I recently learnt (Thanks Jacomo!) that the public parts of ssh host keys can be published in DNS using SSHFP records.
Here are a few notes on this topic.
Having ssh-keygen propose SSHFP record content
ssh-keygen -r hostname [-f public-key-file] prints complete zone file lines for hostname:
Unfortunately, ssh-keygen -r usually lags one algorithm behind what ssh-keygen itself can generate, therefore we usually use the openssl method shown in the next paragraph.
Manual extraction of SSHFP records contents from /etc/ssh/ssh_host_*_key.pub
To generate the values for the SSHFP records of a host, use these commands:
Telling ssh to respect SSHFP records
In ~/.ssh/config or with -o, set the VerifyHostKeyDNS option to one of:
- yes: trust keys that match the SSHFP record
- ask: check the SSHFP record and display the result, but still ask whether the key is to be trusted
- no (default): do not check SSHFP records at all
Depending on the value of StrictHostKeyChecking, untrusted keys are refused (yes), asked about (ask), or accepted with a fat warning (no).
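As an added example (not part of the original notes), the following Python reproduces both the manual extraction above and the comparison ssh makes when VerifyHostKeyDNS is yes or ask: it hashes the raw base64-decoded key blob from a ssh_host_*_key.pub line, emits zone lines in the shape ssh-keygen -r uses, and matches "alg fptype hex" RDATA strings as dig returns them. The host name, the ed25519 key material and the comment are constructed placeholders; the helper checks that the key type declared at the start of the line agrees with the type embedded in the blob, since the SSHFP algorithm number is derived from it.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255; ECDSA added by RFC 6594; Ed25519 added
# later) and fingerprint types (1 = SHA-1, 2 = SHA-256).
SSHFP_ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                    "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
                    "ssh-ed25519": 4}
SSHFP_FPTYPES = {1: hashlib.sha1, 2: hashlib.sha256}

def declared_type_matches(pubkey_line):
    """The blob starts with a length-prefixed copy of its key type; it must
    agree with the declared type, since the algorithm number is taken from it."""
    keytype, blob_b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(blob_b64)
    (tlen,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + tlen] == keytype.encode()

def sshfp_rdata(pubkey_line):
    """Set of (algorithm, fptype, hex fingerprint) for one ssh_host_*_key.pub line.
    The hash covers the raw decoded blob, which is what the openssl method hashes."""
    if not declared_type_matches(pubkey_line):
        raise ValueError("declared key type does not match key blob")
    keytype, blob_b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(blob_b64)
    alg = SSHFP_ALGORITHMS[keytype]
    return {(alg, fpt, h(blob).hexdigest()) for fpt, h in SSHFP_FPTYPES.items()}

def sshfp_zone_lines(hostname, pubkey_line):
    """Zone-file lines in the shape ssh-keygen -r prints."""
    return [f"{hostname}. IN SSHFP {alg} {fpt} {fp}"
            for alg, fpt, fp in sorted(sshfp_rdata(pubkey_line))]

def sshfp_matches(pubkey_line, dns_rdata):
    """True if any 'alg fptype hex' RDATA string (as dig returns it) matches the key."""
    wanted = sshfp_rdata(pubkey_line)
    for rdata in dns_rdata:
        alg, fpt, fp = rdata.split()
        if (int(alg), int(fpt), fp.lower()) in wanted:
            return True
    return False

def constructed_ed25519_pubkey_line():
    """A syntactically valid ssh-ed25519 line with constructed (not real) key
    material, so this runs without ssh-keygen or a real host key."""
    keytype, key = b"ssh-ed25519", bytes(range(32))
    blob = struct.pack(">I", len(keytype)) + keytype + struct.pack(">I", len(key)) + key
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} root@constructed.example"
```

To use it on a real host, pass the first line of a /etc/ssh/ssh_host_*_key.pub file to sshfp_zone_lines, or the RDATA strings from a dig answer to sshfp_matches.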
To retrieve the raw SSHFP records, query them with dig:
OpenSSH Options to use SSHFP records
To turn on SSHFP activities, VerifyHostKeyDNS must be set to
Due to a lack of trust in the DNS system, and probably to avoid parsing OS-specific files like resolv.conf, until recently one had to use the full canonical hostname for the SSHFP check to match. The following paragraph describes the solution introduced with OpenSSH 6.5.
OpenSSH 6.5 to allow using non-canonical hostnames
From OpenSSH 6.5 on (Debian: wheezy-backports) it is possible to let the ssh client canonicalize hostnames.
Here is a list of the Canonical* options of OpenSSH 6.5, with the default values leading the paragraphs and my example values afterwards:
This approach should only be used if the nameservers can be trusted, i.e. you only use your own well-managed DNS servers or the domains are protected by DNSSEC.
- How-To from Frillip's BLog: https://frillip.com/blog/2012/03/howto-dns-sshfp-records-and-ssh-fingerprints/
- RFCs: RFC 4255 introduced SSHFP, RFC 6594 added support for ECDSA keys
- German Wikipedia entry on SSHFP records