Damien Miller | 37876e9 | 2003-05-15 10:19:46 +1000

How to verify host keys using OpenSSH and DNS
---------------------------------------------

OpenSSH contains experimental support for verifying host keys using DNS
as described in draft-ietf-secsh-dns-xx.txt. This document contains
very brief instructions on how to test this feature. Configuring DNS
and DNSSEC is out of the scope of this document.


(1) Enable DNS fingerprint support in OpenSSH

    configure --with-dns

(2) Generate and publish the DNS RR

To create a DNS resource record (RR) containing a fingerprint of the
public host key, use the following command:

    ssh-keygen -r hostname -f keyfile -g

where "hostname" is your fully qualified hostname and "keyfile" is the
file containing the public host key. If you have multiple host keys,
generate one RR for each key.

In the example above, ssh-keygen will print the fingerprint in a
generic DNS RR format parsable by most modern name server
implementations. If your nameserver has support for the SSHFP RR, as
defined by the draft, you can omit the -g flag and ssh-keygen will
print a standard SSHFP RR.

To publish the fingerprint using the DNS you must add the generated RR
to your DNS zone file and sign your zone.


(3) Enable the ssh client to verify host keys using DNS

To enable the ssh client to verify host keys using DNS, you have to
add the following option to the ssh configuration file
($HOME/.ssh/config or /etc/ssh/ssh_config):

    VerifyHostKeyDNS yes

Upon connection the client will try to look up the fingerprint RR
using DNS. If the fingerprint received from the DNS server matches
the remote host key, the user will be notified.
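The following added example (not OpenSSH's own code) walks through both halves of steps (2) and (3): it derives an SSHFP record from an OpenSSH public key line the way the draft specifies (a hash over the decoded key blob, emitted either as a standard SSHFP RR or in the generic TYPE44 form that `-g` selects), and then performs the client-side comparison that VerifyHostKeyDNS does against records fetched from DNS. The sample key is a constructed blob, not a real host key; the algorithm numbers 3 and 4 and the SHA-256 fingerprint type come from RFCs published after the draft this README cites, so the code goes slightly beyond the page.

```python
import base64
import hashlib
import hmac
import struct

# SSHFP algorithm numbers: 1 and 2 are from the draft this README cites;
# 3 (ECDSA) and 4 (Ed25519) were added later by RFC 6594 and RFC 7479.
SSHFP_ALGORITHM = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3, "ssh-ed25519": 4}
# Fingerprint types: 1 = SHA-1 (the draft), 2 = SHA-256 (RFC 6594).
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}
SSHFP_TYPE = 44  # RR type number assigned to SSHFP

# Constructed sample public key line (not a real host key): the fingerprint
# covers the whole decoded blob, so any well-formed blob serves here.
_FAKE_RSA_BLOB = struct.pack(">I", 7) + b"ssh-rsa" + bytes(range(64))
SAMPLE_PUBKEY = "ssh-rsa " + base64.b64encode(_FAKE_RSA_BLOB).decode() + " root@host.example.com"


def _key_blob(pubkey_line: str) -> tuple:
    """Return (key type, decoded key blob) from an OpenSSH public key line."""
    key_type, b64 = pubkey_line.split()[:2]
    return key_type, base64.b64decode(b64)


def sshfp_rdata(pubkey_line: str, fptype: int = 1) -> bytes:
    """Wire-format RDATA: algorithm byte, fingerprint-type byte, hash of the blob."""
    key_type, blob = _key_blob(pubkey_line)
    return struct.pack("BB", SSHFP_ALGORITHM[key_type], fptype) + SSHFP_HASH[fptype](blob).digest()


def sshfp_record(hostname: str, pubkey_line: str, generic: bool = False) -> str:
    """Zone-file line for one key, mirroring `ssh-keygen -r hostname -f keyfile [-g]`."""
    rdata = sshfp_rdata(pubkey_line)
    if generic:
        # RFC 3597 unknown-type syntax for name servers that predate SSHFP support
        return f"{hostname} IN TYPE{SSHFP_TYPE} \\# {len(rdata)} {rdata.hex()}"
    return f"{hostname} IN SSHFP {rdata[0]} {rdata[1]} {rdata[2:].hex()}"


def verify_host_key(pubkey_line: str, records: list) -> bool:
    """Client-side check: does any standard-format SSHFP record match the presented key?

    A match only proves the zone publisher vouched for this key; the client must
    still require DNSSEC-validated answers before treating it as authoritative.
    """
    key_type, blob = _key_blob(pubkey_line)
    for rec in records:
        alg, fptype, fp = rec.split()[-3:]  # last three fields: algorithm, fptype, hex digest
        if int(alg) != SSHFP_ALGORITHM[key_type] or int(fptype) not in SSHFP_HASH:
            continue
        if hmac.compare_digest(SSHFP_HASH[int(fptype)](blob).hexdigest(), fp.lower()):
            return True
    return False
```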


Jakob Schlyter
Wesley Griffin


$OpenBSD: README.dns,v 1.1 2003/05/14 18:16:20 jakob Exp $