...
```sh
test -f /etc/ssh/ssh_host_rsa_key.pub && ssh-keygen -r www -f /etc/ssh/ssh_host_rsa_key.pub
test -f /etc/ssh/ssh_host_dsa_key.pub && ssh-keygen -r www -f /etc/ssh/ssh_host_dsa_key.pub
test -f /etc/ssh/ssh_host_ecdsa_key.pub && ssh-keygen -r www -f /etc/ssh/ssh_host_ecdsa_key.pub
```
Unfortunately, ssh-keygen -r usually lags one key algorithm behind the key types ssh-keygen itself can generate, so we usually use the openssl method shown in the next paragraph.
Manual extraction of SSHFP records contents from /etc/ssh/ssh_host_*_key.pub
To generate the values for the SSHFP records of a host, use these commands:
```sh
HN=$(hostname -s)
# SSHFP algorithm numbers: 1 = RSA, 2 = DSA, 3 = ECDSA; the loop order below assigns them.
I="1"
for ALGO in rsa dsa ecdsa ; do
  if [ -f /etc/ssh/ssh_host_${ALGO}_key.pub ] ; then
    # fingerprint type 1: SHA-1 of the base64-decoded key blob (second field of the .pub line)
    echo -n "$HN SSHFP $I 1 "
    awk '{print $2}' /etc/ssh/ssh_host_${ALGO}_key.pub | openssl base64 -d -A | openssl sha1 | cut -f2 -d' '
    # fingerprint type 2: SHA-256 of the same blob
    echo -n "$HN SSHFP $I 2 "
    awk '{print $2}' /etc/ssh/ssh_host_${ALGO}_key.pub | openssl base64 -d -A | openssl sha256 | cut -f2 -d' '
  fi
  I=$(($I+1))
done
```
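The same computation in Python, as an added example that is not part of this page (the page's own method is the shell pipeline above): it maps the key type in a public-key line to its SSHFP algorithm number, hashes the base64-decoded key blob with SHA-1 and SHA-256, and prints records in the `<owner> IN SSHFP <algo> <fptype> <hex>` layout that ssh-keygen -r uses. It goes one step beyond the loop above by also covering Ed25519 keys (algorithm 4, RFC 7479). The function names and the sample key, built from a counting byte pattern in valid OpenSSH wire format, are constructed for the example.

```python
import base64
import hashlib

# SSHFP algorithm numbers: RFC 4255 (RSA=1, DSA=2), RFC 6594 (ECDSA=3), RFC 7479 (Ed25519=4).
SSHFP_ALGO = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594).
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


def sshfp_records(owner: str, pubkey_line: str, fptypes=(1, 2)) -> list:
    """Return zone-file lines for one ssh_host_*_key.pub line.

    The fingerprint is the hash of the base64-decoded key blob (the second
    field of the .pub line), which is exactly what the openssl pipeline on
    this page computes.
    """
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<keytype> <base64> [comment]'")
    keytype, b64 = fields[0], fields[1]
    if keytype not in SSHFP_ALGO:
        raise ValueError(f"no SSHFP algorithm number for key type {keytype}")
    blob = base64.b64decode(b64, validate=True)
    return [
        f"{owner} IN SSHFP {SSHFP_ALGO[keytype]} {fptype} {SSHFP_HASH[fptype](blob).hexdigest()}"
        for fptype in fptypes
    ]


def _ssh_string(b: bytes) -> bytes:
    """Encode an SSH wire-format string (uint32 big-endian length prefix)."""
    return len(b).to_bytes(4, "big") + b


# Constructed sample key (example assumption): valid OpenSSH wire format, but the
# 32 key bytes are a counting pattern, not a real key. On a real host, read the
# line from /etc/ssh/ssh_host_ed25519_key.pub instead.
SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_KEY_LINE = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " root@www"

if __name__ == "__main__":
    for line in sshfp_records("www", SAMPLE_KEY_LINE):
        print(line)
```

Feeding the function each `/etc/ssh/ssh_host_*_key.pub` line in turn yields the full set of records for a host; the SHA-256 (type 2) records are the ones worth publishing today, the SHA-1 records exist for clients that predate RFC 6594.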
Telling ssh to respect SSHFP records
...
```sh
dig www.clazzes.org SSHFP
```
OpenSSH Options to use SSHFP records
To turn on SSHFP activities, `VerifyHostKeyDNS` must be set to `ask` or `yes`. Consider setting `StrictHostKeyChecking` to `ask` or `yes`, too.
Due to a lack of trust in the DNS system, and probably to avoid parsing OS specifics like resolv.conf, up until recently one had to use the full canonical hostname for the SSHFP check to match. The following paragraph describes the solution introduced with OpenSSH 6.5.
OpenSSH 6.5 to allow using non-canonical hostnames
From OpenSSH 6.5 on (Debian: wheezy-backports) it is possible to enable hostname canonicalization in the ssh client.
Here is a list of the Canonical* options of OpenSSH 6.5, with the default values leading each paragraph and my example values afterwards:
```
#CanonicalDomains
CanonicalDomains internal.site.mydomain.foo mydomain.foo partners.mydomain.foo
#CanonicalizeFallbackLocal no
CanonicalizeFallbackLocal yes
#CanonicalizeHostname no
#CanonicalizeHostname yes
CanonicalizeHostname always
CanonicalizeMaxDots 1
CanonicalizePermittedCNAMEs *.mydomain.foo:*
```
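To show what the options above change for the SSHFP check, here is an added simulation that is neither OpenSSH code nor part of this page: a client canonicalizes the typed hostname against the CanonicalDomains list, looks up SSHFP records for the resulting name, and compares them with the key the server presented, which is the decision VerifyHostKeyDNS rests on. The zone data, the host keys (counting byte patterns in valid wire format) and all function names are constructed; the canonicalization is a simplified model of CanonicalizeHostname, CanonicalDomains, CanonicalizeMaxDots and CanonicalizeFallbackLocal that ignores CanonicalizePermittedCNAMEs and the ProxyCommand-related difference between `yes` and `always`.

```python
import base64
import hashlib


def _ssh_string(b: bytes) -> bytes:
    """Encode an SSH wire-format string (uint32 big-endian length prefix)."""
    return len(b).to_bytes(4, "big") + b


# Constructed host keys (example assumption, not real keys).
HOST_KEY_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
HOST_KEY_LINE = "ssh-ed25519 " + base64.b64encode(HOST_KEY_BLOB).decode() + " root@www"
ROGUE_KEY_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(1, 33)))
ROGUE_KEY_LINE = "ssh-ed25519 " + base64.b64encode(ROGUE_KEY_BLOB).decode() + " root@elsewhere"


def sshfp_hex(blob: bytes, fptype: int) -> str:
    """Fingerprint of a key blob: type 1 = SHA-1, type 2 = SHA-256."""
    return {1: hashlib.sha1, 2: hashlib.sha256}[fptype](blob).hexdigest()


def sshfp_algo(keytype: str) -> int:
    """SSHFP algorithm number for an OpenSSH key type (RFC 4255/6594/7479)."""
    if keytype.startswith("ecdsa-sha2-"):
        return 3
    return {"ssh-rsa": 1, "ssh-dss": 2, "ssh-ed25519": 4}[keytype]


# Constructed zone data standing in for what dig would return.
# SSHFP entries are (algorithm, fptype, hex). Only the canonical name carries records.
ZONE = {
    "www.mydomain.foo": {
        "A": "192.0.2.10",
        "SSHFP": [(4, 2, sshfp_hex(HOST_KEY_BLOB, 2))],
    },
}


def canonicalize(hostname, canonical_domains, max_dots=1, fallback_local=True):
    """Simplified model of CanonicalizeHostname=yes (an assumption of this example).

    A name with more than max_dots dots is used as typed. Otherwise each
    CanonicalDomains suffix is tried in order and the first one that resolves
    wins; if none does, CanonicalizeFallbackLocal decides between using the
    name as typed and failing.
    """
    if hostname.count(".") > max_dots:
        return hostname
    for domain in canonical_domains:
        candidate = f"{hostname}.{domain}"
        if "A" in ZONE.get(candidate, {}):
            return candidate
    if fallback_local:
        return hostname
    raise LookupError(f"{hostname}: no canonical name and CanonicalizeFallbackLocal is no")


def sshfp_check(lookup_name: str, pubkey_line: str) -> str:
    """Compare the presented key with the SSHFP records published for lookup_name.

    Returns 'match', 'mismatch' or 'no-records'. A record only counts when both
    its algorithm number and its fingerprint agree with the presented key.
    """
    keytype, b64, *_ = pubkey_line.split()
    algo = sshfp_algo(keytype)
    blob = base64.b64decode(b64)
    records = ZONE.get(lookup_name, {}).get("SSHFP", [])
    if not records:
        return "no-records"
    for r_algo, r_fptype, r_hex in records:
        if r_algo == algo and sshfp_hex(blob, r_fptype) == r_hex:
            return "match"
    return "mismatch"


def connect(typed_name, pubkey_line, canonicalize_hostname,
            canonical_domains=("internal.site.mydomain.foo", "mydomain.foo", "partners.mydomain.foo")):
    """Return (name used for the DNS lookup, SSHFP result) for one connection attempt."""
    name = canonicalize(typed_name, canonical_domains) if canonicalize_hostname else typed_name
    return name, sshfp_check(name, pubkey_line)


if __name__ == "__main__":
    print(connect("www", HOST_KEY_LINE, canonicalize_hostname=False))  # pre-6.5 behaviour
    print(connect("www", HOST_KEY_LINE, canonicalize_hostname=True))
    print(connect("www", ROGUE_KEY_LINE, canonicalize_hostname=True))
```

With canonicalization off, `ssh www` looks up SSHFP for the bare name and finds nothing, which is the pre-6.5 situation described above; with it on, `www` is expanded to `www.mydomain.foo`, the SHA-256 record matches the real key, and a different key presented under the same name is reported as a mismatch. Real OpenSSH additionally requires the answer to be DNSSEC-validated before it trusts a match without asking, which this simulation does not model.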
This approach should only be used if the nameservers can be trusted, i.e. you only use your own well-managed DNSes or the domains are protected by DNSSEC.
Further reading
- How-To from Frillip's BLog: https://frillip.com/blog/2012/03/howto-dns-sshfp-records-and-ssh-fingerprints/
- RFCs: RFC4255 introduced SSHFP, RFC6594 added support for ECDSA keys
- German Wikipedia entry on SSHFP records
...