
Annotation of src/usr.bin/ssh/README.dns, Revision 1.1.6.1

How to verify host keys using OpenSSH and DNS
---------------------------------------------

OpenSSH contains experimental support for verifying host keys using DNS
as described in draft-ietf-secsh-dns-xx.txt. This document contains
very brief instructions on how to test this feature. Configuring DNS
and DNSSEC is out of the scope of this document.


(1) Enable DNS fingerprint support in OpenSSH

Edit /usr/src/usr.bin/ssh/Makefile.inc and uncomment the line containing

	CFLAGS+= -DDNS


(2) Generate and publish the DNS RR

To create a DNS resource record (RR) containing a fingerprint of the
public host key, use the following command:

	ssh-keygen -r hostname -f keyfile -g

where "hostname" is your fully qualified hostname and "keyfile" is the
file containing the public host key. If you have multiple host keys,
generate one RR for each key; the client compares the record against
whichever key the server presents.

In the example above, ssh-keygen will print the fingerprint in a
generic DNS RR format (the "\#" hex-encoded unknown-type syntax)
parsable by most modern name server implementations. If your
nameserver has support for the SSHFP RR, as defined by the draft, you
can omit the -g flag and ssh-keygen will print a standard SSHFP RR.

To publish the fingerprint using the DNS you must add the generated RR
to your DNS zone file and sign your zone. An SSHFP record served from
an unsigned zone is no more trustworthy than any other DNS answer, so
signing is what makes the lookup meaningful.


(3) Enable the ssh client to verify host keys using DNS

To enable the ssh client to verify host keys using DNS, you have to
add the following option to the ssh configuration file
($HOME/.ssh/config or /etc/ssh/ssh_config):

    VerifyHostKeyDNS yes

Upon connection the client will try to look up the fingerprint RR
using DNS. If the fingerprint received from the DNS server matches
the remote host key, the user will be notified. The client only treats
a match as a verified key when the resolver reports that the answer
was validated with DNSSEC; a match from an unvalidated answer is
reported, but the usual host key confirmation is still required.
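
Worked example. The following Python script is added here for
illustration; it is not part of OpenSSH and does not replace
ssh-keygen -r. It builds the SSHFP RDATA the way the draft defines it
(a digest over the base64-decoded key blob), prints it in both the
standard and the generic (-g) presentation forms, and shows the
decision the client makes when it compares a DNS answer against the
key the server presented. It goes beyond this README in two ways: it
also covers the algorithm numbers for ECDSA (3) and Ed25519 (4) and
the SHA-256 fingerprint type (2), all assigned after the draft, and it
models the DNSSEC-validated flag that decides whether a match is
trusted. The hostname host.example.com and the two key lines are
constructed for the example; they are correctly encoded key blobs, not
real key pairs.

```python
"""Build and check SSHFP records for OpenSSH host keys (added example, not
OpenSSH code): recompute what `ssh-keygen -r` prints so it can be
cross-checked, and show the comparison the ssh client makes."""
import base64
import hashlib
import struct

# SSHFP algorithm numbers: 1 and 2 are from the draft the README cites (later
# RFC 4255); 3 (ECDSA) and 4 (Ed25519) were assigned later.
SSHFP_ALGORITHM = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                   "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
                   "ssh-ed25519": 4}
SSHFP_FPTYPE = {"sha1": 1, "sha256": 2}  # 1 is the draft's; 2 came later
SSHFP_RRTYPE = 44  # numeric RR type used by the generic (-g) form

def ssh_string(data):
    """SSH 'string' encoding: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def ssh_mpint(n):
    """SSH 'mpint' encoding of a non-negative integer."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    if raw and raw[0] & 0x80:  # leading zero keeps the value positive
        raw = b"\x00" + raw
    return ssh_string(raw)

def parse_pubkey_line(line):
    """Return (key type, key blob) from an OpenSSH public key line; the
    SSHFP fingerprint is a digest of this blob, the key as sent on the wire."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    keytype, blob = fields[0], base64.b64decode(fields[1])
    inner_len = struct.unpack(">I", blob[:4])[0]
    if blob[4:4 + inner_len] != keytype.encode():  # blob names its own type
        raise ValueError("key type field does not match key blob")
    return keytype, blob

def sshfp_rdata(keytype, blob, fptype="sha1"):
    """(algorithm number, fingerprint type number, digest) for one key."""
    digest = hashlib.new(fptype, blob).digest()
    return SSHFP_ALGORITHM[keytype], SSHFP_FPTYPE[fptype], digest

def format_sshfp(hostname, alg, fpt, digest, generic=False):
    """One SSHFP RR in presentation form; generic=True mimics -g."""
    if generic:  # RFC 3597 unknown-type syntax: \# <rdata length> <hex>
        return "%s IN TYPE%d \\# %d %02x %02x %s" % (
            hostname, SSHFP_RRTYPE, 2 + len(digest), alg, fpt, digest.hex())
    return "%s IN SSHFP %d %d %s" % (hostname, alg, fpt, digest.hex())

def records_for_key(hostname, pubkey_line, fptypes=("sha1",), generic=False):
    """All SSHFP RRs for one key: one record per fingerprint type."""
    keytype, blob = parse_pubkey_line(pubkey_line)
    return [format_sshfp(hostname, *sshfp_rdata(keytype, blob, fpt), generic)
            for fpt in fptypes]

def parse_sshfp(record):
    """'owner IN SSHFP alg fpt hex' -> (alg, fpt, digest bytes)."""
    fields = record.split()
    if len(fields) < 6 or fields[2] != "SSHFP":
        raise ValueError("not a presentation-format SSHFP record")
    return int(fields[3]), int(fields[4]), bytes.fromhex("".join(fields[5:]))

def check_host_key(pubkey_line, rrset, validated):
    """Decide what the client learned from a DNS answer.
    rrset: SSHFP records for the host (constructed here, from DNS in
    practice); validated: resolver flagged the answer as DNSSEC-validated.
    Returns (found, match, secure).  A match from an answer that was not
    validated is reported to the user but must not vouch for the key."""
    keytype, blob = parse_pubkey_line(pubkey_line)
    fptype_names = {v: k for k, v in SSHFP_FPTYPE.items()}
    match = False
    for rr in rrset:
        alg, fpt, digest = parse_sshfp(rr)
        if alg != SSHFP_ALGORITHM.get(keytype) or fpt not in fptype_names:
            continue  # record is for another key type or an unknown digest
        match = match or hashlib.new(fptype_names[fpt], blob).digest() == digest
    return bool(rrset), match, match and validated

def synthetic_ed25519_key_line():
    """Constructed ssh-ed25519 key line (a fixed 32-byte pattern, NOT a real
    key) so the example runs offline without any key files."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
    return "ssh-ed25519 %s example@host" % base64.b64encode(blob).decode()

def synthetic_rsa_key_line():
    """Constructed ssh-rsa key line: e=65537 and a made-up 64-byte modulus."""
    n = int.from_bytes(bytes(0x80 + i for i in range(64)), "big")
    blob = ssh_string(b"ssh-rsa") + ssh_mpint(65537) + ssh_mpint(n)
    return "ssh-rsa %s example@host" % base64.b64encode(blob).decode()

if __name__ == "__main__":
    host = "host.example.com"  # assumed hostname; use your own FQDN
    for line in (synthetic_ed25519_key_line(), synthetic_rsa_key_line()):
        print("\n".join(records_for_key(host, line, ("sha1", "sha256"))))
        print(records_for_key(host, line, generic=True)[0])
    rrset = records_for_key(host, synthetic_ed25519_key_line())
    print(check_host_key(synthetic_ed25519_key_line(), rrset, validated=False))
```

On a real host, pass the contents of /etc/ssh/ssh_host_*_key.pub to
records_for_key and compare the output with what ssh-keygen -r prints
for the same key; when pasting either into a zone file, make sure the
owner name is absolute (trailing dot) or correct relative to $ORIGIN.
The (found, match, secure) triple is the point of the last step: with
VerifyHostKeyDNS yes, only a match from a DNSSEC-validated answer is
allowed to stand in for the usual host key confirmation.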


	Jakob Schlyter
	Wesley Griffin


$OpenBSD: README.dns,v 1.1 2003/05/14 18:16:20 jakob Exp $