Comment: Canonical* infos

...

No Format
# ssh-keygen -r prints the SSHFP records for the given hostname (here "www")
# from each host public key that exists on the machine
test -f /etc/ssh/ssh_host_rsa_key.pub && ssh-keygen -r www -f /etc/ssh/ssh_host_rsa_key.pub
test -f /etc/ssh/ssh_host_dsa_key.pub && ssh-keygen -r www -f /etc/ssh/ssh_host_dsa_key.pub
test -f /etc/ssh/ssh_host_ecdsa_key.pub && ssh-keygen -r www -f /etc/ssh/ssh_host_ecdsa_key.pub

Unfortunately, ssh-keygen -r usually lags one key algorithm behind the key types ssh-keygen itself can generate, so we usually use the openssl method shown in the next paragraph instead.

Manual extraction of SSHFP record contents from /etc/ssh/ssh_host_*_key.pub

To generate the values for the SSHFP records of a host, use these commands:

No Format
HN=$(hostname -s)
I="1"
# SSHFP algorithm numbers: 1 = RSA, 2 = DSA, 3 = ECDSA (the loop order below)
for ALGO in rsa dsa ecdsa ; do
  if [ -f /etc/ssh/ssh_host_${ALGO}_key.pub ] ; then
    # fingerprint type 1: SHA-1 of the base64-decoded key blob (second field of the .pub file)
    echo -n "$HN SSHFP $I 1 " ; awk '{print $2}' /etc/ssh/ssh_host_${ALGO}_key.pub | openssl base64 -d -A | openssl sha1 | cut -f2 -d' '
    # fingerprint type 2: SHA-256 of the same blob
    echo -n "$HN SSHFP $I 2 " ; awk '{print $2}' /etc/ssh/ssh_host_${ALGO}_key.pub | openssl base64 -d -A | openssl sha256 | cut -f2 -d' '
  fi
  I=$(($I+1))
done

Telling ssh to respect SSHFP records

...

No Format
dig www.clazzes.org SSHFP
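The loop above produces the records to publish, and dig shows what the zone actually serves. As an added example (not part of the original page), the following POSIX sh script closes that loop: it computes the SSHFP fingerprints (type 1 = SHA-1, type 2 = SHA-256) from a public-key line the same way the page's pipeline does, then checks them against SSHFP records in the form dig prints them. The key line and the records are constructed sample data (the blob "YWJj" is just base64 for "abc", not a real key); the only assumptions are that the base64 and openssl binaries are available.

```shell
#!/bin/sh
# Added example: verify published SSHFP records against a local public key.
# Fingerprint types: 1 = SHA-1, 2 = SHA-256. Algorithm numbers as in the
# page's loop: 1 = RSA, 2 = DSA, 3 = ECDSA.

# Print the lowercase hex fingerprint of the key blob in a public-key line.
# $1 = public key line ("ssh-rsa <base64 blob> comment"), $2 = fingerprint type
sshfp_fp() {
  blob=$(printf '%s\n' "$1" | awk '{print $2}')
  case "$2" in
    1) printf '%s' "$blob" | base64 -d | openssl sha1   | awk '{print $NF}' ;;
    2) printf '%s' "$blob" | base64 -d | openssl sha256 | awk '{print $NF}' ;;
    *) echo "unknown SSHFP fingerprint type: $2" >&2; return 1 ;;
  esac
}

# Return 0 if at least one SSHFP record in $2 (dig/zone-file lines such as
# "www.example.org. 3600 IN SSHFP 1 2 <hex>") for algorithm number $3 matches
# the key line in $1, otherwise 1. Records for other algorithms are ignored,
# and the hex digits are compared case-insensitively since dig prints uppercase.
sshfp_check() {
  printf '%s\n' "$2" | awk -v a="$3" '$4 == "SSHFP" && $5 == a {print $6, tolower($7)}' | (
    while read -r fptype hexfp; do
      [ "$(sshfp_fp "$1" "$fptype")" = "$hexfp" ] && exit 0
    done
    exit 1
  )
}

# Constructed sample input (not a real key): "YWJj" is base64 for "abc".
SAMPLE_KEY="ssh-rsa YWJj constructed@example"
# Constructed records in the form dig prints them; both fingerprint types of
# the sample key for algorithm 1 (RSA).
SAMPLE_RECORDS="www.example.org. 3600 IN SSHFP 1 1 A9993E364706816ABA3E25717850C26C9CD0D89D
www.example.org. 3600 IN SSHFP 1 2 BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD"

if sshfp_check "$SAMPLE_KEY" "$SAMPLE_RECORDS" 1; then
  echo "published SSHFP data matches the local key"
else
  echo "no published SSHFP record matches the local key" >&2
fi
```

On a real host, replace the sample key with `cat /etc/ssh/ssh_host_rsa_key.pub` and the sample records with the answer section of `dig +short` (prefixed with the owner name, TTL and class, or adjust the awk field numbers); a mismatch after a key rotation means the DNS side still carries the old fingerprint and clients with VerifyHostKeyDNS will fall back to prompting.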

OpenSSH Options to use SSHFP records

To turn on SSHFP lookups, VerifyHostKeyDNS must be set to ask or yes.

Consider setting StrictHostKeyChecking to ask or yes, too.

Because DNS itself is not trusted, and probably to avoid parsing OS-specific files like resolv.conf, until recently one had to use the full canonical hostname for the SSHFP check to match. The following paragraph describes the solution introduced with OpenSSH 6.5.

OpenSSH 6.5 to allow using non-canonical hostnames

From OpenSSH 6.5 on (Debian: wheezy-backports) it's possible to enable canonicalization by the ssh client.

Here is a list of the Canonical* options of OpenSSH 6.5; each paragraph starts with the (commented-out) default value, followed by my example value:

No Format
#CanonicalDomains
CanonicalDomains internal.site.mydomain.foo mydomain.foo partners.mydomain.foo

#CanonicalizeFallbackLocal no
CanonicalizeFallbackLocal yes

#CanonicalizeHostname no
#CanonicalizeHostname yes
CanonicalizeHostname always

CanonicalizeMaxDots 1

CanonicalizePermittedCNAMEs *.mydomain.foo:*

This approach should only be used if the nameservers can be trusted, i.e. you use only your own well-managed DNS servers or the domains are protected by DNSSEC.

Further reading

...