Ability to have a dedicated SSH/SFTP host Key pair.
Completed
Hello,
Currently, CerberusFTP reuses the key pair of the SSL certificate for SSH/SFTP.
Each time the certificate is renewed with new keys,
- SFTP clients have to be told the new public key's fingerprint
- SFTP clients have to take action
- if the installation of the new certificate in Cerberus and the change of settings at the client do not happen at once, batches/jobs will stop working for a while.
This is painful. Especially when clients are not geeks and you have to help them find and motivate the right IT contact in their company to do the change. Contact that may have changed a year later. Hours of support in our case. When you renew the SSL certificate yearly, this adds up.
CAs or resellers do not always allow renewing certificates without rekeying. Or simply, some of us may want to renew our SSL certificate with rekeying, but leave the SSH/SFTP keys unchanged.
Given the above, I think one should be allowed to judge whether rekeying SSH keys is mandatory security hygiene or not.
So, would you please consider the ability to set up a separate key pair dedicated to SSH/SFTP communication?
-
Official comment
We've just released version 12.4, and it provides an initial solution to this feature request for a dedicated host key pair for SSH SFTP.
We've released a post describing the new feature and changes here:
https://www.cerberusftp.com/ssh-host-keys-decoupled-from-tls-certificate/
Our solution solves the immediate problem of the SSH key pair changing every time you need to change your SSL certificate. SSH host keys and SSL keys are now completely separate. You can safely renew and change your SSL certificate every year without fear of your SSH clients getting warnings that the host key has changed.
-
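The official comment above says SSH host keys and SSL keys are now separate, so a yearly certificate renewal no longer changes the fingerprint that SFTP clients have pinned. The script below is an added example (not Cerberus FTP code, and not from the original thread) that shows what that pin is: it computes the OpenSSH-style SHA256 fingerprint of a public key line, and models the two renewal behaviours, host key reused from the TLS key pair versus a dedicated host key, to show which one trips a client's "host key changed" check. All key material is constructed inline from hashes and is not a real key.

```python
from __future__ import annotations

import base64
import hashlib
import struct

# Constructed 32-byte values standing in for ed25519 public keys. They are
# deterministic hash outputs, not real keys; they only need the right length.
TLS_KEY_2023 = hashlib.sha256(b"constructed: tls key 2023").digest()
TLS_KEY_2024 = hashlib.sha256(b"constructed: tls key 2024 (rekeyed at renewal)").digest()
DEDICATED_SSH_KEY = hashlib.sha256(b"constructed: dedicated ssh host key").digest()


def build_ed25519_pubkey_line(raw_key: bytes, comment: str = "sftp-host") -> str:
    """Build an OpenSSH public key line ("ssh-ed25519 <base64> <comment>").

    Constructed helper for this example. The blob is the SSH wire encoding:
    string(key type) || string(key bytes), each with a 4-byte big-endian length.
    """
    if len(raw_key) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    key_type = b"ssh-ed25519"
    blob = (struct.pack(">I", len(key_type)) + key_type
            + struct.pack(">I", len(raw_key)) + raw_key)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def ssh_fingerprint(pubkey_line: str) -> str:
    """Return the SHA256 fingerprint of an OpenSSH public key line.

    Uses the same form that `ssh-keygen -lf` and ssh's host-key warning print:
    "SHA256:" followed by the unpadded base64 of the SHA-256 of the key blob.
    """
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    key_type, b64 = fields[0], fields[1]
    blob = base64.b64decode(b64, validate=True)
    # The blob embeds its own type string; it must match the declared type,
    # otherwise the line is malformed or tampered with.
    (type_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + type_len] != key_type.encode():
        raise ValueError("declared key type does not match the key blob")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_key_changed(pinned_fingerprint: str, current_pubkey_line: str) -> bool:
    """True when the key the server now presents differs from the pinned one.

    This is the comparison an SFTP client makes against its known_hosts entry;
    a mismatch is what produces the "host key has changed" warning and makes
    batch jobs stop until someone updates the client side.
    """
    return ssh_fingerprint(current_pubkey_line) != pinned_fingerprint


def renewal_scenario(reuse_tls_key: bool) -> tuple[str, str, bool]:
    """Model a TLS certificate renewal with rekeying and report its SSH impact.

    Returns (fingerprint pinned before renewal, fingerprint after, changed?).
    reuse_tls_key=True models the old behaviour (host key derived from the
    TLS key pair); False models a dedicated host key that renewal leaves alone.
    """
    if reuse_tls_key:
        before = build_ed25519_pubkey_line(TLS_KEY_2023)
        after = build_ed25519_pubkey_line(TLS_KEY_2024)
    else:
        before = build_ed25519_pubkey_line(DEDICATED_SSH_KEY)
        after = build_ed25519_pubkey_line(DEDICATED_SSH_KEY)
    pinned = ssh_fingerprint(before)
    return pinned, ssh_fingerprint(after), host_key_changed(pinned, after)


if __name__ == "__main__":
    for reuse in (True, False):
        pinned, current, changed = renewal_scenario(reuse_tls_key=reuse)
        mode = "host key reused from TLS pair" if reuse else "dedicated host key"
        print(f"{mode}: pinned {pinned}")
        print(f"{' ' * len(mode)}  now    {current}")
        print(f"{' ' * len(mode)}  clients warned: {changed}")
```

Running the script prints two fingerprints per scenario; only the "reused from TLS pair" case produces a mismatch. In practice, record the dedicated host key's `SHA256:` fingerprint once (for example from `ssh-keygen -lf` on the server's public key file) and hand that single value to clients; it is what to re-check after any server-side change, certificate renewals included.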
Hey guys, thanks for the feedback on this issue. We understand the concerns and pain the lack of a dedicated SSH key pair is causing. While I can't promise a release date yet, I can tell you that our team has been discussing this one a lot lately. I strongly suspect we are going to add it to our near term roadmap for 12.0.
I'll let you know as soon as we have something firm as far as a release version.
3 -
;-)
I'm pretty sure that, on top of pleasing us, they will save them a good number of support tickets.
2 -
Agreed 100%. Also, the UI should tell you when you go to replace your SSL certificate that your SSH fingerprint will change. I wasn't aware and found out the hard way.
2 -
Great news Grant!
Thanks for listening to us.
2 -
That's awesome. Thanks for your responsiveness on this feature request!
2 -
You're welcome. Talked this one over with the development team and we are tentatively planning on addressing this in 12.4. We've already assigned it to a member of our development team.
We're still working out the details on our approach for addressing this one, but at a bare minimum I think we will provide a new key pair field for SSH keys, distinct from the SSL key pair. That will allow administrators to change their SSL key pair (used by HTTPS and FTPS/ES) without changing the key pair used for SSH SFTP.
2 -
Jerome, I feel like we work for the same company (kidding).
In all seriousness, I provided the exact same feedback in a recent Cerberus FTP "Tell us what we can do better" survey. This is really the only pain point left for us.
Let's hope they at least consider it.
1