Annotation of src/usr.bin/ssh/README.dns, Revision 1.1.4.1
How to verify host keys using OpenSSH and DNS
---------------------------------------------

OpenSSH contains experimental support for verifying host keys using DNS
as described in draft-ietf-secsh-dns-xx.txt (the SSHFP resource record,
later published as RFC 4255). This document contains very brief
instructions on how to test this feature. Configuring DNS and DNSSEC is
out of the scope of this document; note, however, that without DNSSEC a
fingerprint fetched from DNS is no more trustworthy than any other
unauthenticated DNS answer.


(1) Enable DNS fingerprint support in OpenSSH

Edit /usr/src/usr.bin/ssh/Makefile.inc and uncomment the line containing

	CFLAGS+= -DDNS


(2) Generate and publish the DNS RR

To create a DNS resource record (RR) containing a fingerprint of the
public host key, use the following command:

	ssh-keygen -r hostname -f keyfile -g

where "hostname" is your fully qualified hostname and "keyfile" is the
file containing the public host key. If you have multiple host keys
(for example both an RSA and a DSA key), generate one RR for each key.

In the example above, ssh-keygen prints the fingerprint in the generic
DNS RR format (TYPE44 followed by the raw RDATA as hex), which most
modern name server implementations can load even if they do not know
the SSHFP type by name. If your nameserver has support for the SSHFP RR
as defined by the draft, you can omit the -g flag and ssh-keygen will
print a standard SSHFP RR instead.

To publish the fingerprint using the DNS you must add the generated RR
to your DNS zone file and sign your zone. Signing is what makes the
fingerprint worth trusting: a client can only rely on an SSHFP answer
that its resolver has validated with DNSSEC.



(3) Enable the ssh client to verify host keys using DNS

To enable the ssh client to verify host keys using DNS, add the
following option to the ssh configuration file ($HOME/.ssh/config for a
single user, or /etc/ssh/ssh_config system-wide):

	VerifyHostKeyDNS yes

Upon connection the client will try to look up the SSHFP RR for the
host using DNS. If a fingerprint received from the DNS server matches
the remote host key, the user will be notified. A fingerprint that does
not match means either a stale record or a different key than the one
the zone owner published, so do not simply accept the key. Only an
answer that the resolver validated with DNSSEC adds real assurance; an
unsigned or unvalidated match is merely informative.
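As an added example covering steps (2) and (3) together (this is not part of the README and not OpenSSH's own code), the following Python builds the SSHFP record that ssh-keygen -r would emit for a host key, in both the standard and the generic (-g) presentation, and then models the client-side check that VerifyHostKeyDNS performs. The host key, the hostname and the accept/notify policy in check_host_key are constructed assumptions for the example; the fingerprint is SHA-1 over the raw public key blob and the algorithm numbers (1 = RSA, 2 = DSA) follow the draft as published in RFC 4255.

```python
"""Build and check SSHFP records the way ssh-keygen -r / VerifyHostKeyDNS use them.

Added example, not code from OpenSSH or from the README authors.  It
follows the SSHFP definition in draft-ietf-secsh-dns (published as RFC 4255):
RDATA = algorithm (1 byte) || fingerprint type (1 byte) || fingerprint,
with the fingerprint being SHA-1 over the raw public key blob (the base64
field of an OpenSSH public key line).  The host key and hostname below are
constructed for the example; the real client logic lives in sshconnect.c.
"""
import base64
import hashlib
import struct

SSHFP_RRTYPE = 44                          # RR type number assigned to SSHFP
ALGORITHM = {"ssh-rsa": 1, "ssh-dss": 2}   # SSHFP algorithm field values
FPTYPE_SHA1 = 1                            # SSHFP fingerprint type: SHA-1


def _ssh_string(b: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(n: int) -> bytes:
    """SSH wire 'mpint' for a positive integer (leading 0x00 if the top bit is set)."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def make_rsa_pubkey_line(e: int, n: int, comment: str) -> str:
    """Assemble an OpenSSH public key line from RSA parameters (constructed test key)."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment


def parse_pubkey_line(line: str):
    """Return (key type, raw key blob) from an OpenSSH public key line."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    keytype, blob = fields[0], base64.b64decode(fields[1])
    inner_len = struct.unpack(">I", blob[:4])[0]
    if blob[4:4 + inner_len] != keytype.encode():
        raise ValueError("key type in blob does not match the first field")
    if keytype not in ALGORITHM:
        raise ValueError(f"no SSHFP algorithm number for {keytype}")
    return keytype, blob


def sshfp_rdata(keytype: str, blob: bytes) -> bytes:
    """Wire-format RDATA: algorithm, fingerprint type, SHA-1 of the key blob."""
    return bytes([ALGORITHM[keytype], FPTYPE_SHA1]) + hashlib.sha1(blob).digest()


def sshfp_record(hostname: str, pubkey_line: str, generic: bool = False) -> str:
    """Zone-file line as ssh-keygen -r prints it; generic=True gives the -g form."""
    keytype, blob = parse_pubkey_line(pubkey_line)
    rdata = sshfp_rdata(keytype, blob)
    if generic:
        # Unknown-type syntax (RFC 3597): TYPE<n> \# <rdlength> <hex rdata>
        return (f"{hostname} IN TYPE{SSHFP_RRTYPE} \\# {len(rdata)} "
                f"{rdata[0]:02x} {rdata[1]:02x} {rdata[2:].hex()}")
    return f"{hostname} IN SSHFP {rdata[0]} {rdata[1]} {rdata[2:].hex()}"


def parse_sshfp_record(record: str):
    """Parse either presentation form into (algorithm, fptype, fingerprint bytes)."""
    f = record.split()
    if len(f) >= 6 and f[2].upper() == "SSHFP":
        return int(f[3]), int(f[4]), bytes.fromhex(f[5])
    if len(f) >= 5 and f[2].upper() == f"TYPE{SSHFP_RRTYPE}" and f[3] == "\\#":
        rdata = bytes.fromhex("".join(f[5:]))
        if len(rdata) != int(f[4]) or len(rdata) < 3:
            raise ValueError("RDLENGTH does not match the hex data")
        return rdata[0], rdata[1], rdata[2:]
    raise ValueError("not an SSHFP record")


def check_host_key(pubkey_line: str, records, dnssec_validated: bool) -> str:
    """Model of the client-side decision (this example's policy, not OpenSSH's code).

    'verified'  a record matched and the DNS answer was DNSSEC-validated
    'match'     a record matched but the answer was not validated (informational)
    'mismatch'  records exist for the host but none match the presented key
    'notfound'  no SSHFP record for the host
    """
    keytype, blob = parse_pubkey_line(pubkey_line)
    want = (ALGORITHM[keytype], FPTYPE_SHA1, hashlib.sha1(blob).digest())
    if not records:
        return "notfound"
    if want not in [parse_sshfp_record(r) for r in records]:
        return "mismatch"
    return "verified" if dnssec_validated else "match"


# Constructed sample data: not a real key, and the hostname is a placeholder.
EXAMPLE_HOST = "host.example.com."
EXAMPLE_KEY = make_rsa_pubkey_line(65537, (1 << 1023) | 0x10001, "root@host.example.com")
OTHER_KEY = make_rsa_pubkey_line(65537, (1 << 1023) | 0x1F3, "root@rogue")

if __name__ == "__main__":
    print(sshfp_record(EXAMPLE_HOST, EXAMPLE_KEY))
    print(sshfp_record(EXAMPLE_HOST, EXAMPLE_KEY, generic=True))
    zone = [sshfp_record(EXAMPLE_HOST, EXAMPLE_KEY)]
    print(check_host_key(EXAMPLE_KEY, zone, dnssec_validated=True))
    print(check_host_key(OTHER_KEY, zone, dnssec_validated=True))
```

The generic form carries exactly the same 22 bytes of RDATA (1 + 1 + 20) as the standard form, which is why a server that only understands TYPE44 still serves something a client can verify; the dnssec_validated flag stands in for the resolver's validation result, since the record itself cannot tell the client whether it arrived signed.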


Jakob Schlyter
Wesley Griffin


$OpenBSD: README.dns,v 1.1 2003/05/14 18:16:20 jakob Exp $