SSH Host Client clarification

In this documentation for the SSH Host Client, what is considered to be the SSH Host Client? Is this referring to the bastion server(s)? Or is this referring to the target servers which clients are SSH’ing to?

Regarding port 9748, I’m fuzzy on which server needs this ingress rule. Is the ingress rule to be applied to the SSH Host Client, or to the pritunl-zero server(s)?

The SSH host client is unrelated to a bastion server. It is a small Python script that allows the Pritunl Zero server to automatically update the SSH host certificate. Typically when connecting to a server with SSH for the first time it will prompt to accept the unknown host certificate. This would configure a host certificate and can be combined with configuring the client to require valid host certificates when connecting.

The Pritunl Zero server would need access to port 9748 on each SSH server running the SSH host client. The SSH host client will connect to the Pritunl Zero server, then the Pritunl Zero server will verify that the DNS record for the client’s hostname matches the IP address of the client with a request sent to port 9748.

Thanks for the clarification. So all remote hosts need to allow ingress on 9748/tcp by pritunl-zero servers. Got it.

As for the documentation on configuration I’m a bit fuzzy. From the documentation:

sudo pritunl-ssh-host config add-token YDtJcjNEs2kjijKIaUDl0WpFS69QAjxs
sudo pritunl-ssh-host config hostname server-one
sudo pritunl-ssh-host config server

  1. Where do we get the initial token?
  2. Which config hostname is being asked for here? The pritunl-zero server?
  3. And config server wants the FQDN for the pritunl-zero server?

I found the token, which becomes available when enabling Host certificates in the Authorities section.

The hostname is the name of the server, it must be unique to each server. It will be combined with the Host Domain in the authority settings. The SSH config requires the format * for matching. The Host Domain will be applied to the SSH configuration matching and all servers will need a name under that domain. These full domains will then need to be configured with a DNS provider to point to each server.

The server is the domain name for the Pritunl Zero user interface. This must match the User Domain shown in the node settings.
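The two checks described in the answers above, modelled as an added example (illustrative Python, not the pritunl-ssh-host script or Pritunl Zero’s own code): the server-side rule that a host certificate is only issued when `<hostname>.<Host Domain>` forward-resolves to the address the request came from, and the client-side counterpart, a `known_hosts` `@cert-authority` line scoped to the Host Domain so clients only accept host keys signed by the authority. The function names, the `resolver` parameter and the sample names and addresses are assumptions made for the example; the 9748 callback itself is not modelled.

```python
"""Illustrative model of the host-certificate checks discussed in the thread.
Not Pritunl code: names, signatures and sample data are constructed here."""
import ipaddress
import socket
from typing import Callable, Iterable, List

# A resolver maps an FQDN to its addresses; injectable so the logic can run offline.
Resolver = Callable[[str], Iterable[str]]


def default_resolver(name: str) -> List[str]:
    """Forward-resolve a name to all of its IPv4/IPv6 addresses (live DNS)."""
    infos = socket.getaddrinfo(name, None)
    return sorted({info[4][0] for info in infos})


def fqdn_for(hostname: str, host_domain: str) -> str:
    """Combine the per-server hostname with the authority's Host Domain."""
    return f"{hostname.strip('.')}.{host_domain.strip('.')}"


def dns_matches_client(hostname: str, host_domain: str, client_ip: str,
                       resolver: Resolver = default_resolver) -> bool:
    """Return True only if the FQDN's A/AAAA records include client_ip.

    This is the property the server checks before issuing a host certificate:
    a host may only obtain a certificate for a name that already points at it.
    Unresolvable names and malformed addresses are refused, never accepted.
    """
    fqdn = fqdn_for(hostname, host_domain)
    try:
        wanted = ipaddress.ip_address(client_ip)
        resolved = {ipaddress.ip_address(a) for a in resolver(fqdn)}
    except (ValueError, OSError):
        return False
    return wanted in resolved


def cert_authority_line(host_domain: str, ca_public_key: str) -> str:
    """Build the known_hosts line that pins the authority's CA for *.<host_domain>.

    With this line present (and StrictHostKeyChecking enabled) a client
    accepts a server under the Host Domain only if it presents a host
    certificate signed by this CA, instead of prompting on first connect.
    """
    return f"@cert-authority *.{host_domain.strip('.')} {ca_public_key.strip()}"


if __name__ == "__main__":
    # Constructed sample: an offline resolver standing in for real DNS records.
    table = {"server-one.hosts.example.com": ["203.0.113.10"]}

    def offline(name: str) -> List[str]:
        if name not in table:
            raise OSError("NXDOMAIN")
        return table[name]

    print(dns_matches_client("server-one", "hosts.example.com", "203.0.113.10", offline))
    print(dns_matches_client("server-one", "hosts.example.com", "203.0.113.99", offline))
    print(cert_authority_line("hosts.example.com", "ssh-ed25519 AAAA...constructed..."))
```

The `__main__` block uses a constructed resolver so the script runs without network access; pass no `resolver` argument to check a real name against live DNS. Scoping the `@cert-authority` entry to `*.<Host Domain>` mirrors the answer’s point that every server needs a name under that domain, and keeps the authority from being trusted for hosts outside it.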