
Introduction

I recently learnt (thanks Jacomo!) that the public parts of SSH host keys can be put into the DNS, using SSHFP records.

Here are a few notes on this topic.

Having ssh-keygen propose SSHFP record content

ssh-keygen -r hostname [-f public-key-file] prints complete zone-file lines for hostname. Newer OpenSSH releases print two lines per key, one with fingerprint type 1 (SHA-1) and one with type 2 (SHA-256); adding -g prints the generic RDATA syntax for name servers that do not know the SSHFP type:

# one SSHFP record set per host key type that exists on this host
test -f /etc/ssh/ssh_host_rsa_key.pub && ssh-keygen -r www -f /etc/ssh/ssh_host_rsa_key.pub
test -f /etc/ssh/ssh_host_dsa_key.pub && ssh-keygen -r www -f /etc/ssh/ssh_host_dsa_key.pub
test -f /etc/ssh/ssh_host_ecdsa_key.pub && ssh-keygen -r www -f /etc/ssh/ssh_host_ecdsa_key.pub
# ed25519 host keys exist on newer OpenSSH installations (SSHFP algorithm 4)
test -f /etc/ssh/ssh_host_ed25519_key.pub && ssh-keygen -r www -f /etc/ssh/ssh_host_ed25519_key.pub

Manual extraction of SSHFP records contents from /etc/ssh/ssh_host_*_key.pub

To generate the values for the SSHFP records of a host by hand, use these commands. The RDATA is "algorithm fingerprint-type hex-fingerprint": the algorithm number is 1 for RSA, 2 for DSA, 3 for ECDSA and 4 for Ed25519; the fingerprint type is 1 for SHA-1 and 2 for SHA-256. The fingerprint is the hash of the raw key blob, i.e. of the base64 field of the .pub file after decoding:

# public RSA key: algorithm 1, fingerprint type 1 (SHA-1)
if [ -f /etc/ssh/ssh_host_rsa_key.pub ] ; then
  echo -n "1 1 "
  # field 2 of the .pub line is the base64 key blob; hash the decoded blob
  cut -f2 -d' ' /etc/ssh/ssh_host_rsa_key.pub |openssl base64 -d -A |openssl sha1 |cut -f2 -d' '
fi
# public DSA key: algorithm 2, fingerprint type 1 (SHA-1)
if [ -f /etc/ssh/ssh_host_dsa_key.pub ] ; then
  echo -n "2 1 "
  cut -f2 -d' ' /etc/ssh/ssh_host_dsa_key.pub |openssl base64 -d -A |openssl sha1 |cut -f2 -d' '
fi

Telling ssh to respect SSHFP records

In /etc/ssh/ssh_config or ~/.ssh/config, or with -o on the command line, set the VerifyHostKeyDNS option to yes:

VerifyHostKeyDNS yes

Values are:

  • yes: implicitly trust keys that match an SSHFP record, but only when the resolver reports the DNS answer as secure (DNSSEC-validated, the ad flag set); a matching record from an insecure answer is handled as if the option were set to ask
  • ask: check the SSHFP records and display the result, but still ask whether the key is to be trusted
  • no (default): do not check SSHFP records at all

Without DNSSEC, SSHFP therefore never removes the interactive check; anyone who can spoof the DNS answer could otherwise publish a matching record for an attacker's key.

Depending on the value of StrictHostKeyChecking, keys that are not trusted through DNS or known_hosts are refused (yes), asked about (ask), or accepted with a fat warning (no).
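The two operations above, computing SSHFP RDATA from a key file and checking a presented host key against SSHFP records, as an added example in Python. This is not code from the original page or from OpenSSH; it reimplements the fingerprint step of ssh-keygen -r and the record-matching step of VerifyHostKeyDNS for all four algorithm numbers and both fingerprint types. The DNS lookup and the DNSSEC decision between yes and ask are deliberately left out. The host name host.example.org and the key line built by make_test_pubkey() are constructed test input: the blob has the SSH wire layout of an ssh-ed25519 key, but the key bytes are arbitrary, so it is not a usable key, only something to fingerprint.

```python
"""SSHFP RDATA generation and host-key matching for OpenSSH public keys.

Added example, not from the original page or from OpenSSH. Reimplements the
fingerprint step of `ssh-keygen -r` and the matching step of VerifyHostKeyDNS;
the DNS query and the DNSSEC (secure vs. insecure answer) decision are omitted.
"""
import base64
import hashlib

# SSHFP algorithm numbers (RFC 4255 / RFC 6594 / RFC 7479), keyed by OpenSSH key type.
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}

# SSHFP fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594).
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


def parse_pubkey_line(line):
    """Return (key_type, key_blob) from an OpenSSH 'type base64 [comment]' line."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, b64 = fields[0], fields[1]
    blob = base64.b64decode(b64, validate=True)
    # The blob begins with the key type as an SSH string; it must agree with field 1.
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n].decode("ascii", "replace") != key_type:
        raise ValueError("key type inside the blob does not match the text field")
    return key_type, blob


def sshfp_rdata(line, fptype=2):
    """SSHFP RDATA '<algorithm> <fptype> <hex fingerprint>' for one public-key line.

    The fingerprint is the hash of the raw key blob (the decoded base64 field),
    which is exactly what ssh-keygen -r and the openssl pipeline on this page hash.
    """
    key_type, blob = parse_pubkey_line(line)
    algorithm = SSHFP_ALGORITHM[key_type]
    fingerprint = SSHFP_HASH[fptype](blob).hexdigest()
    return f"{algorithm} {fptype} {fingerprint}"


def sshfp_records(line):
    """The two records newer ssh-keygen -r prints per key: SHA-1, then SHA-256."""
    return [sshfp_rdata(line, 1), sshfp_rdata(line, 2)]


def host_key_matches(line, records):
    """True if any SSHFP RDATA string in `records` matches the presented host key.

    Only records whose algorithm number fits the key are considered; the
    fingerprint is recomputed with the record's own hash type and compared
    case-insensitively. Malformed records and unknown fingerprint types are
    skipped rather than treated as a match.
    """
    key_type, blob = parse_pubkey_line(line)
    algorithm = SSHFP_ALGORITHM[key_type]
    for record in records:
        try:
            alg, fptype, fingerprint = record.split()
            alg, fptype = int(alg), int(fptype)
        except ValueError:
            continue  # malformed record
        if alg != algorithm or fptype not in SSHFP_HASH:
            continue
        if SSHFP_HASH[fptype](blob).hexdigest() == fingerprint.lower():
            return True
    return False


def make_test_pubkey(raw=None):
    """Constructed test input: an ssh-ed25519 public-key line with a dummy key.

    Layout follows the SSH wire format (string "ssh-ed25519", string 32 key
    bytes) so it parses like a real key; the key bytes are arbitrary.
    """
    raw = bytes(range(32)) if raw is None else raw
    ssh_string = lambda b: len(b).to_bytes(4, "big") + b
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} test@example"


if __name__ == "__main__":
    line = make_test_pubkey()
    records = sshfp_records(line)
    for rdata in records:  # zone-file lines, like ssh-keygen -r host.example.org
        print(f"host.example.org. IN SSHFP {rdata}")
    print("matches DNS records:", host_key_matches(line, records))
```

Run the file to see the two zone-file lines for the constructed key; feed a real /etc/ssh/ssh_host_*_key.pub line to sshfp_records() and the output should equal what ssh-keygen -r prints for that file.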

Retrieving records

To retrieve the SSHFP records "raw", dig for them:

dig www.clazzes.org SSHFP

Adding +dnssec to the query shows whether the answer carries the ad (authenticated data) flag; that flag is what ssh uses to decide whether a matching record is secure and may be trusted without asking.

Further reading
