mirror of
				https://github.com/PowerShell/Win32-OpenSSH.git
				synced 2025-10-25 17:53:59 +02:00 
			
		
		
		
	
		
			
				
	
	
		
			48 lines
		
	
	
		
			1.6 KiB
		
	
	
	
		
			Plaintext
		
	
	
	
	
	
			
		
		
	
	
			48 lines
		
	
	
		
			1.6 KiB
		
	
	
	
		
			Plaintext
		
	
	
	
	
	
| How to verify host keys using OpenSSH and DNS
 | |
| ---------------------------------------------
 | |
| 
 | |
| OpenSSH contains support for verifying host keys using DNS as described in
 | |
| draft-ietf-secsh-dns-05.txt. The document contains very brief instructions
 | |
| on how to use this feature. Configuring DNS is out of the scope of this
 | |
| document.
 | |
| 
 | |
| 
 | |
| (1) Server: Generate and publish the DNS RR
 | |
| 
 | |
| To create a DNS resource record (RR) containing a fingerprint of the
 | |
| public host key, use the following command:
 | |
| 
 | |
| 	ssh-keygen -r hostname -f keyfile -g
 | |
| 
 | |
| where "hostname" is your fully qualified hostname and "keyfile" is the
 | |
| file containing the public host key file. If you have multiple keys,
 | |
| you should generate one RR for each key.
 | |
| 
 | |
| In the example above, ssh-keygen will print the fingerprint in a
 | |
| generic DNS RR format parsable by most modern name server
 | |
| implementations. If your nameserver has support for the SSHFP RR
 | |
| you can omit the -g flag and ssh-keygen will print a standard SSHFP RR.
 | |
| 
 | |
| To publish the fingerprint using the DNS you must add the generated RR
 | |
| to your DNS zone file and sign your zone.
 | |
| 
 | |
| 
 | |
| (2) Client: Enable ssh to verify host keys using DNS
 | |
| 
 | |
| To enable the ssh client to verify host keys using DNS, you have to
 | |
| add the following option to the ssh configuration file
 | |
| ($HOME/.ssh/config or /etc/ssh/ssh_config):
 | |
| 
 | |
|     VerifyHostKeyDNS yes
 | |
| 
 | |
| Upon connection the client will try to look up the fingerprint RR
 | |
| using DNS. If the fingerprint received from the DNS server matches
 | |
| the remote host key, the user will be notified.
 | |
| 
 | |
| 
 | |
| 	Jakob Schlyter
 | |
| 	Wesley Griffin
 | |
| 
 | |
| 
 | |
| $OpenBSD: README.dns,v 1.2 2003/10/14 19:43:23 jakob Exp $
 |