How to verify host keys using OpenSSH and DNS
---------------------------------------------

OpenSSH contains experimental support for verifying host keys using DNS
as described in draft-ietf-secsh-dns-xx.txt. This document contains
very brief instructions on how to test this feature. Configuring DNS
and DNSSEC is out of the scope of this document.


(1) Enable DNS fingerprint support in OpenSSH

Edit /usr/src/usr.bin/ssh/Makefile.inc and uncomment the line containing

	CFLAGS+= -DDNS


(2) Generate and publish the DNS RR

To create a DNS resource record (RR) containing a fingerprint of the
public host key, use the following command:

	ssh-keygen -r hostname -f keyfile -g

where "hostname" is your fully qualified hostname and "keyfile" is the
file containing the public host key. If you have multiple host keys,
you should generate one RR for each key.

In the example above, ssh-keygen will print the fingerprint in a
generic DNS RR format parsable by most modern name server
implementations. If your nameserver has support for the SSHFP RR, as
defined by the draft, you can omit the -g flag and ssh-keygen will
print a standard SSHFP RR.

To publish the fingerprint using the DNS you must add the generated RR
to your DNS zone file and sign your zone.


(3) Enable the ssh client to verify host keys using DNS

To enable the ssh client to verify host keys using DNS, you have to
add the following option to the ssh configuration file
($HOME/.ssh/config or /etc/ssh/ssh_config):

	VerifyHostKeyDNS yes

Upon connection the client will try to look up the fingerprint RR
using DNS. If the fingerprint received from the DNS server matches
the remote host key, the user will be notified.
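As an added example (not code from this README or from OpenSSH), the Python below builds the SSHFP record that step (2) describes, both in the standard presentation form and in the generic "TYPE44" form that the -g flag emits, and performs the fingerprint comparison that the client makes in step (3). It uses the algorithm and fingerprint-type numbers later assigned for SSHFP (RFC 4255, RFC 6594, RFC 7479), so it covers SHA-256 and Ed25519, which the draft era on this page did not; the sample key is constructed from dummy bytes and is not a real host key.

```python
import base64
import hashlib
import struct

# SSHFP algorithm and fingerprint-type numbers from the IANA registry
# (RFC 4255 / 6594 / 7479); the draft this README refers to used SHA-1 only.
SSHFP_ALG = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
             "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
SSHFP_FPTYPE = {"sha1": 1, "sha256": 2}


def key_blob(pubkey_line):
    """Decode an OpenSSH public-key line ('<type> <base64> [comment]') to its raw blob."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    (n,) = struct.unpack(">I", blob[:4])   # blob starts with a length-prefixed type string
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key type in line does not match the encoded blob")
    return keytype, blob


def sshfp_rdata(pubkey_line, fptype):
    """Return (algorithm, fptype, digest): the fingerprint is a hash of the whole key blob."""
    keytype, blob = key_blob(pubkey_line)
    return SSHFP_ALG[keytype], SSHFP_FPTYPE[fptype], hashlib.new(fptype, blob).digest()


def sshfp_record(hostname, pubkey_line, fptype="sha256", generic=False):
    """Zone-file line: standard SSHFP form, or the RFC 3597 'TYPE44 \\# len hex' form (-g)."""
    alg, fpt, digest = sshfp_rdata(pubkey_line, fptype)
    if generic:
        rdata = bytes([alg, fpt]) + digest
        return f"{hostname}. IN TYPE44 \\# {len(rdata)} {rdata.hex()}"
    return f"{hostname}. IN SSHFP {alg} {fpt} {digest.hex()}"


def sshfp_matches(pubkey_line, record):
    """Client-side check (standard SSHFP form only): does the offered key match the RR?"""
    fields = record.split()
    alg, fpt, fp_hex = int(fields[-3]), int(fields[-2]), fields[-1].lower()
    fptype = {v: k for k, v in SSHFP_FPTYPE.items()}[fpt]
    got_alg, got_fpt, digest = sshfp_rdata(pubkey_line, fptype)
    return (got_alg, got_fpt, digest.hex()) == (alg, fpt, fp_hex)


# Constructed samples: ssh-ed25519 blobs built from dummy 32-byte keys (not real host keys)
def _ed25519_line(raw):
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " root@host.example"

SAMPLE_KEY = _ed25519_line(bytes(range(32)))
OTHER_KEY = _ed25519_line(bytes(range(1, 33)))
```

A matching published record only proves that the zone operator vouched for this key; without DNSSEC validation of the answer the client has no reason to trust it, which is why the README insists the zone be signed.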


Jakob Schlyter
Wesley Griffin


$OpenBSD: README.dns,v 1.1 2003/05/14 18:16:20 jakob Exp $