
Annotation of src/usr.bin/ssh/README.dns, Revision 1.1.4.2

How to verify host keys using OpenSSH and DNS
---------------------------------------------

OpenSSH contains support for verifying host keys using DNS as described in
draft-ietf-secsh-dns-05.txt. This document contains very brief instructions
on how to use this feature. Configuring DNS is out of the scope of this
document.


(1) Server: Generate and publish the DNS RR

To create a DNS resource record (RR) containing a fingerprint of the
public host key, use the following command:

       ssh-keygen -r hostname -f keyfile -g

where "hostname" is your fully qualified hostname and "keyfile" is the
file containing the public host key. If you have multiple host keys,
generate one RR for each key.

In the example above, ssh-keygen will print the fingerprint in a
generic DNS RR format parsable by most modern name server
implementations. If your name server has support for the SSHFP RR,
you can omit the -g flag and ssh-keygen will print a standard SSHFP RR.

To publish the fingerprint using DNS, add the generated RR to your
DNS zone file and sign your zone, so that clients can validate the
record with DNSSEC rather than trusting an unauthenticated answer.


(2) Client: Enable ssh to verify host keys using DNS

To enable the ssh client to verify host keys using DNS, add the
following option to the ssh configuration file
($HOME/.ssh/config or /etc/ssh/ssh_config):

    VerifyHostKeyDNS yes

Upon connection the client will try to look up the fingerprint RR
using DNS. If the fingerprint received from the DNS server matches
the remote host key, the user will be notified.
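The record that ssh-keygen emits in step (1) and the comparison the client makes in step (2), as an added Python example that is not OpenSSH code: it builds a constructed toy RSA key blob, hashes it with SHA-1 as the draft specifies, formats both the SSHFP and the generic TYPE44 forms, and checks an offered host key against a published RR. The helper names, the toy key and the exact spacing of the generic form are assumptions of this example.

```python
import base64
import hashlib
import struct

SSHFP_RRTYPE = 44                                # RR type number of SSHFP
ALGO_BY_KEYTYPE = {"ssh-rsa": 1, "ssh-dss": 2}   # SSHFP algorithm field
FPTYPE_SHA1 = 1                                  # SSHFP fingerprint type: SHA-1

def _ssh_string(b):
    return struct.pack(">I", len(b)) + b

def _ssh_mpint(n):
    # Positive mpint: big-endian bytes with a leading 0x00 when the top bit would be set.
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def make_toy_pubkey_line(e, n, comment="toy@example"):
    """Build an OpenSSH 'ssh-rsa <base64 blob> comment' line from CONSTRUCTED numbers.
    It is a wire-format stand-in for testing only, not a usable RSA key."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode(), comment)

def sshfp_rdata(pubkey_line):
    """(algorithm, fptype, fingerprint hex) for a public key line: SHA-1 over the key blob."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    if blob[4:4 + len(keytype)] != keytype.encode():
        raise ValueError("key blob does not carry the declared key type")
    return ALGO_BY_KEYTYPE[keytype], FPTYPE_SHA1, hashlib.sha1(blob).hexdigest()

def export_rr(hostname, pubkey_line, generic=False):
    """Format the RR as 'ssh-keygen -r hostname -f keyfile [-g]' prints it (spacing assumed)."""
    alg, fpt, fp = sshfp_rdata(pubkey_line)
    if generic:  # unknown-type syntax: \# <rdata length in bytes> <rdata as hex>
        return "%s IN TYPE%d \\# %d %02x %02x %s" % (
            hostname, SSHFP_RRTYPE, 2 + len(fp) // 2, alg, fpt, fp)
    return "%s IN SSHFP %d %d %s" % (hostname, alg, fpt, fp)

def host_key_matches_rr(pubkey_line, rr_line):
    """Client side (VerifyHostKeyDNS): does the key the host offered match the published RR?"""
    f = rr_line.split()
    if len(f) < 6 or f[2] != "SSHFP" or not (f[3].isdigit() and f[4].isdigit()):
        return False
    return (int(f[3]), int(f[4]), f[5].lower()) == sshfp_rdata(pubkey_line)

PUBKEY_LINE = make_toy_pubkey_line(65537, 0xC0FFEE12345)   # constructed sample key
```

A real deployment hashes the key ssh-keygen reads from keyfile; the constructed key here only exercises the wire format and the comparison.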


       Jakob Schlyter
       Wesley Griffin


$OpenBSD: README.dns,v 1.2 2003/10/14 19:43:23 jakob Exp $