blob: e24092e03d1c4c0d934122435527b0ffa8c25004 [file] [log] [blame]
Damien Miller37876e92003-05-15 10:19:46 +10001How to verify host keys using OpenSSH and DNS
2---------------------------------------------
3
4OpenSSH contains experimental support for verifying host keys using DNS
5as described in draft-ietf-secsh-dns-xx.txt. The document contains
6very brief instructions on how to test this feature. Configuring DNS
7and DNSSEC is out of the scope of this document.
8
9
10(1) Enable DNS fingerprint support in OpenSSH
11
Damien Miller5975cf12003-05-15 13:23:36 +100012 configure --with-dns
Damien Miller37876e92003-05-15 10:19:46 +100013
14(2) Generate and publish the DNS RR
15
16To create a DNS resource record (RR) containing a fingerprint of the
17public host key, use the following command:
18
19 ssh-keygen -r hostname -f keyfile -g
20
21where "hostname" is your fully qualified hostname and "keyfile" is the
22file containing the public host key file. If you have multiple keys,
23you should generate one RR for each key.
24
25In the example above, ssh-keygen will print the fingerprint in a
26generic DNS RR format parsable by most modern name server
27implementations. If your nameserver has support for the SSHFP RR, as
28defined by the draft, you can omit the -g flag and ssh-keygen will
29print a standard RR.
30
31To publish the fingerprint using the DNS you must add the generated RR
32to your DNS zone file and sign your zone.
33
34
35(3) Enable the ssh client to verify host keys using DNS
36
37To enable the ssh client to verify host keys using DNS, you have to
38add the following option to the ssh configuration file
39($HOME/.ssh/config or /etc/ssh/ssh_config):
40
41 VerifyHostKeyDNS yes
42
43Upon connection the client will try to look up the fingerprint RR
44using DNS. If the fingerprint received from the DNS server matches
45the remote host key, the user will be notified.
46
47
48 Jakob Schlyter
49 Wesley Griffin
50
51
52$OpenBSD: README.dns,v 1.1 2003/05/14 18:16:20 jakob Exp $