
Diff for /src/usr.bin/ssh/Attic/README.dns between version 1.1 and 1.1.4.2

version 1.1, 2003/05/14 18:16:20 version 1.1.4.2, 2004/03/04 18:18:14
Line 1 
Line 1 
 How to verify host keys using OpenSSH and DNS  How to verify host keys using OpenSSH and DNS
 ---------------------------------------------  ---------------------------------------------
   
 OpenSSH contains experimental support for verifying host keys using DNS  OpenSSH contains support for verifying host keys using DNS as described in
 as described in draft-ietf-secsh-dns-xx.txt. The document contains  draft-ietf-secsh-dns-05.txt. The document contains very brief instructions
 very brief instructions on how to test this feature. Configuring DNS  on how to use this feature. Configuring DNS is out of the scope of this
 and DNSSEC is out of the scope of this document.  document.
   
   
 (1) Enable DNS fingerprint support in OpenSSH  (1) Server: Generate and publish the DNS RR
   
 Edit /usr/src/usr.bin/ssh/Makefile.inc and uncomment the line containing  
   
         CFLAGS+= -DDNS  
   
   
 (2) Generate and publish the DNS RR  
   
 To create a DNS resource record (RR) containing a fingerprint of the  To create a DNS resource record (RR) containing a fingerprint of the
 public host key, use the following command:  public host key, use the following command:
   
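Review bot: The new introduction drops "and DNSSEC" from the out-of-scope sentence and also drops "experimental", yet the publishing step further down still tells the reader to "sign your zone". With both removed, nothing in the introduction tells the reader that the published fingerprint is only as trustworthy as the DNS answer carrying it. Suggest keeping "Configuring DNS and DNSSEC is out of the scope of this document." so the later signing instruction has something to refer back to. The removal of the CFLAGS+= -DDNS step and the renumbering to "(1) Server:" look consistent with each other.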
Line 27 
Line 20 
   
 In the example above, ssh-keygen will print the fingerprint in a  In the example above, ssh-keygen will print the fingerprint in a
 generic DNS RR format parsable by most modern name server  generic DNS RR format parsable by most modern name server
 implementations. If your nameserver has support for the SSHFP RR, as  implementations. If your nameserver has support for the SSHFP RR
 defined by the draft, you can omit the -g flag and ssh-keygen will  you can omit the -g flag and ssh-keygen will print a standard SSHFP RR.
 print a standard RR.  
   
 To publish the fingerprint using the DNS you must add the generated RR  To publish the fingerprint using the DNS you must add the generated RR
 to your DNS zone file and sign your zone.  to your DNS zone file and sign your zone.
   
   
 (3) Enable the ssh client to verify host keys using DNS  (2) Client: Enable ssh to verify host keys using DNS
   
 To enable the ssh client to verify host keys using DNS, you have to  To enable the ssh client to verify host keys using DNS, you have to
 add the following option to the ssh configuration file  add the following option to the ssh configuration file
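Review bot: The rewritten sentence "If your nameserver has support for the SSHFP RR you can omit the -g flag" lost the comma that closed the conditional clause when "as defined by the draft" was removed; suggest "If your nameserver has support for the SSHFP RR, you can omit the -g flag and ssh-keygen will print a standard SSHFP RR." Dropping "as defined by the draft" is fine as long as the introduction keeps its reference to draft-ietf-secsh-dns-05.txt, since that is now the only place SSHFP is tied to a specification. The "Server:" and "Client:" prefixes on the step headings are a clear improvement and the numbering (1), (2) matches the removal of the old build step.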
