53 lines
1.7 KiB
Plaintext
53 lines
1.7 KiB
Plaintext
How to verify host keys using OpenSSH and DNS
|
|
---------------------------------------------
|
|
|
|
OpenSSH contains experimental support for verifying host keys using DNS
|
|
as described in draft-ietf-secsh-dns-xx.txt. The document contains
|
|
very brief instructions on how to test this feature. Configuring DNS
|
|
and DNSSEC is out of the scope of this document.
|
|
|
|
|
|
(1) Enable DNS fingerprint support in OpenSSH
|
|
|
|
configure --with-dns
|
|
|
|
(2) Generate and publish the DNS RR
|
|
|
|
To create a DNS resource record (RR) containing a fingerprint of the
|
|
public host key, use the following command:
|
|
|
|
ssh-keygen -r hostname -f keyfile -g
|
|
|
|
where "hostname" is your fully qualified hostname and "keyfile" is the
|
|
file containing the public host key file. If you have multiple keys,
|
|
you should generate one RR for each key.
|
|
|
|
In the example above, ssh-keygen will print the fingerprint in a
|
|
generic DNS RR format parsable by most modern name server
|
|
implementations. If your nameserver has support for the SSHFP RR, as
|
|
defined by the draft, you can omit the -g flag and ssh-keygen will
|
|
print a standard RR.
|
|
|
|
To publish the fingerprint using the DNS you must add the generated RR
|
|
to your DNS zone file and sign your zone.
|
|
|
|
|
|
(3) Enable the ssh client to verify host keys using DNS
|
|
|
|
To enable the ssh client to verify host keys using DNS, you have to
|
|
add the following option to the ssh configuration file
|
|
($HOME/.ssh/config or /etc/ssh/ssh_config):
|
|
|
|
VerifyHostKeyDNS yes
|
|
|
|
Upon connection the client will try to look up the fingerprint RR
|
|
using DNS. If the fingerprint received from the DNS server matches
|
|
the remote host key, the user will be notified.
|
|
|
|
|
|
Jakob Schlyter
|
|
Wesley Griffin
|
|
|
|
|
|
$OpenBSD: README.dns,v 1.1 2003/05/14 18:16:20 jakob Exp $
|