sshkeygen.exe

Every ssh node, whether client or server, needs an RSA or DSA identification key. This key, which is actually a pair of keys, one public and one private, is generated by the sshkeygen.exe program. The public part of the key can be distributed as needed to identify the client or server. The private part of the key must be stored securely. Like other ssh vendors, our ssh key implementation is file based: the public part of the key is one file and the private part is another, and the files are typically named in pairs. So if you specify the key name "mymachine" to the sshkeygen program, it stores the public part of the key in the file "mymachine.pub" and the private part in the file "mymachine".

Our installation package automatically generates machine key pairs for the server during the install using the sshkeygen.exe program and stores them in the %SystemRoot%\System32\drivers\etc directory. SSH1, SSH2 and SSH2 RSA keys are generated. These keys can be regenerated if desired.

To simplify key distribution, the ssh protocol exchanges the public key of a server for identification. Where the identification keys of ssh servers are stored depends on the client. Our ssh clients, FortressFX, FortressCL, and our console clients, use the known_hosts file stored in the %APPDATA%\PragmaSSH\ directory of the user running the client. If a server identification key changes, the client may report an error that the server cannot be verified. If the user is certain that this is the correct machine, the old identification key should be removed from the known_hosts file to clear the error. If the user is not certain of the server's identity, the user should NOT connect to the server, as another machine might be intercepting the data. This is known as a man-in-the-middle attack.
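The known_hosts check described above, as an added example that is not code from this page or from Pragma's products: it assumes the file uses the OpenSSH one-entry-per-line layout ("host keytype base64-key", an assumption about the format), uses constructed key blobs, computes each recorded key's fingerprint, and classifies a key presented by a server as matching, changed (the situation the paragraph warns about), or not yet known.

```python
import base64
import hashlib
from typing import Dict, List, Tuple

# Constructed sample key blobs: made-up bytes, NOT real key material.
KEY_A = base64.b64encode(b"\x00\x00\x00\x07ssh-rsa constructed key A").decode()
KEY_B = base64.b64encode(b"\x00\x00\x00\x07ssh-rsa constructed key B").decode()

# Constructed known_hosts content, assumed to use the OpenSSH layout
# "host[,host...] keytype base64-key" (one entry per line).
KNOWN_HOSTS = (
    "# servers recorded by earlier connections\n"
    f"server1,10.0.0.5 ssh-rsa {KEY_A}\n"
    f"server2 ssh-dss {KEY_B}\n"
)

def fingerprint(b64_key: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a key blob (base64, '=' stripped)."""
    digest = hashlib.sha256(base64.b64decode(b64_key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_known_hosts(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map every host alias to its recorded (keytype, base64 key) entries.
    Hashed (|1|...) and marker (@...) lines are skipped to keep this short."""
    entries: Dict[str, List[Tuple[str, str]]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "|", "@")):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        for host in parts[0].split(","):
            entries.setdefault(host, []).append((parts[1], parts[2]))
    return entries

def check_host(known: Dict[str, List[Tuple[str, str]]],
               host: str, keytype: str, b64_key: str) -> str:
    """Classify the key a server presents for `host`: 'match' (recorded key),
    'mismatch' (host known but key differs: regenerated key or another machine
    in the path, so do not connect until the fingerprint is confirmed out of
    band) or 'unknown' (first contact: verify the fingerprint before trusting)."""
    recorded = known.get(host)
    if not recorded:
        return "unknown"
    return "match" if (keytype, b64_key) in recorded else "mismatch"

if __name__ == "__main__":  # demo: a changed key for a known host
    known = parse_known_hosts(KNOWN_HOSTS)
    print(fingerprint(KEY_A), check_host(known, "server1", "ssh-rsa", KEY_B))
```

The fingerprint printed for a recorded entry is what you compare against the value the server's administrator reports before removing an old entry and accepting a new one.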

It is critical to guard the private part of any RSA or DSA key. Files such as mymachine and ssh_host_key must therefore be protected by NTFS permissions so that only authorized persons have read access to them. For this reason, we urge that you install ssh packages on secured NTFS file systems.

Like machines, an individual who uses an ssh client can have an identification key pair, generated by the sshkeygen.exe program. This key can be used when connecting to an ssh server using certificate authentication. Our console clients use the sshkeygen program; our GUI clients, FortressFX and FortressCL, have their own key mechanism.

During installation of the ssh client, the install package automatically generates the keys and stores them in the %APPDATA%\PragmaSSH directory of the user running the install. Additional key sets can be generated at any time by running the sshkeygen.exe program.

The syntax for sshkeygen is:

sshkeygen [-ceilpqyB] [-t type] [-b bits] [-f file] [-C comment] [-N new-pass] [-P pass]

The options are:

-c            change existing comment
-e            export existing ssh1 key to ssh2 key
-i            import ssh2 key to ssh1 key
-l            display key fingerprint
-p            change pass phrase from old to new
-q            generate keys quietly
-y            display generated public key
-B            display more fingerprint information
-t type       type of key to generate: rsa, rsa1, dsa
-b bits       key bit size
-f file       file to generate
-C comment    comments for this user
-N new-pass   new pass phrase, when using the -p option
-P pass       new pass phrase


Copyright © 2023 Pragma Systems Inc