Annotation of src/usr.bin/ssh/README.dns, Revision 1.1.4.2
How to verify host keys using OpenSSH and DNS
---------------------------------------------

OpenSSH contains support for verifying host keys using DNS as described in
draft-ietf-secsh-dns-05.txt. This document contains very brief instructions
on how to use this feature. Configuring DNS is out of the scope of this
document.


(1) Server: Generate and publish the DNS RR

To create a DNS resource record (RR) containing a fingerprint of the
public host key, use the following command:

ssh-keygen -r hostname -f keyfile -g

where "hostname" is your fully qualified hostname and "keyfile" is the
file containing the public host key. If you have multiple keys,
you should generate one RR for each key.

In the example above, ssh-keygen will print the fingerprint in a
generic DNS RR format parsable by most modern name server
implementations. If your nameserver has support for the SSHFP RR
you can omit the -g flag and ssh-keygen will print a standard SSHFP RR.

To publish the fingerprint using DNS you must add the generated RR
to your DNS zone file and sign your zone.


(2) Client: Enable ssh to verify host keys using DNS

To enable the ssh client to verify host keys using DNS, you have to
add the following option to the ssh configuration file
($HOME/.ssh/config or /etc/ssh/ssh_config):

VerifyHostKeyDNS yes

Upon connection the client will try to look up the fingerprint RR
using DNS. If the fingerprint received from the DNS server matches
the remote host key, the user will be notified.
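
The two steps above (building the SSHFP RR on the server side and comparing a published RR against the key a server presents on the client side) can be illustrated with a small script. This is an added example, not code from OpenSSH or from this README; it reimplements what ssh-keygen -r and the VerifyHostKeyDNS check do in outline. It assumes the SSHFP algorithm and fingerprint-type numbers from the SSHFP IANA registry (RSA=1, DSA=2, ECDSA=3, Ed25519=4; SHA-1=1, SHA-256=2; the draft this README refers to only defines SHA-1), and the sample key it hashes is a constructed Ed25519 key, not a real host key. The generic form follows RFC 3597 TYPE44 syntax and is not claimed to be byte-for-byte what ssh-keygen -g prints.

```python
import base64
import hashlib
import struct

# SSHFP algorithm and fingerprint-type numbers (assumption: values from the
# IANA SSHFP registry; RFC 4255 defines RSA=1, DSA=2 and SHA-1=1, RFC 6594
# adds ECDSA=3 and SHA-256=2, RFC 7479 adds Ed25519=4).
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length, then bytes)."""
    return struct.pack(">I", len(data)) + data


def sshfp_fingerprint(pubkey_line: str, fptype: int = 1) -> tuple:
    """Return (algorithm, fptype, hex digest) for one OpenSSH public key line.

    The fingerprint is the digest of the raw key blob, i.e. the bytes the
    base64 field decodes to; this is what ssh-keygen -r publishes.
    """
    keytype, b64, *_ = pubkey_line.split()
    blob = base64.b64decode(b64)
    # The blob begins with its own key-type string; reject a line whose
    # text field and binary field disagree instead of hashing it blindly.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key type field does not match key blob")
    algorithm = SSHFP_ALGORITHMS[keytype]
    digest = SSHFP_HASHES[fptype](blob).hexdigest()
    return algorithm, fptype, digest


def sshfp_rr(hostname: str, pubkey_line: str, fptype: int = 1, generic: bool = False) -> str:
    """Render the record in SSHFP zone-file syntax, or RFC 3597 generic TYPE44 syntax."""
    algorithm, fptype, digest = sshfp_fingerprint(pubkey_line, fptype)
    if generic:
        rdata = bytes([algorithm, fptype]) + bytes.fromhex(digest)
        return f"{hostname} IN TYPE44 \\# {len(rdata)} {rdata.hex()}"
    return f"{hostname} IN SSHFP {algorithm} {fptype} {digest}"


def verify_hostkey_dns(pubkey_line: str, records: list) -> bool:
    """Client-side check: does any published SSHFP record match the offered key?

    The key presented in the connection is hashed locally and compared
    with each (algorithm, fptype, hex digest) tuple fetched from DNS.
    Records with an unknown hash type are skipped; an unknown or
    malformed key can never match.
    """
    for algorithm, fptype, digest in records:
        if fptype not in SSHFP_HASHES:
            continue
        try:
            got = sshfp_fingerprint(pubkey_line, fptype)
        except (KeyError, ValueError):
            return False
        if got == (algorithm, fptype, digest.lower()):
            return True
    return False


# Constructed sample key: an Ed25519 public key whose 32 key bytes are
# 0x00..0x1f. NOT a real host key; it only lets the example run offline.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_PUBKEY = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " root@example.test"

if __name__ == "__main__":
    print(sshfp_rr("host.example.test.", SAMPLE_PUBKEY))
    print(sshfp_rr("host.example.test.", SAMPLE_PUBKEY, generic=True))
    published = [sshfp_fingerprint(SAMPLE_PUBKEY, 1)]
    print("matches DNS:", verify_hostkey_dns(SAMPLE_PUBKEY, published))
```

Run it to see the SSHFP line and its generic TYPE44 equivalent for the constructed key, then feed the record back through verify_hostkey_dns to see the comparison the client performs. The comparison only tells the client that the key in DNS is the key it received; it is the zone signature mentioned in step (1) that lets the client trust that the record itself is genuine.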


Jakob Schlyter
Wesley Griffin


$OpenBSD: README.dns,v 1.2 2003/10/14 19:43:23 jakob Exp $