version 1.1.6.1, 2003/09/16 21:20:23
version 1.2, 2003/10/14 19:43:23

How to verify host keys using OpenSSH and DNS
---------------------------------------------

OpenSSH contains support for verifying host keys using DNS as described in
draft-ietf-secsh-dns-05.txt (the 1.1.6.1 revision of this document still
called the support experimental). The document contains very brief
instructions on how to use this feature. Configuring DNS and DNSSEC is out
of the scope of this document, but keep in mind that an SSHFP record which
is not protected by DNSSEC is no more trustworthy than any other
unauthenticated DNS answer.


(1) Server: Generate and publish the DNS RR

(Builds covered by the 1.1.6.1 revision first had to compile the feature
in: edit /usr/src/usr.bin/ssh/Makefile.inc and uncomment the line containing

	CFLAGS+= -DDNS

The 1.2 revision drops this step.)

To create a DNS resource record (RR) containing a fingerprint of the
public host key, use the following command:


In the example above, ssh-keygen will print the fingerprint in a
generic DNS RR format (the RFC 3597 "TYPE44 \# ..." unknown-record
syntax) parsable by most modern name server implementations. If your
nameserver has support for the SSHFP RR, as defined by the draft, you can
omit the -g flag and ssh-keygen will print a standard SSHFP RR. Both forms
carry the same RDATA (algorithm number, fingerprint type, SHA-1 digest of
the public key blob); the choice only affects how the zone file is
written, not what clients receive.

To publish the fingerprint using the DNS you must add the generated RR
to your DNS zone file and sign your zone. Signing is what makes the
record useful: a client can only treat a matching SSHFP record as
authoritative when the answer was validated with DNSSEC, and without it
an attacker who can spoof your DNS answers can simply publish a record
that matches their own key.

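As an added example, not part of the OpenSSH README and not OpenSSH's own code, the Python below walks through what the server and client steps amount to: it derives the SSHFP RDATA (algorithm number, fingerprint type, SHA-1 over the host key blob) from a public key line, prints it in both the standard SSHFP form and the generic TYPE44 form described above, and then performs the comparison a client makes in step (2), keeping a DNSSEC-validated match apart from an unvalidated one. The host name hostname.example.com, the RSA integers and the result strings are constructed for the demo.

```python
# Added example (not from the OpenSSH README or OpenSSH's source): how an SSHFP
# record is derived from a host key and how a client matches a presented key
# against the published RRset. Key material and host name are constructed.
import base64
import hashlib
import struct

# Algorithm numbers from the secsh-dns draft: 1 = RSA, 2 = DSA.
# Fingerprint type 1 = SHA-1; 44 is the SSHFP RR type code.
SSHFP_ALGORITHM = {"ssh-rsa": 1, "ssh-dss": 2}
SSHFP_SHA1 = 1
SSHFP_RRTYPE = 44


def ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n: int) -> bytes:
    """SSH wire 'mpint': minimal big-endian two's complement inside a string."""
    if n == 0:
        return ssh_string(b"")
    raw = n.to_bytes((n.bit_length() + 8) // 8, "big")
    while len(raw) > 1 and raw[0] == 0 and not raw[1] & 0x80:
        raw = raw[1:]  # drop redundant leading zero, keep one if sign bit set
    return ssh_string(raw)


def rsa_public_blob(e: int, n: int) -> bytes:
    """The blob that is base64-encoded after 'ssh-rsa' in a .pub file."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def blob_keytype(blob: bytes) -> str:
    (blen,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + blen].decode()


def parse_public_key_line(line: str) -> bytes:
    """Decode one ssh_host_*_key.pub line ('<type> <base64> [comment]')."""
    keytype, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    if blob_keytype(blob) != keytype:  # leading keyword must match the blob
        raise ValueError("key type mismatch between line and blob")
    return blob


def sshfp_rdata(blob: bytes) -> tuple:
    """(algorithm, fptype, hex digest): the SSHFP RDATA for a host key blob.
    The fingerprint is SHA-1 over the whole blob exactly as stored in .pub."""
    algorithm = SSHFP_ALGORITHM[blob_keytype(blob)]  # KeyError: type not in draft
    return algorithm, SSHFP_SHA1, hashlib.sha1(blob).hexdigest()


def sshfp_record(hostname: str, blob: bytes, generic: bool = False) -> str:
    """Zone-file line. generic=True gives the RFC 3597 'TYPE44 \\#' form (what
    ssh-keygen -g prints) for name servers that do not know SSHFP by name."""
    algorithm, fptype, digest = sshfp_rdata(blob)
    if generic:
        rdlen = 2 + len(digest) // 2  # algorithm byte + fptype byte + digest
        return f"{hostname} IN TYPE{SSHFP_RRTYPE} \\# {rdlen} {algorithm:02x} {fptype:02x} {digest}"
    return f"{hostname} IN SSHFP {algorithm} {fptype} {digest}"


def parse_sshfp_record(line: str) -> tuple:
    """Parse either presentation form back to (algorithm, fptype, hex digest)."""
    fields = line.split()
    if fields[2] == "SSHFP":
        return int(fields[3]), int(fields[4]), fields[5].lower()
    if fields[2] == f"TYPE{SSHFP_RRTYPE}" and fields[3] == "\\#":
        rdata = bytes.fromhex("".join(fields[5:]))
        if len(rdata) != int(fields[4]):
            raise ValueError("RDLENGTH does not match RDATA")
        return rdata[0], rdata[1], rdata[2:].hex()
    raise ValueError("not an SSHFP record")


def verify_host_key_dns(blob: bytes, records: list, dnssec_validated: bool) -> str:
    """Client side: compare the host key offered during key exchange with the
    SSHFP RRset fetched for the host. Only a DNSSEC-validated match may be
    trusted; an unvalidated match proves nothing about who answered the query."""
    if not records:
        return "no-records"
    wanted = sshfp_rdata(blob)
    if any(parse_sshfp_record(r) == wanted for r in records):
        return "secure-match" if dnssec_validated else "insecure-match"
    return "mismatch"


# Constructed demo key: small made-up integers, not a usable RSA key; the
# fingerprint arithmetic is identical for a real 2048-bit modulus.
DEMO_BLOB = rsa_public_blob(65537, 0xC0FFEE1234567890ABCDEF)
DEMO_PUBKEY_LINE = "ssh-rsa " + base64.b64encode(DEMO_BLOB).decode() + " demo host key"

if __name__ == "__main__":
    for generic in (False, True):
        print(sshfp_record("hostname.example.com.", parse_public_key_line(DEMO_PUBKEY_LINE), generic))
```

Running it prints the demo key's record in both zone-file forms. In a real deployment the blob comes from the server's ssh_host_*_key.pub file and the records from a validating resolver; the "insecure-match" branch is exactly the case the signing requirement above is meant to eliminate.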

(2) Client: Enable ssh to verify host keys using DNS

To enable the ssh client to verify host keys using DNS, you have to
add the following option to the ssh configuration file