How to verify host keys using OpenSSH and DNS
---------------------------------------------

OpenSSH contains support for verifying host keys using DNS as described
in https://tools.ietf.org/html/rfc4255. This document contains very brief
instructions on how to use this feature. Configuring DNS is out of the
scope of this document.


(1) Server: Generate and publish the DNS RR

To create a DNS resource record (RR) containing a fingerprint of the
public host key, use the following command:

	ssh-keygen -r hostname -f keyfile -g

where "hostname" is your fully qualified hostname and "keyfile" is the
file containing the public host key. If you have multiple keys, you
should generate one RR for each key.

In the example above, ssh-keygen will print the fingerprint in a
generic DNS RR format parsable by most modern name server
implementations. If your nameserver has support for the SSHFP RR
you can omit the -g flag and ssh-keygen will print a standard SSHFP RR.

To publish the fingerprint using the DNS you must add the generated RR
to your DNS zone file and sign your zone.


(2) Client: Enable ssh to verify host keys using DNS

To enable the ssh client to verify host keys using DNS, you have to
add the following option to the ssh configuration file
($HOME/.ssh/config or /etc/ssh/ssh_config):

	VerifyHostKeyDNS yes

Upon connection the client will try to look up the fingerprint RR
using DNS. If the fingerprint received from the DNS server matches
the remote host key, the user will be notified.


	Jakob Schlyter
	Wesley Griffin


$OpenBSD: README.dns,v 1.2 2003/10/14 19:43:23 jakob Exp $
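Both steps above, the server-side RR generation of (1) and the client-side match of (2), as an added example that is not OpenSSH's own code: it derives SSHFP records (standard form and the -g generic form) from an OpenSSH public-key line and checks an offered host key against a set of records. The key line is a constructed sample rather than a real key, and the RR text layout follows ssh-keygen's output in spirit, not byte for byte.

```python
import base64
import hashlib
import struct
# SSHFP RDATA code points: algorithm (RFC 4255 RSA=1, DSA=2; RFC 6594 ECDSA=3;
# RFC 7479 Ed25519=4) and fingerprint type (SHA-1=1, RFC 6594 SHA-256=2).
SSHFP_ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2, "ssh-ed25519": 4, "ecdsa-sha2-nistp256": 3,
                    "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3}
SSHFP_FPTYPES = {"sha1": 1, "sha256": 2}

def decode_pubkey(line):
    # Parse an OpenSSH public-key line ("type base64 [comment]") into (type, blob).
    keytype, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    # The blob opens with the key type as an SSH string (uint32 length + bytes); check it.
    if not blob.startswith(struct.pack(">I", len(keytype)) + keytype.encode()):
        raise ValueError("key type in blob does not match line")
    return keytype, blob

def fingerprint(blob, fptype):
    # The SSHFP fingerprint is the hash of the wire-format public key blob.
    return hashlib.new(fptype, blob).hexdigest()

def sshfp_records(hostname, line, generic=False):
    # Server side: one RR per fingerprint type, as "ssh-keygen -r" prints.
    keytype, blob = decode_pubkey(line)
    alg, out = SSHFP_ALGORITHMS[keytype], []
    for name, fpt in SSHFP_FPTYPES.items():
        fp = fingerprint(blob, name)
        if generic:  # RFC 3597 unknown-type syntax, the -g form (SSHFP is type 44)
            out.append("%s IN TYPE44 \\# %d %02x %02x %s" % (hostname, 2 + len(fp) // 2, alg, fpt, fp))
        else:
            out.append("%s IN SSHFP %d %d %s" % (hostname, alg, fpt, fp))
    return out

def host_key_matches(line, records):
    # Client side: match the offered host key against SSHFP RRs in presentation form
    # (the last three fields are algorithm, fingerprint type and hex fingerprint).
    keytype, blob = decode_pubkey(line)
    names = {v: k for k, v in SSHFP_FPTYPES.items()}
    for rr in records:
        alg, fpt, fp = rr.split()[-3:]
        if int(alg) == SSHFP_ALGORITHMS[keytype] and int(fpt) in names \
                and fingerprint(blob, names[int(fpt)]) == fp.lower():
            return True
    return False

# Constructed sample: an ed25519 line whose 32-byte "key" is all 0x42 (not a real key).
_KT = b"ssh-ed25519"
SAMPLE_KEY = "ssh-ed25519 %s constructed" % base64.b64encode(
    struct.pack(">I", len(_KT)) + _KT + struct.pack(">I", 32) + b"\x42" * 32).decode()
```

A match is only as trustworthy as the DNS answer it came from: ssh treats a matching SSHFP record as authoritative only when the resolver reports it as DNSSEC-validated, which is why step (1) ends with signing the zone.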