pair. All generated host keys are stored in the Cerberus certificates folder as ssh-TYPE-YYYYMMDD_HHMMSS.pem; this naming convention avoids accidentally overwriting an existing key pair. This Privacy Enhanced Mail (PEM) file will contain both the public and private keys.
Export SSH Public Keys
Clicking the Pub Export button allows exporting the public portion of a loaded Key Pair. The first step is to select a Key Type.
Export SSH Public Keys
Once a type is selected, the Public Key Path field will be populated with the full path to the selected public key. The Export Format defaults to RFC 4716 (SSH2), but Administrators can also select OpenSSH and X.509 Subject Public Key Information (RFC 3279) formats.
Clicking Generate Keypair will download the public key to the browser’s Downloads folder with a default name of ssh-public-hostkey-FORMAT_TYPE.pem.
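The RFC 4716 (SSH2) and OpenSSH export formats differ only in the text framing around the same base64 key blob, and every fingerprint shown in the SSH Host Key Pairs panel is a hash of that blob. The following added example (written for this page, not Cerberus code; it uses only the Python standard library, so it covers the two text formats but not the DER-based X.509 SPKI format) parses either text form back to the raw blob, derives the key type from the blob itself, computes the SHA256 and MD5 fingerprints, and converts between the two formats. The 32-byte key value is a constructed placeholder, not a real key.

```python
import base64
import hashlib
import struct
import textwrap

# Constructed placeholder for a 32-byte Ed25519 public key value (not a real key).
SAMPLE_ED25519_RAW = bytes(range(32))


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH 'string': uint32 big-endian length + payload."""
    return struct.pack(">I", len(data)) + data


def read_ssh_string(blob: bytes, offset: int = 0) -> tuple[bytes, int]:
    """Decode one SSH 'string' at offset; return (payload, next_offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    if start + length > len(blob):
        raise ValueError("truncated string payload")
    return blob[start:start + length], start + length


def sample_blob() -> bytes:
    """Wire-format blob of the constructed Ed25519 key: string type, string key."""
    return ssh_string(b"ssh-ed25519") + ssh_string(SAMPLE_ED25519_RAW)


def key_type_of(blob: bytes) -> str:
    """The first field of any SSH public key blob is its algorithm name."""
    name, _ = read_ssh_string(blob)
    return name.decode("ascii")


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH default fingerprint: unpadded base64 of SHA-256 over the blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(blob: bytes) -> str:
    """Legacy colon-separated MD5 hex fingerprint."""
    return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def to_openssh(blob: bytes, comment: str = "") -> str:
    """OpenSSH one-line form: '<type> <base64 blob> [comment]'."""
    line = f"{key_type_of(blob)} {base64.b64encode(blob).decode()}"
    return f"{line} {comment}".rstrip()


def to_rfc4716(blob: bytes, comment: str = "") -> str:
    """RFC 4716 (SSH2) form: BEGIN/END markers, optional headers, base64 wrapped at 72."""
    lines = ["---- BEGIN SSH2 PUBLIC KEY ----"]
    if comment:
        lines.append(f'Comment: "{comment}"')
    lines.extend(textwrap.wrap(base64.b64encode(blob).decode(), 72))
    lines.append("---- END SSH2 PUBLIC KEY ----")
    return "\n".join(lines)


def parse_public_key(text: str) -> bytes:
    """Accept OpenSSH or RFC 4716 text and return the raw blob, validating its framing."""
    stripped = text.strip()
    if stripped.startswith("---- BEGIN SSH2 PUBLIC KEY ----"):
        body, continuation = [], False
        for line in stripped.splitlines()[1:-1]:
            if continuation or ":" in line:          # header line (base64 never contains ':')
                continuation = line.endswith("\\")   # RFC 4716 header value continued on next line
                continue
            body.append(line.strip())
        blob = base64.b64decode("".join(body), validate=True)
    else:
        fields = stripped.split()
        if len(fields) < 2:
            raise ValueError("not an OpenSSH public key line")
        blob = base64.b64decode(fields[1], validate=True)
        if fields[0] != key_type_of(blob):
            raise ValueError("type prefix does not match the blob's algorithm name")
    key_type_of(blob)  # raises ValueError if the blob is not a well-formed string sequence
    return blob


def describe(blob: bytes) -> dict:
    """The values an administrator compares against a client's host-key prompt."""
    return {
        "type": key_type_of(blob),
        "sha256": fingerprint_sha256(blob),
        "md5": fingerprint_md5(blob),
    }


if __name__ == "__main__":
    blob = sample_blob()
    print(describe(blob))
    print(to_openssh(blob, "cerberus-host-key"))
    print(to_rfc4716(blob, "cerberus-host-key"))
```

Because both formats carry the identical blob, a key exported in RFC 4716 form and one exported in OpenSSH form produce the same fingerprints; that is what lets an administrator hand out whichever format a client tool wants and still verify it against the fingerprint displayed in the panel.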
Manage SSH Keys
Clicking the Edit button allows managing loaded SSH keys. As with the other buttons, the first step is to select a Key Type. If no key of the type exists, then a new key will be added; if one exists, it may be updated, replaced or deleted.
After selecting the type, add or update the Notes, select or update the Public and Private keys (and optional Password), then click Check Key as shown in the screenshot below:
Manage SSH Keys
If the values cannot be validated, the status text will explain why, for example a missing public or private key file or an incorrect password. Otherwise, one of three messages will appear:
Add New Key
If a new key is being added, the status text and button text will appear as in the screenshot below:
Manage SSH Keys: Add Key
Clicking Add Key will load the key values into Cerberus.
Update Existing Key
If an existing key is being updated, the status text and button text will appear as in the screenshot below:
Manage SSH Keys: Update Key
Clicking Keep Existing Key will update the Notes and/or Password, but otherwise keep the existing key loaded in Cerberus.
Replace Existing Key
If an existing key is being replaced, the status text and button text will appear as in the screenshot below:
Manage SSH Keys: Replace Key
Note: This type of update should be carefully considered and planned. Changing an existing host key will require SSH clients to accept a new fingerprint and may affect automated systems.
Clicking Replace Key will replace the loaded key in Cerberus.
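The note above describes the client-side consequence of a Replace: OpenSSH-style clients remember a server's host key in known_hosts and distinguish a key they have never seen (new), a matching key (ok), and a same-type key that no longer matches (the changed-host-key warning that stops unattended transfers). The added example below (written for this page, not Cerberus or OpenSSH code) models those three outcomes over constructed known_hosts lines for a hypothetical host sftp.example.test, and shows that distributing the replacement key to clients alongside the old one before the server switches leaves automated clients with a matching entry on both sides of the change. It assumes plain, unhashed hostnames and no @cert-authority or @revoked marker lines; the key values are constructed placeholders.

```python
import base64
import hashlib
import struct
from dataclasses import dataclass

HOST_OK, HOST_CHANGED, HOST_NEW = "ok", "changed", "new"


def ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': uint32 big-endian length + payload."""
    return struct.pack(">I", len(data)) + data


def fingerprint_sha256(blob: bytes) -> str:
    """Unpadded base64 SHA-256 of the blob, as shown in client prompts."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


# Constructed placeholder key values (not real keys): the key currently loaded in
# the server and the replacement generated for the same type.
OLD_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes([0x01] * 32))
NEW_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes([0x02] * 32))
HOST = "sftp.example.test"  # hypothetical hostname

# Constructed known_hosts content as an automated client might hold it today.
SAMPLE_KNOWN_HOSTS = f"""
# known_hosts entries for the transfer job (constructed sample)
{HOST} ssh-ed25519 {base64.b64encode(OLD_BLOB).decode()} transfer-job
other.example.test ssh-ed25519 {base64.b64encode(NEW_BLOB).decode()}
"""


@dataclass(frozen=True)
class HostKey:
    host: str
    key_type: str
    blob: bytes


def parse_known_hosts(text: str) -> list[HostKey]:
    """Parse plain known_hosts lines: 'host[,host...] type base64 [comment]'."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks, comments and marker lines (assumption: no @cert-authority/@revoked in use).
        if not line or line[0] in "#@":
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        for host in fields[0].split(","):
            entries.append(HostKey(host, fields[1], base64.b64decode(fields[2])))
    return entries


def check_host_key(entries, host, key_type, blob):
    """Outcome a client reaches for an offered key: any exact match wins; a same-type
    entry that differs means the key changed; otherwise the host/type pair is unknown."""
    result = HOST_NEW
    for entry in entries:
        if entry.host != host or entry.key_type != key_type:
            continue
        if entry.blob == blob:
            return HOST_OK
        result = HOST_CHANGED
    return result


def stage_replacement(entries, host, key_type, new_blob):
    """Rotation step 1: add the new public key to clients before the server switches,
    so both the old and the new key are trusted during the cutover."""
    staged = list(entries)
    if check_host_key(entries, host, key_type, new_blob) != HOST_OK:
        staged.append(HostKey(host, key_type, new_blob))
    return staged


def retire_old_key(entries, host, key_type, old_blob):
    """Rotation step 3: once the server offers only the new key, drop the old entry."""
    return [e for e in entries
            if not (e.host == host and e.key_type == key_type and e.blob == old_blob)]


def explain(result: str, blob: bytes) -> str:
    """Human-readable summary of the three outcomes for a log or change ticket."""
    fp = fingerprint_sha256(blob)
    return {
        HOST_OK: f"host key {fp} matches a known_hosts entry",
        HOST_CHANGED: f"host key {fp} differs from the stored key of the same type; strict clients refuse to connect",
        HOST_NEW: f"host key {fp} is unknown; interactive clients prompt, strict automated clients fail",
    }[result]


if __name__ == "__main__":
    entries = parse_known_hosts(SAMPLE_KNOWN_HOSTS)
    print("before staging:", explain(check_host_key(entries, HOST, "ssh-ed25519", NEW_BLOB), NEW_BLOB))
    staged = stage_replacement(entries, HOST, "ssh-ed25519", NEW_BLOB)
    print("after staging: ", explain(check_host_key(staged, HOST, "ssh-ed25519", NEW_BLOB), NEW_BLOB))
    retired = retire_old_key(staged, HOST, "ssh-ed25519", OLD_BLOB)
    print("after retiring:", explain(check_host_key(retired, HOST, "ssh-ed25519", OLD_BLOB), OLD_BLOB))
```

Step 2 of the rotation is the Replace Key click itself. Run in that order, clients that trust both keys see only matches throughout; run as a bare Replace, every client that pinned the old key reports a changed host key at its next connection.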
Delete SSH Key
If the key type corresponds to an existing key, it can also be deleted. Clicking the Delete Key button will display a prompt as shown in the screenshot below. If the Delete button is clicked, then the key will be deleted from Cerberus; however, the key files will not be removed from the certificates folder.
Manage SSH Keys: Delete Key
Activating SSH Host Keys
SSH Host Keys are enabled from Server Manager > Protocols > SSH SFTP as shown in the screenshot below.
SSH Security Defaults: Active Host Key
Any of the supported keys may be activated or deactivated; deactivated host keys will not be offered to SSH clients. If there is no host key loaded for a type (as for DSA in the screenshot above), a warning tooltip is shown; even if such a key is activated, it will not be offered to SSH clients. Note: the Edwards curve EdDSA key types are not currently available in FIPS mode and will not appear in the list.