mirror of
git://anongit.mindrot.org/openssh.git
synced 2024-12-12 21:24:41 +00:00
How to verify host keys using OpenSSH and DNS
---------------------------------------------

OpenSSH contains experimental support for verifying host keys using DNS
as described in draft-ietf-secsh-dns-xx.txt. The document contains
very brief instructions on how to test this feature. Configuring DNS
and DNSSEC is out of the scope of this document.


(1) Enable DNS fingerprint support in OpenSSH

Edit /usr/src/usr.bin/ssh/Makefile.inc and uncomment the line containing

CFLAGS+= -DDNS


(2) Generate and publish the DNS RR

To create a DNS resource record (RR) containing a fingerprint of the
public host key, use the following command:

ssh-keygen -r hostname -f keyfile -g

where "hostname" is your fully qualified hostname and "keyfile" is the
file containing the public host key. If you have multiple keys,
you should generate one RR for each key.

In the example above, ssh-keygen will print the fingerprint in a
generic DNS RR format parsable by most modern name server
implementations. If your nameserver has support for the SSHFP RR, as
defined by the draft, you can omit the -g flag and ssh-keygen will
print a standard RR.

To publish the fingerprint using the DNS you must add the generated RR
to your DNS zone file and sign your zone.


(3) Enable the ssh client to verify host keys using DNS

To enable the ssh client to verify host keys using DNS, you have to
add the following option to the ssh configuration file
($HOME/.ssh/config or /etc/ssh/ssh_config):

VerifyHostKeyDNS yes

Upon connection the client will try to look up the fingerprint RR
using DNS. If the fingerprint received from the DNS server matches
the remote host key, the user will be notified.
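The record generation of step (2) and the client-side comparison of step (3), as an added example that is not OpenSSH code and not part of this README: it hashes the raw key blob of an OpenSSH public key line into SSHFP RDATA, prints it both in standard SSHFP presentation form and in the RFC 3597 generic TYPE44 form that corresponds to the -g flag, and checks a presented key against a record the way a client would. The sample key line is constructed with placeholder key material, and the Ed25519/ECDSA and SHA-256 code points are assumed from the later RFC 6594 and RFC 7479 rather than from the draft this README references.

```python
import base64
import hashlib
import hmac
import struct

# SSHFP algorithm and fingerprint-type numbers (RFC 4255; the ECDSA, Ed25519
# and SHA-256 code points were added later by RFC 6594 and RFC 7479).
SSHFP_ALGO = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
              "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
              "ssh-ed25519": 4}
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


def key_blob(pubkey_line):
    """Return (keytype, raw key blob) from an OpenSSH public key line."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    # The blob starts with a length-prefixed type string; reject a line
    # whose type field disagrees with what is actually encoded.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode() != keytype:
        raise ValueError("key type in line does not match encoded blob")
    return keytype, blob


def sshfp_rr(hostname, pubkey_line, fptype=2, generic=False):
    """SSHFP RR text; generic=True gives the RFC 3597 TYPE44 form (cf. -g)."""
    keytype, blob = key_blob(pubkey_line)
    if keytype not in SSHFP_ALGO:
        raise ValueError("no SSHFP algorithm number for " + keytype)
    algo = SSHFP_ALGO[keytype]
    digest = SSHFP_HASH[fptype](blob).hexdigest()  # hash over the whole blob
    if generic:
        rdata = bytes([algo, fptype]) + bytes.fromhex(digest)
        return "%s IN TYPE44 \\# %d %s" % (hostname, len(rdata), rdata.hex())
    return "%s IN SSHFP %d %d %s" % (hostname, algo, fptype, digest)


def sshfp_matches(pubkey_line, algo, fptype, digest_hex):
    """Client-side check: does this SSHFP RDATA match the presented host key?"""
    keytype, blob = key_blob(pubkey_line)
    if SSHFP_ALGO.get(keytype) != algo or fptype not in SSHFP_HASH:
        return False
    expected = SSHFP_HASH[fptype](blob).hexdigest()
    return hmac.compare_digest(expected, digest_hex.lower())


# Constructed sample: an Ed25519 key line with placeholder key material
# (not a real host key), encoded the way OpenSSH lays out the blob.
_blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(range(32))
SAMPLE_KEY = "ssh-ed25519 " + base64.b64encode(_blob).decode() + " host.example.com"

if __name__ == "__main__":
    print(sshfp_rr("host.example.com.", SAMPLE_KEY))
    print(sshfp_rr("host.example.com.", SAMPLE_KEY, fptype=1, generic=True))
```

A record that validates here only tells you the key in DNS is the key presented; whether the DNS answer itself can be trusted is what the zone signing in step (2) is for.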


Jakob Schlyter
Wesley Griffin


$OpenBSD: README.dns,v 1.1 2003/05/14 18:16:20 jakob Exp $