How to verify host keys using OpenSSH and DNS
---------------------------------------------

OpenSSH contains support for verifying host keys using DNS as described in
draft-ietf-secsh-dns-05.txt. This document contains very brief instructions
on how to use this feature. Configuring DNS is out of the scope of this
document.


(1) Server: Generate and publish the DNS RR

To create a DNS resource record (RR) containing a fingerprint of the
public host key, use the following command:

    ssh-keygen -r hostname -f keyfile -g

where "hostname" is your fully qualified hostname and "keyfile" is the
file containing the public host key. If you have multiple keys,
you should generate one RR for each key.

In the example above, ssh-keygen will print the fingerprint in a
generic DNS RR format parsable by most modern name server
implementations. If your nameserver has support for the SSHFP RR
you can omit the -g flag and ssh-keygen will print a standard SSHFP RR.

To publish the fingerprint using the DNS you must add the generated RR
to your DNS zone file and sign your zone.


(2) Client: Enable ssh to verify host keys using DNS

To enable the ssh client to verify host keys using DNS, you have to
add the following option to the ssh configuration file
($HOME/.ssh/config or /etc/ssh/ssh_config):

    VerifyHostKeyDNS yes

Upon connection the client will try to look up the fingerprint RR
using DNS. If the fingerprint received from the DNS server matches
the remote host key, the user will be notified.
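The following is an added example, not part of README.dns or of OpenSSH, that makes both steps above concrete without needing ssh-keygen or a name server. It builds the SSHFP record for a public host key in the two presentation forms described in step (1) (the standard SSHFP form and the generic TYPE44 form that the -g flag produces) and then performs the client-side comparison of step (2): hash the key blob the server offered and compare it against whatever SSHFP records the lookup returned. The algorithm and fingerprint-type numbers follow RFC 4255 and RFC 6594 (1 = SHA-1, 2 = SHA-256; the 2003 draft only had SHA-1). The hostname host.example.com., the helper names, and the ssh-ed25519 key line are constructed for the example; the key bytes are a fixed pattern, not a real key.

```python
"""Build SSHFP records for OpenSSH public host keys and check a key against them.

Added example, not part of README.dns or OpenSSH. Reproduces the two output
forms of ``ssh-keygen -r hostname -f keyfile`` (with and without -g) from the
key blob alone, and performs the fingerprint comparison an SSH client makes
after its DNS lookup. Numbers follow RFC 4255 / RFC 6594.
"""
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594) keyed by OpenSSH key type.
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}

# SSHFP fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594).
FP_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}

SSHFP_RRTYPE = 44  # IANA RR type number for SSHFP, used by the generic (-g) form


def parse_pubkey_line(line):
    """Return (key_type, raw_blob) from one line of an OpenSSH public key file."""
    fields = line.strip().split()
    if len(fields) < 2:
        raise ValueError("malformed public key line")
    key_type, b64 = fields[0], fields[1]
    blob = base64.b64decode(b64, validate=True)
    # The blob starts with a length-prefixed key type string; it must match column one.
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen].decode("ascii", "replace") != key_type:
        raise ValueError("key type in blob does not match key type field")
    return key_type, blob


def sshfp_records(hostname, pubkey_line, generic=False, fp_types=(1, 2)):
    """Return SSHFP records for one key, one record per fingerprint type.

    generic=False gives 'host IN SSHFP alg fptype hex' (ssh-keygen default);
    generic=True gives the 'TYPE44 \\# rdlen hex' form that ssh-keygen -g
    prints for name servers without native SSHFP support.
    """
    key_type, blob = parse_pubkey_line(pubkey_line)
    alg = SSHFP_ALGORITHM[key_type]
    out = []
    for fpt in fp_types:
        digest = FP_TYPES[fpt](blob).hexdigest()
        if generic:
            rdlen = 2 + len(digest) // 2  # algorithm byte + fp-type byte + digest
            out.append("%s IN TYPE%d \\# %d %02x %02x %s"
                       % (hostname, SSHFP_RRTYPE, rdlen, alg, fpt, digest))
        else:
            out.append("%s IN SSHFP %d %d %s" % (hostname, alg, fpt, digest))
    return out


def parse_sshfp_record(record):
    """Return (alg, fptype, fingerprint_hex) from either presentation form."""
    fields = record.split()
    if "SSHFP" in fields:
        i = fields.index("SSHFP")
        return int(fields[i + 1]), int(fields[i + 2]), fields[i + 3].lower()
    if "\\#" in fields:
        i = fields.index("\\#")
        hexdata = "".join(fields[i + 2:])  # skip the rdlen field, join hex groups
        return int(hexdata[0:2], 16), int(hexdata[2:4], 16), hexdata[4:].lower()
    raise ValueError("not an SSHFP record")


def host_key_matches(pubkey_line, records):
    """Client-side check: does any SSHFP record match this offered host key?

    Records for other algorithms or unknown fingerprint types are skipped, not
    treated as mismatches: a host may publish records for keys it did not offer.
    """
    key_type, blob = parse_pubkey_line(pubkey_line)
    alg = SSHFP_ALGORITHM[key_type]
    for rec in records:
        r_alg, r_fpt, r_fp = parse_sshfp_record(rec)
        if r_alg != alg or r_fpt not in FP_TYPES:
            continue
        if FP_TYPES[r_fpt](blob).hexdigest() == r_fp:
            return True
    return False


def make_constructed_ed25519_line(comment="constructed-example"):
    """Build a syntactically valid ssh-ed25519 public key line.

    Constructed sample input: the 32 key bytes are a fixed pattern, not a real
    key, so the example runs offline without ssh-keygen.
    """
    ktype = b"ssh-ed25519"
    key_bytes = bytes(range(32))
    blob = struct.pack(">I", len(ktype)) + ktype + struct.pack(">I", 32) + key_bytes
    return "%s %s %s" % (ktype.decode(), base64.b64encode(blob).decode(), comment)


if __name__ == "__main__":
    line = make_constructed_ed25519_line()
    for rr in sshfp_records("host.example.com.", line):
        print(rr)
    for rr in sshfp_records("host.example.com.", line, generic=True):
        print(rr)
    print("matches:", host_key_matches(line, sshfp_records("host.example.com.", line)))
```

Running the file prints the records that would go into the zone for each fingerprint type; pointing `sshfp_records` at each real `/etc/ssh/ssh_host_*_key.pub` gives one record per key, as step (1) asks. Note that the comparison in `host_key_matches` is only as trustworthy as the DNS answer: the records carry assurance only when the zone is signed, as step (1) requires, and the resolver validates the signature.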


Jakob Schlyter
Wesley Griffin


$OpenBSD: README.dns,v 1.2 2003/10/14 19:43:23 jakob Exp $