blob: 97879183e396059b88f675246ac47e0144f772ca [file] [log] [blame]
Damien Miller37876e92003-05-15 10:19:46 +10001How to verify host keys using OpenSSH and DNS
2---------------------------------------------
3
Darren Tucker64b77bc2003-10-15 16:07:53 +10004OpenSSH contains support for verifying host keys using DNS as described in
5draft-ietf-secsh-dns-05.txt. The document contains very brief instructions
6on how to use this feature. Configuring DNS is out of the scope of this
7document.
Damien Miller37876e92003-05-15 10:19:46 +10008
9
Darren Tucker64b77bc2003-10-15 16:07:53 +100010(1) Server: Generate and publish the DNS RR
Damien Miller37876e92003-05-15 10:19:46 +100011
12To create a DNS resource record (RR) containing a fingerprint of the
13public host key, use the following command:
14
15 ssh-keygen -r hostname -f keyfile -g
16
17where "hostname" is your fully qualified hostname and "keyfile" is the
18file containing the public host key file. If you have multiple keys,
19you should generate one RR for each key.
20
21In the example above, ssh-keygen will print the fingerprint in a
22generic DNS RR format parsable by most modern name server
Darren Tucker64b77bc2003-10-15 16:07:53 +100023implementations. If your nameserver has support for the SSHFP RR
24you can omit the -g flag and ssh-keygen will print a standard SSHFP RR.
Damien Miller37876e92003-05-15 10:19:46 +100025
26To publish the fingerprint using the DNS you must add the generated RR
27to your DNS zone file and sign your zone.
28
29
Darren Tucker64b77bc2003-10-15 16:07:53 +100030(2) Client: Enable ssh to verify host keys using DNS
Damien Miller37876e92003-05-15 10:19:46 +100031
32To enable the ssh client to verify host keys using DNS, you have to
33add the following option to the ssh configuration file
34($HOME/.ssh/config or /etc/ssh/ssh_config):
35
36 VerifyHostKeyDNS yes
37
38Upon connection the client will try to look up the fingerprint RR
39using DNS. If the fingerprint received from the DNS server matches
40the remote host key, the user will be notified.
41
42
43 Jakob Schlyter
44 Wesley Griffin
45
46
Darren Tucker64b77bc2003-10-15 16:07:53 +100047$OpenBSD: README.dns,v 1.2 2003/10/14 19:43:23 jakob Exp $