mirror of
git://anongit.mindrot.org/openssh.git
synced 2024-12-22 01:50:16 +00:00
- jakob@cvs.openbsd.org 2003/10/14 19:43:23
[README.dns] update

Resynced with OpenBSD too: DNSFP support is now always compiled in so the configure support (and documentation thereof) can go away.
parent
dda19d63ff
commit
64b77bcb4b
@ -33,6 +33,9 @@
|
||||
- jakob@cvs.openbsd.org 2003/10/14 19:42:10
|
||||
[dns.c dns.h readconf.c ssh-keygen.c sshconnect.c]
|
||||
include SSHFP lookup code (not enabled by default). ok markus@
|
||||
- jakob@cvs.openbsd.org 2003/10/14 19:43:23
|
||||
[README.dns]
|
||||
update
|
||||
|
||||
20031009
|
||||
- (dtucker) [sshd_config.5] UsePAM defaults to "no". ok djm@
|
||||
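Review bot: The added ChangeLog entry for README.dns says only "update", which tells a reader nothing about what changed. The commit message records that DNSFP support is now always compiled in and that the configure support and its documentation go away, while the entry directly above still reads "include SSHFP lookup code (not enabled by default)". Suggest adding a line here for the portable-side change (removal of the configure option) so the ChangeLog itself shows that the code is always built but stays off by default.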
@ -1350,4 +1353,4 @@
|
||||
- Fix sshd BindAddress and -b options for systems using fake-getaddrinfo.
|
||||
Report from murple@murple.net, diagnosis from dtucker@zip.com.au
|
||||
|
||||
$Id: ChangeLog,v 1.3077 2003/10/15 06:00:47 dtucker Exp $
|
||||
$Id: ChangeLog,v 1.3078 2003/10/15 06:07:53 dtucker Exp $
|
||||
|
23
README.dns
@ -1,17 +1,13 @@
|
||||
How to verify host keys using OpenSSH and DNS
|
||||
---------------------------------------------
|
||||
|
||||
OpenSSH contains experimental support for verifying host keys using DNS
|
||||
as described in draft-ietf-secsh-dns-xx.txt. The document contains
|
||||
very brief instructions on how to test this feature. Configuring DNS
|
||||
and DNSSEC is out of the scope of this document.
|
||||
OpenSSH contains support for verifying host keys using DNS as described in
|
||||
draft-ietf-secsh-dns-05.txt. The document contains very brief instructions
|
||||
on how to use this feature. Configuring DNS is out of the scope of this
|
||||
document.
|
||||
|
||||
|
||||
(1) Enable DNS fingerprint support in OpenSSH
|
||||
|
||||
configure --with-dns
|
||||
|
||||
(2) Generate and publish the DNS RR
|
||||
(1) Server: Generate and publish the DNS RR
|
||||
|
||||
To create a DNS resource record (RR) containing a fingerprint of the
|
||||
public host key, use the following command:
|
||||
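Review bot: The rewritten scope sentence in the introduction drops "and DNSSEC" in the same edit that drops "experimental", yet the publish step in the next hunk still tells the administrator to "sign your zone". With DNSSEC no longer named up front, the README gives no hint that the trust placed in a published fingerprint depends on the zone being signed. Suggest keeping the original wording, "Configuring DNS and DNSSEC is out of the scope of this document.", or adding one sentence that says why the zone must be signed.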
@ -24,15 +20,14 @@ you should generate one RR for each key.
|
||||
|
||||
In the example above, ssh-keygen will print the fingerprint in a
|
||||
generic DNS RR format parsable by most modern name server
|
||||
implementations. If your nameserver has support for the SSHFP RR, as
|
||||
defined by the draft, you can omit the -g flag and ssh-keygen will
|
||||
print a standard RR.
|
||||
implementations. If your nameserver has support for the SSHFP RR
|
||||
you can omit the -g flag and ssh-keygen will print a standard SSHFP RR.
|
||||
|
||||
To publish the fingerprint using the DNS you must add the generated RR
|
||||
to your DNS zone file and sign your zone.
|
||||
|
||||
|
||||
(3) Enable the ssh client to verify host keys using DNS
|
||||
(2) Client: Enable ssh to verify host keys using DNS
|
||||
|
||||
To enable the ssh client to verify host keys using DNS, you have to
|
||||
add the following option to the ssh configuration file
|
||||
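Review bot: The rewritten sentence "If your nameserver has support for the SSHFP RR you can omit the -g flag" lost the comma that separated the condition from the instruction when "as defined by the draft" was removed; add a comma after "SSHFP RR". Removing that clause also leaves this section without a pointer to where SSHFP is specified, so consider naming draft-ietf-secsh-dns-05.txt here as the introduction does.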
@ -49,4 +44,4 @@ the remote host key, the user will be notified.
|
||||
Wesley Griffin
|
||||
|
||||
|
||||
$OpenBSD: README.dns,v 1.1 2003/05/14 18:16:20 jakob Exp $
|
||||
$OpenBSD: README.dns,v 1.2 2003/10/14 19:43:23 jakob Exp $
|
||||
|