Managing Multiple SSH Host Keys per Site in EFT

Overview

EFT now supports assigning multiple SSH host keys to a single SFTP site. This allows EFT administrators to:

  • Support different client security requirements (for example, legacy SSH RSA and modern ECDSA/ED25519 clients) on the same site.

  • Rotate host keys with minimal downtime by keeping old and new keys active during a defined grace period.

  • Avoid creating and managing duplicate sites just to support different host key types.

What Are SSH Host Keys and Why Use Multiple?

An SSH host key is the identity of your SFTP server. When a client connects:

  1. The client connects to your SFTP server.

  2. The server presents one or more host keys.

  3. The client validates the host key against what it has stored or been configured with.

With multiple host keys per site, EFT can present several host keys, and the client and server negotiate which one to use based on both sides' supported algorithms. This enables you to:

  • Host legacy and modern key formats on a single site.

  • Support mixed client ecosystems during long migration windows.

  • Perform host key changes with significantly less coordination effort.

Scope of this feature:

  • Applies to site host keys for SFTP/SSH.

  • Allows multiple host key formats to be assigned to the same site.

  • Does not change user-level key behavior; this change is focused on site host keys.

Behavior and Limitations

Maximum Number of Host Keys per Site

  • There is no enforced upper limit on the number of SSH host keys that can be assigned to a site.

  • However, adding many keys can slow the initial SSH handshake, because the client and server must negotiate across more key options.

Best Practice

Limit each site to the minimum practical number of host keys (for example, one legacy RSA key plus one or two modern keys) to balance compatibility and performance.

SSH Host Key Negotiation Order

When a client connects to an EFT SFTP site that has multiple host keys:

  1. If the client explicitly specifies HostKeyAlgorithms, the client’s specified order takes precedence.

  2. If the client does not specify host key algorithms:

    • EFT and the client each present their list of supported host key algorithms.

    • EFT selects the first matching algorithm between the client’s list and the set of host keys configured for the site.

Implications for Administrators

  • If a client must use a particular key type, verify that:

    • The key type is configured on the EFT site.

    • The client supports or explicitly requests that key type via its configuration.
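As an added illustration (not EFT's code), the following Python simulates the RFC 4253 host key algorithm negotiation described above for a site with several host keys; the key-type-to-algorithm table and the client profiles are constructed assumptions.

```python
"""Simulate SSH host key algorithm negotiation (RFC 4253, section 7.1) against
a site that presents several host keys. Added illustration only, not EFT code;
the key-type table and client profiles are constructed assumptions."""

# Signature algorithms each host key type can be offered with (constructed
# table for the key types the document names; DSA is omitted here).
KEY_TYPE_ALGS = {
    "RSA": ["rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"],
    "ECDSA": ["ecdsa-sha2-nistp256"],
    "ED25519": ["ssh-ed25519"],
}

def server_host_key_algs(site_key_types):
    """Algorithms a site can serve, in the order its host keys are listed."""
    return [alg for t in site_key_types for alg in KEY_TYPE_ALGS[t]]

def negotiate(client_algs, site_key_types):
    """First algorithm in the client's preference order that the site can
    serve; None means the handshake fails (no common host key algorithm).
    The client's order wins, as the document notes."""
    offered = set(server_host_key_algs(site_key_types))
    return next((alg for alg in client_algs if alg in offered), None)

def clients_left_behind(site_key_types, clients):
    """Names of client profiles that could no longer connect with this key
    set; run it before removing a deprecated key during a rotation."""
    return [name for name, algs in clients.items()
            if negotiate(algs, site_key_types) is None]

# Constructed client profiles (HostKeyAlgorithms preference lists).
LEGACY_CLIENT = ["ssh-rsa"]                           # SHA-1 RSA only
MODERN_CLIENT = ["ssh-ed25519", "ecdsa-sha2-nistp256",
                 "rsa-sha2-512", "rsa-sha2-256"]      # no ssh-rsa at all
PINNED_CLIENT = ["ssh-ed25519"]                       # HostKeyAlgorithms=ssh-ed25519

if __name__ == "__main__":
    clients = {"legacy": LEGACY_CLIENT, "modern": MODERN_CLIENT, "pinned": PINNED_CLIENT}
    for site in (["RSA"], ["RSA", "ECDSA"], ["RSA", "ECDSA", "ED25519"], ["ED25519"]):
        print(site, {n: negotiate(a, site) for n, a in clients.items()},
              "left behind:", clients_left_behind(site, clients))
```

Running it shows why a site with only an RSA key turns away a client pinned to ssh-ed25519, and why a site with only ED25519 leaves the legacy client behind.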

Understanding Key Creation Options in EFT

When you create a new SSH key in EFT, the Create SSH2 Public/Private Key Pair dialog presents three options. These determine how EFT treats the new key and where it will be used:

  • Create as a host key for: <The selected site>

    • Use this when you want the new key to act as a site host key for the selected EFT site.

    • The key is created and immediately assigned to the site as one of its SSH host keys.

    • With the multi-host key enhancement, this option adds the key to the site’s existing host keys instead of replacing them.

    • Choose this when:

      • You are adding a new host key type (for example, RSA/DSA/ECDSA/ED25519) alongside an existing key.

      • You are performing a host key rotation and need both old and new keys valid for a grace period.

  • Create as a client key pair

    • Use this when you need a key pair that a client will use to authenticate to an SFTP server, not as a site host key.

    • EFT generates a public/private key pair intended for client authentication scenarios (for example, EFT connecting out to another SFTP server, or a user authenticating with a key).

    • The generated key pair is not presented as a host key to inbound SFTP clients and is not used as the server’s identity for the site.

  • Just create key pair

    • Use this when you want to generate a key pair without assigning it immediately as a site host key or a client key.

    • EFT creates a standalone key pair that can later be:

      • Assigned as a host key to a site via the SFTP Key Manager, or

      • Used as a client key pair in other configurations.

    • This option is useful when you want to pre-stage keys, test different key types, or manage keys centrally before deciding how they will be used.

How EFT Handles Multiple Site Host Keys

With this feature, EFT changes how it manages site host keys in the following ways:

Creating New Host Keys

  • When you create a new SSH host key and select “Assign to site”, EFT now adds the new key to the site’s existing host keys.

  • The new key does not replace the existing key. Instead, it becomes an additional valid host key for that site.

Assigning Existing Host Keys via SFTP Key Manager

  • You can assign existing host keys to a site using the SFTP Key Manager.

  • Each assigned key is:

    • Added to the site’s list of supported host keys.

    • Marked as assigned to the corresponding site (for example, “assigned to <Site name>”).

NOTE: SSH keys are ranked according to their order in the SFTP Settings window. However, the client has priority during negotiation, so the final negotiated list may not match the order presented by the server.

Deleting Host Keys

  • When you delete a host key in the SFTP Key Manager:

    • The key is also removed from any sites to which it was assigned.

    • Clients relying on that host key will no longer be able to validate the server using that key.

Exporting Host Keys

  • When you export host keys via the SSH Key Manager dialog:

    • EFT exports the selected host key(s).

  • This makes it easier to distribute all relevant public keys to partners at once.

User Interface

  • In the site’s SSH Key Manager settings, EFT displays the list of host keys assigned to the site, typically as a comma-separated list of key names.

  • You can view other sites' keys by selecting the dropdown menu option under Current site.

Configuring Multiple SSH Host Keys per Site via Site SSH Key Manager

Step 1: Open Site Properties

  1. Launch the EFT administration console.

  2. Select the Site.

  3. Under Connections select the SFTP Config button to configure the site SFTP settings.

  4. Open the site’s SSH Key Manager settings.

Step 2: Create or Import Additional Host Keys

You can either create new keys in EFT or import existing keys.

Create a New Host Key

  1. In the SFTP settings, click Create new key pair.

  2. Enter a name for the SSH key.

  3. Select the desired key type (for example, RSA, DSA, ECDSA, ED25519).

  4. Select the desired key length.

  5. Enter and confirm a password for the key.

  6. Select the Create as host key for: <Site Name> radio button.

  7. Select the Add to site to support multiple host keys radio button.

  8. Complete the wizard and save your changes.

Result: The new host key is added to the list of site host keys. The existing keys remain active.

Import an Existing Host Key

  1. Open the SFTP Settings.

  2. Click on Manage.

  3. Select Import from the SSH Key Manager.

  4. Select and import the key file.

  5. After importing, select the imported key using the checkbox.

  6. Click on the Set Site Key(s) button to associate the key with the site.

NOTE: Public keys alone cannot be assigned to the site; only keys that include both the private and public keys can be assigned. If you import only the public key, the Set Site Key(s) button is dimmed.

Step 3: Verify the Assigned Host Keys

  1. View the SSH Key Manager Assigned column.

  2. Verify that the SSH key shows the assigned site(s) under the Assigned column.

  3. Return to the SFTP Settings dialog.

  4. Confirm that the SFTP private key field lists multiple keys (for example, Site_RSA_Key, Site_ECDSA_Key).

  5. If desired, use the Export function to export all host keys for this site and share the public keys with your SFTP clients.

Step 4: Test Client Connections

  1. Test with a legacy client that expects the older key type (for example, SSH RSA).

  2. Test with a modern client that uses or prefers newer algorithms (for example, ED25519, ECDSA).

  3. For clients that enforce a specific algorithm, configure the client’s host key algorithm preference (for example, HostKeyAlgorithms in OpenSSH).

Confirm that:

  • Both kinds of clients can connect successfully to the same SFTP site.

  • Clients are negotiating the expected host key type.
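One way to confirm from the client side which host key types the site actually presents is to parse the output of OpenSSH's ssh-keyscan (for example, ssh-keyscan -t rsa,ecdsa,ed25519 <host>). The following added Python example (not part of EFT) does that on a constructed sample and computes the SHA256 fingerprint shown by ssh-keygen -l, which you can compare against the keys exported in Step 3.

```python
"""Check which host key types an SFTP site presents, from the output of
`ssh-keyscan -t rsa,ecdsa,ed25519 <host>` (OpenSSH). Added example, not part
of EFT; the scan output below is constructed, not captured from a real server."""
import base64
import hashlib
import struct

def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def _blob(key_type: str, *fields: bytes) -> str:
    """Base64 public key blob whose first field names the key type."""
    raw = _ssh_string(key_type.encode()) + b"".join(_ssh_string(f) for f in fields)
    return base64.b64encode(raw).decode()

# Constructed scan output for one site with two host keys (dummy key material:
# a 32-byte filler for ED25519, a dummy exponent and modulus for RSA).
SAMPLE_SCAN = "\n".join([
    "# sftp.example.test:22 SSH-2.0-constructed",
    "sftp.example.test ssh-ed25519 " + _blob("ssh-ed25519", b"\x11" * 32),
    "sftp.example.test ssh-rsa " + _blob("ssh-rsa", b"\x01\x00\x01", b"\x00\xc3" * 16),
])

def parse_keyscan(output: str) -> dict:
    """Map each declared key type to its SHA256 fingerprint (ssh-keygen -l
    style). A line whose blob does not start with the declared type is rejected."""
    found = {}
    for line in output.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        _host, declared, b64 = line.split()[:3]
        raw = base64.b64decode(b64)
        (n,) = struct.unpack(">I", raw[:4])
        if raw[4:4 + n].decode() != declared:
            raise ValueError(f"key type mismatch on line: {line!r}")
        digest = hashlib.sha256(raw).digest()
        found[declared] = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return found

def missing_types(output: str, expected) -> set:
    """Key types the site should present (per its EFT configuration) but did not."""
    return set(expected) - set(parse_keyscan(output))

if __name__ == "__main__":
    for key_type, fp in parse_keyscan(SAMPLE_SCAN).items():
        print(key_type, fp)
    print("missing:", missing_types(SAMPLE_SCAN, {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256"}))
```

Replace SAMPLE_SCAN with the real ssh-keyscan output of your site; a non-empty result from missing_types means a key you assigned in EFT is not being offered to clients.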

Performance Considerations and Best Practices

  • Minimize Number of Keys per Site

    • While there is no hard maximum, each additional key increases negotiation overhead. Use only the key types you need to support your client base.

  • Document Client Requirements

    • Some clients are configured to disconnect if ssh-rsa is present. For such environments:

      • Ensure those clients are configured to prefer or restrict to modern host key algorithms.

      • Consider phasing out older algorithms when no longer required.

  • Plan Key Rotations

    • Announce changes ahead of time.

    • Use a grace period where both keys are valid.

    • Remove deprecated keys only after confirming all necessary clients have migrated.

  • Security Posture

    • Periodically review the host key algorithms in use.

    • Decommission outdated or weak key types when security policies require.