Resolving the "Host Key Validation" error when adding ASG/ProxySG device.
Article ID: 231107


Products

Management Center

Issue/Introduction

Host key validation is a feature of the SSH protocol designed to prevent a device from impersonating a legitimate server in order to steal credentials and data (a man-in-the-middle attack). To prevent such attacks, each device has a unique host key that can be used to establish the identity of the host. If a device supports it, Symantec recommends that you enable host key validation because the method can warn you of a man-in-the-middle attack. In that case, Management Center notes that host verification failed and prompts you to verify the SSH host fingerprint.

Resolution

If you receive the "Host Verification Failed" error when adding an ASG/ProxySG device to Management Center (MC), follow the steps below.


You can verify the host fingerprint using one of the following methods:

  • Enter the following command from a terminal that has a trusted network path to the device:
    # ssh-keygen -lf <(ssh-keyscan device_ip 2>/dev/null)
    The system displays the host key fingerprint.
  • Do the following from the device's serial connection:
    1. Enter the following command:
       # (config ssh-console) view host-public-key sshv2
    2. Copy the output to a file, for example, /tmp/hostkey.
    3. Enter the following command from a system running OpenSSH 7.2:
       # ssh-keygen -l -E sha256 -f /tmp/hostkey
       The system displays the host key fingerprint.
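The fingerprint step above, as an added example (Python, not Broadcom/Symantec's or the appliance's own code): it reproduces what `ssh-keygen -l` prints from a public key line, so the fingerprint Management Center shows can be compared against one obtained out-of-band over the serial console. The sample key line is constructed from a dummy ed25519 key and is an assumption for illustration; in practice the line comes from `ssh-keyscan device_ip` or from `view host-public-key sshv2`.

```python
# Added example (not Broadcom/Symantec code): reproduce what
# `ssh-keygen -l` prints from a host public key so a fingerprint shown
# by Management Center can be checked against one obtained out-of-band.
import base64
import hashlib
import hmac
import struct
from typing import Tuple

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def _ssh_string(data: bytes) -> bytes:
    """Encode an RFC 4251 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def parse_public_key_line(line: str) -> Tuple[str, bytes]:
    """Parse an OpenSSH public key line and return (key type, raw key blob).

    Accepts both the 'type base64 [comment]' form (what the appliance's
    'view host-public-key sshv2' prints) and the known_hosts / ssh-keyscan
    form 'host type base64', where the host field comes first.
    """
    parts = line.split()
    if parts and not parts[0].startswith(KEY_TYPE_PREFIXES):
        parts = parts[1:]  # drop the leading host field of known_hosts format
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)
    # The first field of every SSH public key blob is the key type string;
    # it must agree with the textual type, otherwise the line is corrupt.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode("ascii"):
        raise ValueError("key type inside blob does not match the line")
    return key_type, blob


def fingerprint_sha256(blob: bytes) -> str:
    """Format used by `ssh-keygen -l -E sha256`: base64 digest without '=' padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def fingerprint_md5(blob: bytes) -> str:
    """Legacy format used by `ssh-keygen -l -E md5`: colon-separated hex pairs."""
    digest = hashlib.md5(blob).hexdigest()
    return "MD5:" + ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprints_match(shown: str, expected: str) -> bool:
    """Compare a displayed fingerprint with the trusted one.

    Whitespace is ignored; MD5 fingerprints are case-insensitive hex, SHA256
    ones are case-sensitive base64. The comparison is constant-time.
    """
    def norm(s: str) -> bytes:
        s = "".join(s.split())
        if s.upper().startswith("MD5:"):
            s = s.lower()
        return s.encode("ascii", "replace")
    return hmac.compare_digest(norm(shown), norm(expected))


# Constructed sample: an ssh-ed25519 blob built from a dummy 32-byte key
# (0x01 repeated). It is not a real appliance key; a real line would come from
# `ssh-keyscan device_ip` or the appliance's `view host-public-key sshv2`.
_DUMMY_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(b"\x01" * 32)
SAMPLE_KEY_LINE = ("ssh-ed25519 "
                   + base64.b64encode(_DUMMY_BLOB).decode("ascii")
                   + " proxysg-host-key")
# Same key as ssh-keyscan would print it (host field first, no comment).
SAMPLE_KEYSCAN_LINE = "192.0.2.10 " + SAMPLE_KEY_LINE.rsplit(" ", 1)[0]


if __name__ == "__main__":
    key_type, blob = parse_public_key_line(SAMPLE_KEY_LINE)
    print(key_type, fingerprint_sha256(blob))
    print(key_type, fingerprint_md5(blob))
```

The type check against the blob matters because the textual type and the blob are the two fields a user eyeballs; a fingerprint of a blob whose embedded type disagrees with the label is not a fingerprint of the key you think you are verifying. `fingerprints_match` normalises only what legitimately varies between tools (whitespace, hex case) so a pasted fingerprint from the serial console compares cleanly against the one MC displays.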

In Management Center, select the "System-defined: default" SSL Context Override option to resolve the "Host Key Validation" error. See the snippet below for the expected settings.

Ensure the device name is unique (not the same name used in a previous attempt to add the same appliance). Do not forget to click the "Save" button.

The device has now been successfully added to the MC using the public key. See the snippet below.

Additional Information

Note that if port 8082 is used to manage devices, it does not have the same access level as port 22 (because of the enable password in the CLI); as a result, certain operations, such as executing scripts from Management Center on either Content Analysis System or ProxySG, may fail with an "Invalid Credentials" error. This is especially common if an older release of Content Analysis System was upgraded to a newer release, because on older CAS releases an enable password was not mandatory.