How to verify host keys using OpenSSH and DNS
---------------------------------------------

OpenSSH contains experimental support for verifying host keys using DNS
as described in draft-ietf-secsh-dns-xx.txt (the SSHFP resource record,
later published as RFC 4255). This document contains very brief
instructions on how to test this feature. Configuring DNS and DNSSEC is
out of the scope of this document, but note that the mechanism only
authenticates a host key when the DNS answer is itself authenticated by
DNSSEC; an unsigned answer gives no more assurance than the network it
was received over.


(1) Enable DNS fingerprint support in OpenSSH

Edit /usr/src/usr.bin/ssh/Makefile.inc and uncomment the line containing

CFLAGS+= -DDNS


(2) Generate and publish the DNS RR

To create a DNS resource record (RR) containing a fingerprint of the
public host key, use the following command:

ssh-keygen -r hostname -f keyfile -g

where "hostname" is your fully qualified hostname and "keyfile" is the
file containing the public host key. Use the name that clients will
actually connect to, because the client looks up the RR under the
hostname it was given. If the server has multiple host keys (one per
key algorithm), you should generate one RR for each key; a client that
is offered a key with no published fingerprint cannot verify it.

In the example above, ssh-keygen will print the fingerprint in a
generic DNS RR format (the unknown-type syntax of RFC 3597) parsable by
most modern name server implementations. If your nameserver has support
for the SSHFP RR, as defined by the draft, you can omit the -g flag and
ssh-keygen will print a standard RR.

To publish the fingerprint using the DNS you must add the generated RR
to your DNS zone file and sign your zone. Remember to regenerate and
republish the RR whenever the host key is rotated; a stale record will
cause clients to report a fingerprint mismatch.


(3) Enable the ssh client to verify host keys using DNS

To enable the ssh client to verify host keys using DNS, you have to
add the following option to the ssh configuration file
($HOME/.ssh/config or /etc/ssh/ssh_config):

VerifyHostKeyDNS yes

Upon connection the client will try to look up the fingerprint RR
using DNS. If the fingerprint received from the DNS server matches
the remote host key, the user will be notified. Whether the client may
accept an otherwise unknown host key on the strength of that match
depends on the answer having been validated by DNSSEC: the client
trusts the AD (authenticated data) bit set by its resolver, so the zone
must be signed, the resolver must validate, and the path between the
client and that resolver must itself be trusted. A match from an
unsigned or unvalidated answer is informational only and does not
replace the usual known_hosts check. (Later OpenSSH releases also
accept "ask" for this option, which always prompts but shows the DNS
result.)
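The following is an added example, not code from OpenSSH, that shows what
steps (2) and (3) do under the hood: the fingerprint ssh-keygen publishes
is a hash of the raw public key blob (the base64 field of a .pub or
known_hosts line), and the client-side check is a comparison of that
same hash against the presented key. It emits both the standard SSHFP
zone-file form and the RFC 3597 generic form. The algorithm and
fingerprint-type numbers follow RFC 4255, 6594 and 7479 (the 2003 draft
only defined RSA and DSA with SHA-1), the type code 44 is the IANA
assignment for SSHFP, and the host key lines are constructed from dummy
bytes rather than taken from a real host. Whether the records came from a
DNSSEC-validated answer is deliberately left to the caller, which is
exactly the part that ssh itself must get from the resolver.

```python
"""Generate and check SSHFP resource records from OpenSSH public host keys.

Added example, not part of OpenSSH. Fingerprints are computed over the
raw public key blob, which is what `ssh-keygen -r` publishes and what the
client hashes after key exchange.
"""
import base64
import hashlib
import struct

SSHFP_RRTYPE = 44  # IANA type code for SSHFP; appears as TYPE44 in RFC 3597 form

# SSHFP "algorithm" field, keyed by the OpenSSH key type string.
KEY_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}

# SSHFP "fingerprint type" field -> hash function.
FP_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def parse_pubkey_line(line):
    """Return (keytype, blob) from a 'keytype base64 [comment]' line."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    keytype, b64 = fields[0], fields[1]
    blob = base64.b64decode(b64, validate=True)
    # The blob starts with its own key type as an SSH string; insist they agree.
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen] != keytype.encode():
        raise ValueError("key type in blob does not match key type field")
    return keytype, blob


def sshfp_records(hostname, line, fp_types=(1, 2)):
    """Build (hostname, algorithm, fptype, hexdigest) tuples, one per fp type."""
    keytype, blob = parse_pubkey_line(line)
    if keytype not in KEY_ALGORITHMS:
        raise ValueError("no SSHFP algorithm number for %s" % keytype)
    alg = KEY_ALGORITHMS[keytype]
    return [(hostname, alg, t, FP_TYPES[t](blob).hexdigest()) for t in fp_types]


def format_rr(rec, generic=False):
    """Zone-file text: standard SSHFP form, or RFC 3597 generic (TYPE44) form."""
    hostname, alg, fptype, hexdigest = rec
    if generic:
        rdlen = 2 + len(hexdigest) // 2   # algorithm + fptype octets + digest
        return "%s IN TYPE%d \\# %d %02x %02x %s" % (
            hostname, SSHFP_RRTYPE, rdlen, alg, fptype, hexdigest)
    return "%s IN SSHFP %d %d %s" % (hostname, alg, fptype, hexdigest)


def verify_host_key(line, records):
    """Client-side check: does any published record match the presented key?

    Says nothing about whether `records` came from a DNSSEC-validated
    answer; without that, a match is only a hint, not authentication.
    """
    keytype, blob = parse_pubkey_line(line)
    alg = KEY_ALGORITHMS.get(keytype)
    for _host, r_alg, r_fptype, r_hex in records:
        if r_alg != alg or r_fptype not in FP_TYPES:
            continue  # different key algorithm, or a hash we cannot compute
        if FP_TYPES[r_fptype](blob).hexdigest() == r_hex.lower():
            return True
    return False


def make_pubkey_line(keytype, raw_key):
    """Constructed helper: wrap raw bytes in an SSH key blob and base64 it."""
    blob = struct.pack(">I", len(keytype)) + keytype.encode()
    blob += struct.pack(">I", len(raw_key)) + raw_key
    return "%s %s constructed@example.invalid" % (
        keytype, base64.b64encode(blob).decode())


# Constructed sample data: 32 dummy bytes stand in for an Ed25519 public key.
HOST = "host.example.com."
HOST_KEY_LINE = make_pubkey_line("ssh-ed25519", bytes(range(32)))
ROGUE_KEY_LINE = make_pubkey_line("ssh-ed25519", bytes(range(1, 33)))

if __name__ == "__main__":
    recs = sshfp_records(HOST, HOST_KEY_LINE)
    for r in recs:
        print(format_rr(r))
        print(format_rr(r, generic=True))
    print("genuine key matches:", verify_host_key(HOST_KEY_LINE, recs))
    print("rogue key matches:  ", verify_host_key(ROGUE_KEY_LINE, recs))
```

Run it to see the two zone-file forms side by side; the SHA-1 record is
what the 2003 draft specified and the SHA-256 record is what a current
ssh-keygen -r emits alongside it. Feeding the output of a real
`ssh-keyscan host` line into sshfp_records gives records you can compare
against `dig +dnssec SSHFP host`, and verify_host_key rejecting the rogue
key shows why an attacker who can forge the unsigned DNS answer, but not
the DNSSEC signature, gains nothing from this mechanism.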


Jakob Schlyter
Wesley Griffin


$OpenBSD: README.dns,v 1.1 2003/05/14 18:16:20 jakob Exp $