[README.dns]
     update

Resynced with OpenBSD too: DNSFP support is now always compiled in
so the configure support (and documentation thereof) can go away.
This commit is contained in:
Darren Tucker 2003-10-15 16:07:53 +10:00
parent dda19d63ff
commit 64b77bcb4b
2 changed files with 13 additions and 15 deletions

View File

@ -33,6 +33,9 @@
- jakob@cvs.openbsd.org 2003/10/14 19:42:10 - jakob@cvs.openbsd.org 2003/10/14 19:42:10
[dns.c dns.h readconf.c ssh-keygen.c sshconnect.c] [dns.c dns.h readconf.c ssh-keygen.c sshconnect.c]
include SSHFP lookup code (not enabled by default). ok markus@ include SSHFP lookup code (not enabled by default). ok markus@
- jakob@cvs.openbsd.org 2003/10/14 19:43:23
[README.dns]
update
20031009 20031009
- (dtucker) [sshd_config.5] UsePAM defaults to "no". ok djm@ - (dtucker) [sshd_config.5] UsePAM defaults to "no". ok djm@
@ -1350,4 +1353,4 @@
- Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo.
Report from murple@murple.net, diagnosis from dtucker@zip.com.au Report from murple@murple.net, diagnosis from dtucker@zip.com.au
$Id: ChangeLog,v 1.3077 2003/10/15 06:00:47 dtucker Exp $ $Id: ChangeLog,v 1.3078 2003/10/15 06:07:53 dtucker Exp $

View File

@ -1,17 +1,13 @@
How to verify host keys using OpenSSH and DNS How to verify host keys using OpenSSH and DNS
--------------------------------------------- ---------------------------------------------
OpenSSH contains experimental support for verifying host keys using DNS OpenSSH contains support for verifying host keys using DNS as described in
as described in draft-ietf-secsh-dns-xx.txt. The document contains draft-ietf-secsh-dns-05.txt. The document contains very brief instructions
very brief instructions on how to test this feature. Configuring DNS on how to use this feature. Configuring DNS is out of the scope of this
and DNSSEC is out of the scope of this document. document.
(1) Enable DNS fingerprint support in OpenSSH (1) Server: Generate and publish the DNS RR
configure --with-dns
(2) Generate and publish the DNS RR
To create a DNS resource record (RR) containing a fingerprint of the To create a DNS resource record (RR) containing a fingerprint of the
public host key, use the following command: public host key, use the following command:
@ -24,15 +20,14 @@ you should generate one RR for each key.
In the example above, ssh-keygen will print the fingerprint in a In the example above, ssh-keygen will print the fingerprint in a
generic DNS RR format parsable by most modern name server generic DNS RR format parsable by most modern name server
implementations. If your nameserver has support for the SSHFP RR, as implementations. If your nameserver has support for the SSHFP RR
defined by the draft, you can omit the -g flag and ssh-keygen will you can omit the -g flag and ssh-keygen will print a standard SSHFP RR.
print a standard RR.
To publish the fingerprint using the DNS you must add the generated RR To publish the fingerprint using the DNS you must add the generated RR
to your DNS zone file and sign your zone. to your DNS zone file and sign your zone.
(3) Enable the ssh client to verify host keys using DNS (2) Client: Enable ssh to verify host keys using DNS
To enable the ssh client to verify host keys using DNS, you have to To enable the ssh client to verify host keys using DNS, you have to
add the following option to the ssh configuration file add the following option to the ssh configuration file
@ -49,4 +44,4 @@ the remote host key, the user will be notified.
Wesley Griffin Wesley Griffin
$OpenBSD: README.dns,v 1.1 2003/05/14 18:16:20 jakob Exp $ $OpenBSD: README.dns,v 1.2 2003/10/14 19:43:23 jakob Exp $