How to verify host keys using OpenSSH and DNS
---------------------------------------------
-OpenSSH contains experimental support for verifying host keys using DNS
-as described in draft-ietf-secsh-dns-xx.txt. The document contains
-very brief instructions on how to test this feature. Configuring DNS
-and DNSSEC is out of the scope of this document.
+OpenSSH contains support for verifying host keys using DNS as described in
+draft-ietf-secsh-dns-05.txt. The document contains very brief instructions
+on how to use this feature. Configuring DNS is out of the scope of this
+document.
-(1) Enable DNS fingerprint support in OpenSSH
-
-Edit /usr/src/usr.bin/ssh/Makefile.inc and uncomment the line containing
-
- CFLAGS+= -DDNS
-
-
-(2) Generate and publish the DNS RR
+(1) Server: Generate and publish the DNS RR
To create a DNS resource record (RR) containing a fingerprint of the
public host key, use the following command:
In the example above, ssh-keygen will print the fingerprint in a
generic DNS RR format parsable by most modern name server
-implementations. If your nameserver has support for the SSHFP RR, as
-defined by the draft, you can omit the -g flag and ssh-keygen will
-print a standard RR.
+implementations. If your nameserver has support for the SSHFP RR
+you can omit the -g flag and ssh-keygen will print a standard SSHFP RR.
To publish the fingerprint using the DNS you must add the generated RR
to your DNS zone file and sign your zone.
-(3) Enable the ssh client to verify host keys using DNS
+(2) Client: Enable ssh to verify host keys using DNS
To enable the ssh client to verify host keys using DNS, you have to
add the following option to the ssh configuration file
Wesley Griffin
-$OpenBSD: README.dns,v 1.1 2003/05/14 18:16:20 jakob Exp $
+$OpenBSD: README.dns,v 1.2 2003/10/14 19:43:23 jakob Exp $
andersk / openssh.git / blobdiff