[openssh.git] / README.dns

How to verify host keys using OpenSSH and DNS
---------------------------------------------

OpenSSH contains experimental support for verifying host keys using DNS
as described in draft-ietf-secsh-dns-xx.txt. The document contains
very brief instructions on how to test this feature. Configuring DNS
and DNSSEC is out of the scope of this document.


(1) Enable DNS fingerprint support in OpenSSH

Edit /usr/src/usr.bin/ssh/Makefile.inc and uncomment the line containing

	CFLAGS+= -DDNS


(2) Generate and publish the DNS RR

To create a DNS resource record (RR) containing a fingerprint of the
public host key, use the following command:

	ssh-keygen -r hostname -f keyfile -g

where "hostname" is your fully qualified hostname and "keyfile" is the
file containing the public host key file. If you have multiple keys,
you should generate one RR for each key.

In the example above, ssh-keygen will print the fingerprint in a
generic DNS RR format parsable by most modern name server
implementations. If your nameserver has support for the SSHFP RR, as
defined by the draft, you can omit the -g flag and ssh-keygen will
print a standard RR.

To publish the fingerprint using the DNS you must add the generated RR
to your DNS zone file and sign your zone.


(3) Enable the ssh client to verify host keys using DNS

To enable the ssh client to verify host keys using DNS, you have to
add the following option to the ssh configuration file
($HOME/.ssh/config or /etc/ssh/ssh_config):

    VerifyHostKeyDNS yes

Upon connection the client will try to look up the fingerprint RR
using DNS. If the fingerprint received from the DNS server matches
the remote host key, the user will be notified.


	Jakob Schlyter
	Wesley Griffin


$OpenBSD: README.dns,v 1.1 2003/05/14 18:16:20 jakob Exp $
Commit	Line	Data
21289cd0	1	How to verify host keys using OpenSSH and DNS
	2	---------------------------------------------
	3
	4	OpenSSH contains experimental support for verifying host keys using DNS
	5	as described in draft-ietf-secsh-dns-xx.txt. The document contains
	6	very brief instructions on how to test this feature. Configuring DNS
	7	and DNSSEC is out of the scope of this document.
	8
	9
	10	(1) Enable DNS fingerprint support in OpenSSH
	11
	12	Edit /usr/src/usr.bin/ssh/Makefile.inc and uncomment the line containing
	13
	14	CFLAGS+= -DDNS
	15
	16
	17	(2) Generate and publish the DNS RR
	18
	19	To create a DNS resource record (RR) containing a fingerprint of the
	20	public host key, use the following command:
	21
	22	ssh-keygen -r hostname -f keyfile -g
	23
	24	where "hostname" is your fully qualified hostname and "keyfile" is the
	25	file containing the public host key file. If you have multiple keys,
	26	you should generate one RR for each key.
	27
	28	In the example above, ssh-keygen will print the fingerprint in a
	29	generic DNS RR format parsable by most modern name server
	30	implementations. If your nameserver has support for the SSHFP RR, as
	31	defined by the draft, you can omit the -g flag and ssh-keygen will
	32	print a standard RR.
	33
	34	To publish the fingerprint using the DNS you must add the generated RR
	35	to your DNS zone file and sign your zone.
	36
	37
	38	(3) Enable the ssh client to verify host keys using DNS
	39
	40	To enable the ssh client to verify host keys using DNS, you have to
	41	add the following option to the ssh configuration file
	42	($HOME/.ssh/config or /etc/ssh/ssh_config):
	43
	44	VerifyHostKeyDNS yes
	45
	46	Upon connection the client will try to look up the fingerprint RR
	47	using DNS. If the fingerprint received from the DNS server matches
	48	the remote host key, the user will be notified.
	49
	50
	51	Jakob Schlyter
	52	Wesley Griffin
	53
	54
	55	$OpenBSD: README.dns,v 1.1 2003/05/14 18:16:20 jakob Exp $