[gssapi-openssh.git] / openssh / README.dns

How to verify host keys using OpenSSH and DNS
---------------------------------------------

OpenSSH contains support for verifying host keys using DNS as described in
draft-ietf-secsh-dns-05.txt. The document contains very brief instructions
on how to use this feature. Configuring DNS is out of the scope of this
document.


(1) Server: Generate and publish the DNS RR

To create a DNS resource record (RR) containing a fingerprint of the
public host key, use the following command:

	ssh-keygen -r hostname -f keyfile -g

where "hostname" is your fully qualified hostname and "keyfile" is the
file containing the public host key file. If you have multiple keys,
you should generate one RR for each key.

In the example above, ssh-keygen will print the fingerprint in a
generic DNS RR format parsable by most modern name server
implementations. If your nameserver has support for the SSHFP RR
you can omit the -g flag and ssh-keygen will print a standard SSHFP RR.

To publish the fingerprint using the DNS you must add the generated RR
to your DNS zone file and sign your zone.


(2) Client: Enable ssh to verify host keys using DNS

To enable the ssh client to verify host keys using DNS, you have to
add the following option to the ssh configuration file
($HOME/.ssh/config or /etc/ssh/ssh_config):

    VerifyHostKeyDNS yes

Upon connection the client will try to look up the fingerprint RR
using DNS. If the fingerprint received from the DNS server matches
the remote host key, the user will be notified.


	Jakob Schlyter
	Wesley Griffin


$OpenBSD: README.dns,v 1.2 2003/10/14 19:43:23 jakob Exp $
Commit	Line	Data
c9307018	1	How to verify host keys using OpenSSH and DNS
	2	---------------------------------------------
	3
540d72c3	4	OpenSSH contains support for verifying host keys using DNS as described in
	5	draft-ietf-secsh-dns-05.txt. The document contains very brief instructions
	6	on how to use this feature. Configuring DNS is out of the scope of this
	7	document.
c9307018	8
c9307018	9
540d72c3	10	(1) Server: Generate and publish the DNS RR
c9307018	11
	12	To create a DNS resource record (RR) containing a fingerprint of the
	13	public host key, use the following command:
	14
	15	ssh-keygen -r hostname -f keyfile -g
	16
	17	where "hostname" is your fully qualified hostname and "keyfile" is the
	18	file containing the public host key file. If you have multiple keys,
	19	you should generate one RR for each key.
	20
	21	In the example above, ssh-keygen will print the fingerprint in a
	22	generic DNS RR format parsable by most modern name server
540d72c3	23	implementations. If your nameserver has support for the SSHFP RR
540d72c3	24	you can omit the -g flag and ssh-keygen will print a standard SSHFP RR.
c9307018	25
	26	To publish the fingerprint using the DNS you must add the generated RR
	27	to your DNS zone file and sign your zone.
	28
	29
540d72c3	30	(2) Client: Enable ssh to verify host keys using DNS
c9307018	31
	32	To enable the ssh client to verify host keys using DNS, you have to
	33	add the following option to the ssh configuration file
	34	($HOME/.ssh/config or /etc/ssh/ssh_config):
	35
	36	VerifyHostKeyDNS yes
	37
	38	Upon connection the client will try to look up the fingerprint RR
	39	using DNS. If the fingerprint received from the DNS server matches
	40	the remote host key, the user will be notified.
	41
	42
	43	Jakob Schlyter
	44	Wesley Griffin
	45
	46
540d72c3	47	$OpenBSD: README.dns,v 1.2 2003/10/14 19:43:23 jakob Exp $