Trusting Target-Host Identities

SSH Target-Host Authentication

For SSH connections, PrivX authenticates target hosts by their SSH host keys.

You can store SSH host keys when creating or editing a host entry via ​Administration→Hosts​​.

When connecting to a host, the key/certificate of which is not yet trusted by PrivX, the connection starts as follows:

  • ​​If no other keys are stored for the host​​: PrivX administrators may accept the new host key for all subsequent connections. Regular PrivX user can accept a new host key if the ​Trust On First Use​​ is enabled for the host.

  • ​​If another key has been stored for the host:​​ Regular PrivX users are prevented from connecting to the host. A PrivX administrator must explicitly accept the key for all subsequent connections.

You can store SSH host keys and set Trust on First Use behavior by editing host entries on the ​Administration→Hosts​​ page.

RDP Target-Host Authentication

For RDP connections, PrivX authenticates target hosts by their RDP-server certificate.

You can add trusted server certificates and/or trusted CA certificates as follows:

  • To add globally trusted certificates or CAs, go to Administration→Settings→Global, and under the RDP common section, paste the certificates to Host certificate trust anchors.

  • To add access-group-specific trusted certificates or CAs, go to Administration→Access Groups, and Edit the desired access group's Host certificate trust anchors.

📘

Note

Added certificates must be direct issuers of the host certificates or host certificates themselves. Multilevel CA hierarchies are not supported.

By default, PrivX automatically accepts the certificate encountered upon the first RDP connection. Connections will fail if the RDP-server certificate changes, or is renewed prior to the start of the renewal period. The renewal period starts one month prior to the expiry date. Connection will automatically accept the new certificate during the renewal period.

If connections fails due to the RDP-server certificate changing, you can re-enable by deleting the stored RDP certificate:

  1. On the ​Administration→Hosts​ page, ​Edit​​ the target RDP server.

  2. Under the ​RDP host certificate​ section, click ​​​ 🗑️

    Upon next RDP connection, PrivX automatically accepts the new RDP-server certificate for subsequent RDP connections.

You can adjust the time window during which the RDP-server certificate may be automatically renewed. To do this:

  1. Modify the RDP proxy settings, located at Administration→Settings→RDP Proxy on your PrivX servers. Locate and modify the following settings:

    • Renewal period (months)​​: Allow RDP-server certificate to be renewed from this many months before the NotAfter field marked in the current RDP-server certificate.

    • ​​Renewal period (days)​​: Allow RDP-server certificate to be renewed from this many days before the NotAfter field marked in the current RDP-server certificate.

    These two settings are cumulative. For example, to allow the RDP-server certificate to be renewed from two months and 15 days before the current one expires:

    Renewal period (months): 2
    Renewal period (days): 15​​
    
  2. Save your changes to the RDP-proxy configuration.

    Restart the PrivX services to apply the new settings:

    # systemctl restart privx
    

    or by clicking the Restart button on the Administration→Settings.


Did this page help you?