mirror of
git://anongit.mindrot.org/openssh.git
synced 2024-12-22 10:00:14 +00:00
- jakob@cvs.openbsd.org 2003/10/14 19:43:23
[README.dns] update Resynced with OpenBSD too: DNSFP support is now always compiled in so the configure support (and documentation thereof) can go away.
This commit is contained in:
parent
dda19d63ff
commit
64b77bcb4b
@ -33,6 +33,9 @@
|
|||||||
- jakob@cvs.openbsd.org 2003/10/14 19:42:10
|
- jakob@cvs.openbsd.org 2003/10/14 19:42:10
|
||||||
[dns.c dns.h readconf.c ssh-keygen.c sshconnect.c]
|
[dns.c dns.h readconf.c ssh-keygen.c sshconnect.c]
|
||||||
include SSHFP lookup code (not enabled by default). ok markus@
|
include SSHFP lookup code (not enabled by default). ok markus@
|
||||||
|
- jakob@cvs.openbsd.org 2003/10/14 19:43:23
|
||||||
|
[README.dns]
|
||||||
|
update
|
||||||
|
|
||||||
20031009
|
20031009
|
||||||
- (dtucker) [sshd_config.5] UsePAM defaults to "no". ok djm@
|
- (dtucker) [sshd_config.5] UsePAM defaults to "no". ok djm@
|
||||||
@ -1350,4 +1353,4 @@
|
|||||||
- Fix sshd BindAddress and -b options for systems using fake-getaddrinfo.
|
- Fix sshd BindAddress and -b options for systems using fake-getaddrinfo.
|
||||||
Report from murple@murple.net, diagnosis from dtucker@zip.com.au
|
Report from murple@murple.net, diagnosis from dtucker@zip.com.au
|
||||||
|
|
||||||
$Id: ChangeLog,v 1.3077 2003/10/15 06:00:47 dtucker Exp $
|
$Id: ChangeLog,v 1.3078 2003/10/15 06:07:53 dtucker Exp $
|
||||||
|
23
README.dns
23
README.dns
@ -1,17 +1,13 @@
|
|||||||
How to verify host keys using OpenSSH and DNS
|
How to verify host keys using OpenSSH and DNS
|
||||||
---------------------------------------------
|
---------------------------------------------
|
||||||
|
|
||||||
OpenSSH contains experimental support for verifying host keys using DNS
|
OpenSSH contains support for verifying host keys using DNS as described in
|
||||||
as described in draft-ietf-secsh-dns-xx.txt. The document contains
|
draft-ietf-secsh-dns-05.txt. The document contains very brief instructions
|
||||||
very brief instructions on how to test this feature. Configuring DNS
|
on how to use this feature. Configuring DNS is out of the scope of this
|
||||||
and DNSSEC is out of the scope of this document.
|
document.
|
||||||
|
|
||||||
|
|
||||||
(1) Enable DNS fingerprint support in OpenSSH
|
(1) Server: Generate and publish the DNS RR
|
||||||
|
|
||||||
configure --with-dns
|
|
||||||
|
|
||||||
(2) Generate and publish the DNS RR
|
|
||||||
|
|
||||||
To create a DNS resource record (RR) containing a fingerprint of the
|
To create a DNS resource record (RR) containing a fingerprint of the
|
||||||
public host key, use the following command:
|
public host key, use the following command:
|
||||||
@ -24,15 +20,14 @@ you should generate one RR for each key.
|
|||||||
|
|
||||||
In the example above, ssh-keygen will print the fingerprint in a
|
In the example above, ssh-keygen will print the fingerprint in a
|
||||||
generic DNS RR format parsable by most modern name server
|
generic DNS RR format parsable by most modern name server
|
||||||
implementations. If your nameserver has support for the SSHFP RR, as
|
implementations. If your nameserver has support for the SSHFP RR
|
||||||
defined by the draft, you can omit the -g flag and ssh-keygen will
|
you can omit the -g flag and ssh-keygen will print a standard SSHFP RR.
|
||||||
print a standard RR.
|
|
||||||
|
|
||||||
To publish the fingerprint using the DNS you must add the generated RR
|
To publish the fingerprint using the DNS you must add the generated RR
|
||||||
to your DNS zone file and sign your zone.
|
to your DNS zone file and sign your zone.
|
||||||
|
|
||||||
|
|
||||||
(3) Enable the ssh client to verify host keys using DNS
|
(2) Client: Enable ssh to verify host keys using DNS
|
||||||
|
|
||||||
To enable the ssh client to verify host keys using DNS, you have to
|
To enable the ssh client to verify host keys using DNS, you have to
|
||||||
add the following option to the ssh configuration file
|
add the following option to the ssh configuration file
|
||||||
@ -49,4 +44,4 @@ the remote host key, the user will be notified.
|
|||||||
Wesley Griffin
|
Wesley Griffin
|
||||||
|
|
||||||
|
|
||||||
$OpenBSD: README.dns,v 1.1 2003/05/14 18:16:20 jakob Exp $
|
$OpenBSD: README.dns,v 1.2 2003/10/14 19:43:23 jakob Exp $
|
||||||
|
Loading…
Reference in New Issue
Block a user