These docs are for v16.

Trusting Target-Host Identities

SSH Target-Host Authentication

For SSH connections, PrivX authenticates target hosts by their SSH host keys.

You can store SSH host keys when creating or editing a host entry via Settings→Hosts.

When connecting to a host whose key or certificate is not yet trusted by PrivX, the connection proceeds as follows:

  • If no other keys are stored for the host: PrivX administrators may accept the new host key for all subsequent connections. Regular PrivX users can accept a new host key if Trust On First Use is enabled for the host.

  • If another key has been stored for the host: Regular PrivX users are prevented from connecting to the host. A PrivX administrator must explicitly accept the key for all subsequent connections.

You can store SSH host keys and set Trust On First Use behavior by editing host entries on the Settings→Hosts page.

RDP Target-Host Authentication

For RDP connections, PrivX authenticates target hosts by their RDP-server certificate.

By default, PrivX automatically accepts the certificate encountered upon the first RDP connection. Connections fail if the RDP-server certificate changes, or is renewed before the start of the renewal period. The renewal period starts one month before the expiry date. During the renewal period, connections automatically accept the new certificate.

If connections fail because the RDP-server certificate changed, you can re-enable them by deleting the stored RDP certificate:

  1. On the Settings→Hosts page, Edit the target RDP server.

  2. Under the RDP host certificate section, click the 🗑️ (delete) icon.

    Upon next RDP connection, PrivX automatically accepts the new RDP-server certificate for subsequent RDP connections.

You can adjust the time window during which the RDP-server certificate may be automatically renewed. To do this:

  1. Modify the RDP proxy settings, located at /opt/privx/etc/rdp-proxy.toml on your PrivX servers. Locate and modify the following settings:

    • renewal_period_months: Allow the RDP-server certificate to be renewed starting this many months before the NotAfter date of the current RDP-server certificate.

    • renewal_period_days: Allow the RDP-server certificate to be renewed starting this many days before the NotAfter date of the current RDP-server certificate.

    These two settings are cumulative. For example, to allow the RDP-server certificate to be renewed from two months and 15 days before the current one expires:

    [certificates]
    update_automatically = true
    renewal_period_months = 2
    renewal_period_days = 15
    
  2. Save your changes to the RDP-proxy configuration.

    Restart the PrivX services to apply the new settings:

    # systemctl restart privx
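The following is an added example, not PrivX code, that models the renewal window these settings describe and classifies a presented RDP-server certificate against the one pinned on first use. It assumes (the page does not say) that months are subtracted as calendar months with the day clamped to the target month's length, that the window runs from NotAfter minus the cumulative period up to and past NotAfter, and that a SHA-256 digest of the DER certificate stands in for whatever identity PrivX actually stores. The configuration values are the ones from the example above.

```python
"""Added example, not PrivX code: model the RDP-server certificate renewal
window configured by renewal_period_months / renewal_period_days in
rdp-proxy.toml and decide how a presented certificate should be treated.

Assumptions not stated on the page: months are subtracted as calendar months
with the day clamped to the target month's length; the window runs from
(NotAfter - months - days) up to and past NotAfter; a SHA-256 digest of the
DER certificate stands in for whatever identity PrivX actually stores.
"""
from __future__ import annotations

import calendar
import hashlib
from datetime import date, datetime, timedelta, timezone

# Constructed configuration mirroring the page's [certificates] example.
CONFIG = {
    "update_automatically": True,
    "renewal_period_months": 2,
    "renewal_period_days": 15,
}


def utc(year: int, month: int, day: int, hour: int = 0) -> datetime:
    """Build a timezone-aware UTC timestamp (helper for the examples)."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


def fingerprint(der: bytes) -> str:
    """SHA-256 hex digest of a DER-encoded certificate (identity key, assumption)."""
    return hashlib.sha256(der).hexdigest()


def subtract_months(d: date, months: int) -> date:
    """Move d back by whole calendar months, clamping the day (Mar 31 -> Feb 28)."""
    year, month = d.year, d.month - months
    while month < 1:
        month += 12
        year -= 1
    last_day = calendar.monthrange(year, month)[1]
    return d.replace(year=year, month=month, day=min(d.day, last_day))


def renewal_window_start(not_after: datetime, cfg: dict) -> datetime:
    """Earliest instant at which a changed certificate is accepted automatically.

    The month and day settings are cumulative, as the page states.
    """
    start = subtract_months(not_after.date(), cfg["renewal_period_months"])
    start -= timedelta(days=cfg["renewal_period_days"])
    return datetime.combine(start, not_after.timetz())


def rdp_certificate_decision(stored: tuple[str, datetime] | None,
                             presented_fp: str, now: datetime, cfg: dict) -> str:
    """Classify a presented certificate against the pinned one.

    stored is (fingerprint, NotAfter) of the certificate saved on first use,
    or None when nothing is stored yet for this host.
    Returns 'trust-on-first-use', 'match', 'auto-renew' or 'reject'.
    """
    if stored is None:
        return "trust-on-first-use"      # first connection: pin this certificate
    stored_fp, stored_not_after = stored
    if presented_fp == stored_fp:
        return "match"                   # unchanged certificate
    if cfg["update_automatically"] and now >= renewal_window_start(stored_not_after, cfg):
        return "auto-renew"              # changed inside the window: replace the pin
    # Changed before the window opened: the connection fails until an
    # administrator deletes the stored certificate in Settings->Hosts.
    return "reject"


if __name__ == "__main__":
    # Constructed stand-ins for DER certificate bytes; real ones come from the TLS handshake.
    old_der, new_der = b"constructed-old-cert", b"constructed-new-cert"
    pinned = (fingerprint(old_der), utc(2025, 6, 30, 12))
    print("window opens:", renewal_window_start(pinned[1], CONFIG).isoformat())
    for when in (utc(2025, 4, 14), utc(2025, 4, 16)):
        print(when.date(), "->", rdp_certificate_decision(pinned, fingerprint(new_der), when, CONFIG))
```

With NotAfter of 2025-06-30 12:00 UTC and the two-months-plus-15-days setting, the window opens on 2025-04-15 12:00 UTC: a changed certificate seen on 14 April is rejected, one seen on 16 April replaces the pinned certificate. Whether PrivX clamps month arithmetic the same way at month ends is an assumption of this model, so when a certificate is scheduled to rotate close to a month boundary, verify the behaviour on a test host rather than relying on the date arithmetic here.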