Install SSH Host Client

Install Pritunl Zero SSH host client

The Pritunl Zero SSH host client is available on most Linux distributions. The client is a small Python script used to retrieve the SSH host certificate from the Pritunl Zero server. The source code is available in the pritunl-zero-client repository.


After the client is installed it will run every minute from the /etc/cron.d/pritunl-ssh-host file. When the certificate is less then 10 minutes from expiration a new host certificate will be requested from the Pritunl Zero server. Host verification is with a DNS based HTTP challenge similar to the Lets Encrypt verification process. Although the host tokens should be kept private a compromised host token will not effect the validity of host certificates. An attacker will still need a valid DNS entry on the authority domain pointing to their server to retrieve a host certificate.


First the HTTP challenge port 9748 must be open for the Pritunl Zero server. Use the commands below to configure the required settings, these commands can be automated and run multiple times. It is important to add the tokens first as once a certificate is retrieved a new one will not be retrieved until it expires. Once done a certificate will be retrieved in a minute when the cron script runs. The command sudo pritunl-ssh-host can be run to verify it is working. The command sudo pritunl-ssh-host renew can be used to force a certificate renewal. The server hostname must be set to the first part of the servers DNS record. For the server the hostname will be server-one. The domain portion is set in the Pritunl Zero authority settings.

sudo pritunl-ssh-host config add-token YDtJcjNEs2kjijKIaUDl0WpFS69QAjxs
sudo pritunl-ssh-host config hostname server-one
sudo pritunl-ssh-host config server

Automated Route 53 DNS Entry

The host client can automatically update Route 53 records to the public IP address of the host. To do this the Python 2.7 Boto 3 library must be installed. The host does not need to be on AWS for this feature. The safest way to handle AWS credentials is with IAM Roles, the AWS credential commands below can be ignored if the instance has an IAM role configured. The AWS credentials will need permission to read the hosted zones and make changes to the configured zone. The host domain will be the hostname + '.' + route_53_zone. The Route 53 record will be updated every hour.

sudo pritunl-ssh-host config aws-access-key AWS_ACCESS_KEY
sudo pritunl-ssh-host config aws-secret-key AWS_SECRET_KEY
sudo pritunl-ssh-host config route-53-zone


Install the pritunl-ssh-host package on Linux. Refer to the Repositories page for a list of available repositories.