NEWS YOU CAN USE FROM VANDYKE SOFTWARE
Implementing good host key policies is an important part of network security in a Secure Shell environment. This issue explains host keys and suggests simple policies and practices to ensure that this security measure is used effectively.
Also this month, new maintenance releases are now available for CRT(TM), SecureCRT(R), and the OpenSSH extended source code.
1. Feature - Host Keys and Fingerprints
Ever seen this message and wondered what to do?
The host key sent by the server is different from the host key stored
in the host key database...
It is recommended that you verify your host key before accepting.
Server's host key fingerprint (MD5 hash):
Accept Once Accept & Save Cancel
Educating users about the purpose and importance of the host key is a fundamental step in securing the network with SSH. If your organization's security policy doesn't address host keys, it should.
Every SSH server has a public identifier called a host key that it uses to identify itself to an SSH client. Each time a client connects to a server, the server sends its host key to the client. The SSH client verifies the server's identity by comparing this host key to the copy stored in the client's host key database. If an alert like the one above is displayed, the user's role is to find out whether the host key is the correct one and accept or reject it accordingly.
The first time a client connects to a particular server, you will see
a message that the host key database does not contain an entry for the
hostname. Similarly, if the two host keys don't match, the client is alerted
that there may be a problem, generating a warning message, such as the
Check the identity of the server using the host key "fingerprint" displayed in the New Host Key dialog. This fingerprint is a unique value that is computed from the host key but does not reveal the secret host key. Users can check this fingerprint over the phone or by other means against the actual server fingerprint.
If you choose "Accept & Save", the client adds the host key to its local host key database. Choose this option only if you are sure that you are connecting to the correct server. "Accept Once" accepts the host key from the server and allows the connection, but does not save the host key in the database.
Selecting "Cancel" is the best option if the server's identity can't be verified. This rejects the host key and terminates the connection process.
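The check described above, as an added Python example (not VanDyke code): it computes the fingerprint of a public host key and applies the accept/cancel decision against a fingerprint verified out of band. The names make_pubkey_line, fingerprints and decide, the sample key, and the dict standing in for the host key database are assumptions made for illustration.

```python
import base64, hashlib, hmac, struct

def make_pubkey_line(raw32: bytes) -> str:
    """Build an OpenSSH-style ssh-ed25519 public key line (constructed sample, not a real server key)."""
    field = lambda b: struct.pack(">I", len(b)) + b   # SSH string: 4-byte length + data
    blob = field(b"ssh-ed25519") + field(raw32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed-sample"

def fingerprints(pubkey_line: str) -> dict:
    """Hash the decoded public key blob; the private host key is never involved."""
    blob = base64.b64decode(pubkey_line.split()[1])
    md5_hex = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {
        "md5": ":".join(md5_hex[i:i + 2] for i in range(0, 32, 2)),  # MD5 style, as in the dialog
        "sha256": "SHA256:" + sha,  # style current OpenSSH prints by default
    }

def normalize(fp: str) -> str:
    """Fingerprints read over the phone or pasted from mail vary in case and spacing."""
    return fp.strip().lower()

def decide(host, offered_line, host_db, verified_fp=None):
    """Return 'connect', 'accept_and_save' or 'cancel' for the key a server offers.

    host_db is a hypothetical stand-in for the client's host key database,
    mapping hostname -> MD5 fingerprint. verified_fp is the fingerprint the
    user obtained out of band (for example from the server administrator).
    """
    offered = fingerprints(offered_line)["md5"]
    stored = host_db.get(host)
    if stored is not None and hmac.compare_digest(stored, offered):
        return "connect"                      # matches the saved entry: no prompt needed
    # New host or changed key: save only if it matches the verified fingerprint.
    if verified_fp is not None and hmac.compare_digest(normalize(verified_fp), offered):
        host_db[host] = offered
        return "accept_and_save"
    return "cancel"                           # identity cannot be verified

if __name__ == "__main__":
    db = {}
    good = make_pubkey_line(bytes(range(32)))        # constructed key material
    other = make_pubkey_line(bytes(range(1, 33)))    # a different constructed key
    admin_fp = fingerprints(good)["md5"]             # stands in for the out-of-band value
    print(decide("host.example", good, db))                        # cancel
    print(decide("host.example", good, db, verified_fp=admin_fp))  # accept_and_save
    print(decide("host.example", other, db))                       # cancel
```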
Here are some suggested policies to use in managing host keys:
- Educate your users not to accept a host key without first verifying
More information about host keys and fingerprints is available in the SecureCRT and SecureFX Help files.
Maintenance releases are now available for CRT 4.0.2, SecureCRT 4.0.2, and VanDyke's extended version of OpenSSH version 3.5p1 supporting the Public Key Assistant.
You can download these releases at:
If you need quick access to download links for any previous official releases, go to:
VanDyke Software has just posted an updated version of extended OpenSSH source code (version 3.5p1) as a free download on our web site. These extensions support the Public Key Assistant feature in all secure VanDyke Software products, allowing end users to upload public keys to an OpenSSH server securely. If your organization uses OpenSSH servers, get the download today:
Occasionally, when using a terminal emulator such as CRT or SecureCRT, the emulator can be put into a non-standard state by some sequence of events on the remote system, and the display can get corrupted. In cases where this happens, you can reset the terminal by selecting "Reset" from the Edit menu.
Here are direct links to download individual products:
This month's pick is a hacker's collection of exploits written by Kevin Mitnick, one of the most highly publicized computer hackers. Mitnick shows how technology does little to guard against the persuasive skills of the social engineer and offers advice on how to reduce your vulnerability to these master manipulators and frequently destructive criminals.
"The Art of Deception: Controlling the Human Element of Security," by Kevin D. Mitnick, William L. Simon, and Steve Wozniak. Publisher: John Wiley & Sons; ISBN: 0471237124; (2002)
Publishers Weekly wrote: "Mitnick is the most famous computer hacker in the world. Since his first arrest in 1981, at age 17, he has spent nearly half his adult life either in prison or as a fugitive... His alleged 1982 hack into NORAD inspired the movie War Games. Since his plea-bargain release in 2000, he says he has reformed and is devoting his talents to helping computer security. It's not clear whether this book is a means toward that end or a wink-wink, fictionalized account of his exploits, with his name changed to protect his parole terms. Either way, it's a tour de force, a series of tales of how some old-fashioned blarney and high-tech skills can pry any information from anyone." (Copyright 2002, Cahners Business Information, Inc.)
Read a great book lately? Submit your recommendation to firstname.lastname@example.org. If we publish your selection, we'll send you a gorgeous VanDyke Software T-shirt.
"Every organization faces [an] uneasy balance between strong security
and employee productivity, which leads some employees to ignore security
policies, not accepting how essential those safeguards are for protecting
the integrity of sensitive corporate information."
VanDyke Software, CRT, SecureCRT, SecureFX, Entunnel, AbsoluteFTP, and VShell are trademarks or registered trademarks of VanDyke Software, Inc. All other products and services mentioned are trademarks or registered trademarks of their respective companies.