How to verify host keys using OpenSSH and DNS
---------------------------------------------

OpenSSH contains support for verifying host keys using DNS as described
in https://tools.ietf.org/html/rfc4255. This document contains very brief
instructions on how to use this feature. Configuring DNS (zone
maintenance, DNSSEC signing, resolver setup) is out of the scope of this
document.


(1) Server: Generate and publish the DNS RR

To create a DNS resource record (RR) containing a fingerprint of the
public host key, use the following command:

	ssh-keygen -r hostname -f keyfile -g

where "hostname" is your fully qualified hostname and "keyfile" is the
file containing the public host key. If you have multiple host keys
(for example RSA, ECDSA and Ed25519), generate one RR for each key; a
client accepts the host key if any published record matches it.

In the example above, ssh-keygen will print the fingerprint in a
generic DNS RR format (the "TYPE44" unknown-type syntax of RFC 3597)
parsable by most modern name server implementations. If your name
server has support for the SSHFP RR, you can omit the -g flag and
ssh-keygen will print a standard SSHFP RR. Current versions of
ssh-keygen print one record per supported fingerprint type (SHA-1 and
SHA-256), so expect two lines per key.

To publish the fingerprint using the DNS you must add the generated RR
to your DNS zone file and sign your zone with DNSSEC. An unsigned SSHFP
record can be spoofed like any other DNS answer, so the client treats a
fingerprint that was not DNSSEC-validated as informational only (see
(2) below).


(2) Client: Enable ssh to verify host keys using DNS

To enable the ssh client to verify host keys using DNS, you have to
add the following option to the ssh configuration file
($HOME/.ssh/config or /etc/ssh/ssh_config):

	VerifyHostKeyDNS yes

Upon connection the client will try to look up the fingerprint RR
using DNS. If the fingerprint received from the DNS server matches
the remote host key, the user will be notified. Whether the match is
trusted depends on DNSSEC: only a fingerprint obtained through a
validating resolver (one that sets the AD bit in its answer) is
treated as secure, and with "VerifyHostKeyDNS yes" a host key matching
such a record is accepted without prompting. A matching fingerprint
that was not DNSSEC-validated is handled as if the option were set to
"ask": the match is displayed, but the user still has to confirm the
new host key according to StrictHostKeyChecking. Because the AD bit is
only as trustworthy as the resolver that set it, use a local validating
resolver or one reached over a trusted network. Running "ssh -v" shows
whether secure or insecure fingerprints were found in DNS for a host.
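The script below is an added example, not part of this README or of OpenSSH. It re-implements what "ssh-keygen -r" computes (the SSHFP algorithm number from the key type and a SHA-1 or SHA-256 digest over the raw key blob, per RFC 4255 and RFC 6594) so that the record contents can be inspected offline, and it performs the same client-side comparison ssh makes between a presented host key and the SSHFP records it received. It cannot show the DNSSEC part: whether a record counts as secure is decided by the resolver's AD bit, not by the record contents. The hostname host.example.com and the ssh-ed25519 key are constructed for the example (the key is a dummy 32-byte value, not a real key).

```python
"""Compute and check SSHFP records for an OpenSSH public host key.
Added example: a re-implementation of the ssh-keygen -r computation,
not ssh-keygen's own code."""
import base64
import hashlib
import hmac
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479) keyed by the
# OpenSSH key-type string that opens the public key blob.
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}

# SSHFP fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594).
SSHFP_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}


def parse_public_key(line):
    """Return (key_type, raw_blob) from an OpenSSH public key line such as
    "ssh-ed25519 AAAA... comment". The first string inside the blob must
    equal the key type on the line; a mismatch means a corrupt or
    tampered key file, so refuse it rather than guess."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type = fields[0]
    blob = base64.b64decode(fields[1], validate=True)
    (length,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + length].decode("ascii") != key_type:
        raise ValueError("key type on line does not match key blob")
    return key_type, blob


def sshfp_records(hostname, line, fp_types=(1, 2)):
    """Produce zone-file lines with the same fields ssh-keygen -r prints:
    one SSHFP record per fingerprint type, each a digest over the raw
    key blob (not over the base64 text)."""
    key_type, blob = parse_public_key(line)
    algo = SSHFP_ALGORITHMS[key_type]
    records = []
    for fp_type in fp_types:
        digest = SSHFP_HASHES[fp_type](blob).hexdigest()
        records.append("%s IN SSHFP %d %d %s" % (hostname, algo, fp_type, digest))
    return records


def parse_sshfp(record):
    """Split "host IN SSHFP algo fptype hex" into (algo, fptype, hex)."""
    fields = record.split()
    if len(fields) < 6 or fields[2].upper() != "SSHFP":
        raise ValueError("not an SSHFP record")
    return int(fields[3]), int(fields[4]), fields[5].lower()


def host_key_matches(line, records):
    """Client-side check: does the presented host key match any of the
    SSHFP records? Records for another algorithm or an unknown
    fingerprint type are skipped, as ssh does."""
    key_type, blob = parse_public_key(line)
    algo = SSHFP_ALGORITHMS[key_type]
    for record in records:
        r_algo, r_type, r_hex = parse_sshfp(record)
        if r_algo != algo or r_type not in SSHFP_HASHES:
            continue
        digest = SSHFP_HASHES[r_type](blob).hexdigest()
        if hmac.compare_digest(digest, r_hex):
            return True
    return False


def constructed_ed25519_key(raw=bytes(range(32))):
    """A syntactically valid ssh-ed25519 public key line built from a
    dummy 32-byte value (constructed for this example; not a real key)."""
    key_type = b"ssh-ed25519"
    blob = (struct.pack(">I", len(key_type)) + key_type
            + struct.pack(">I", len(raw)) + raw)
    return "ssh-ed25519 %s example@host.example.com" % (
        base64.b64encode(blob).decode("ascii"))


if __name__ == "__main__":
    key = constructed_ed25519_key()
    rrs = sshfp_records("host.example.com.", key)
    for rr in rrs:
        print(rr)
    print("presented key matches published records:", host_key_matches(key, rrs))
```

Feed a real key file's contents (e.g. the line in /etc/ssh/ssh_host_ed25519_key.pub) to sshfp_records and the output should agree with "ssh-keygen -r hostname -f /etc/ssh/ssh_host_ed25519_key.pub" field for field; disagreement means the zone carries a stale or wrong record.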


	Jakob Schlyter
	Wesley Griffin


$OpenBSD: README.dns,v 1.2 2003/10/14 19:43:23 jakob Exp $