Configuring the SSH Product-Preference Order
On a host installed with multiple SSH products, Key Manager designates one of the installed SSH clients and one of the installed SSH servers as the preferred SSH client and the preferred SSH server of the host (collectively referred to as preferred SSH products). This has the following impact on management actions:
- New authorizations added via Key Manager are always added for the preferred SSH products of each host. New private keys are added for the preferred SSH client on the source host, and authorized keys are added for the preferred SSH server on the destination host.
- Keys that may belong to multiple SSH products are registered as belonging to the preferred SSH products.
As one example, SSH keys may belong to multiple SSH products when the products are configured with the same SSH key locations. In such cases, Key Manager regards the keys as belonging to the preferred SSH products.
By default, the SSH product-preference order is as follows (in descending order of preference):
- Tectia SSH for Unix and Windows (ssh-g3)
- Tectia Server for IBM z/OS (ssh-g2)
- Centrify OpenSSH (centrifydc-openssh)
- Attachmate RSIT (attachmate-rsit)
- Quest OpenSSH (quest-openssh)
- OpenSSH and SunSSH (openssh)
For example, with the default SSH product-preference order, a host that has been installed with Tectia SSH and OpenSSH would have Tectia SSH designated as its preferred SSH product. On a host with Centrify OpenSSH, Quest OpenSSH, and OpenSSH installed, Centrify OpenSSH is designated as the preferred SSH product.
The preferred SSH client and the preferred SSH server are resolved independently. For example, assume a host is installed with Tectia SSH Server, OpenSSH client, and OpenSSH server. Using the default SSH product-preference order, OpenSSH client is designated as the preferred SSH client, and Tectia SSH Server is designated as the preferred SSH server on the example host.
You can change the SSH product-preference order by performing the following on all Key Manager back ends:
- Open the local-settings file /opt/sshmgr/app/localsettings.py. In the local-settings file, find the PRODUCT_PREFERENCE_ORDER variable.
  If PRODUCT_PREFERENCE_ORDER does not exist in /opt/sshmgr/app/localsettings.py, you can add it according to the instructions in the following steps.
- Specify PRODUCT_PREFERENCE_ORDER to change the SSH product-preference order. The syntax is as follows:
      PRODUCT_PREFERENCE_ORDER = ['product_1', 'product_2', ..., 'product_n']
  The SSH products specified earlier in the list are preferred over those specified later in the list.
  For example, specifying all supported SSH products in some order of preference:
      PRODUCT_PREFERENCE_ORDER = ['ssh-g3', 'ssh-g2', 'centrifydc-openssh', 'attachmate-rsit', 'quest-openssh', 'openssh']
  If you specify only a subset of the supported SSH products, any unspecified SSH products are placed at a lower order of preference than the specified SSH products. The order among unspecified SSH products is similar to the default order.
  As an example, if you specify the following SSH products:
      PRODUCT_PREFERENCE_ORDER = ['openssh', 'ssh-g3', 'quest-openssh']
  The resulting SSH product-preference order would be:
a. OpenSSH and SunSSH (openssh)
b. Tectia SSH for Unix and Windows (ssh-g3)
c. Quest OpenSSH (quest-openssh)
d. Tectia Server for IBM z/OS (ssh-g2)
e. Centrify OpenSSH (centrifydc-openssh)
f. Attachmate RSIT (attachmate-rsit)
- Save the changes to the local-settings file. Then restart the Key Manager back end to apply the changes:
# supervisorctl restart backend:
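To preview which products a candidate PRODUCT_PREFERENCE_ORDER would designate before editing localsettings.py, the ordering rules described above can be modelled as follows. This is an added example, not Key Manager code: the function names are hypothetical, the validation of identifiers is the example's own, and it assumes unspecified products keep their default relative order, as in the subset example above.

```python
# Added illustration of the rules on this page; not part of Key Manager.
# Default order as listed on this page, most preferred first.
DEFAULT_ORDER = ['ssh-g3', 'ssh-g2', 'centrifydc-openssh',
                 'attachmate-rsit', 'quest-openssh', 'openssh']


def effective_order(configured=None):
    """Return the full preference order implied by a PRODUCT_PREFERENCE_ORDER value."""
    configured = list(configured or [])
    # Example-only validation: catch typos that would silently change key placement.
    unknown = [p for p in configured if p not in DEFAULT_ORDER]
    if unknown:
        raise ValueError('unsupported product identifier(s): ' + ', '.join(unknown))
    if len(set(configured)) != len(configured):
        raise ValueError('duplicate product identifier in list')
    # Assumption: unspecified products rank below the specified ones and
    # keep their relative order from the default list.
    return configured + [p for p in DEFAULT_ORDER if p not in configured]


def preferred_products(installed_clients, installed_servers, configured=None):
    """Resolve the preferred client and server independently of each other."""
    order = effective_order(configured)

    def pick(installed):
        # First product in preference order that is installed, else None.
        return next((p for p in order if p in installed), None)

    return pick(installed_clients), pick(installed_servers)


if __name__ == '__main__':
    # Constructed host inventory: OpenSSH client, Tectia and OpenSSH servers.
    clients, servers = {'openssh'}, {'ssh-g3', 'openssh'}
    candidate = ['openssh', 'ssh-g3', 'quest-openssh']
    print('default order  :', preferred_products(clients, servers))
    print('candidate order:', preferred_products(clients, servers, candidate))
    print('effective list :', effective_order(candidate))
```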