| version 1.251, 2006/01/20 00:14:55 |
version 1.252, 2006/01/26 08:47:56 |
|
|
| option can be used to control logins to machines whose |
option can be used to control logins to machines whose |
| host key is not known or has changed. |
host key is not known or has changed. |
| .Pp |
.Pp |
| .Nm |
|
| can be configured to verify host identification using fingerprint resource |
|
| records (SSHFP) published in DNS. |
|
| The |
|
| .Cm VerifyHostKeyDNS |
|
| option can be used to control how DNS lookups are performed. |
|
| SSHFP resource records can be generated using |
|
| .Xr ssh-keygen 1 . |
|
| .Pp |
|
| When the user's identity has been accepted by the server, the server |
When the user's identity has been accepted by the server, the server |
| either executes the given command, or logs into the machine and gives |
either executes the given command, or logs into the machine and gives |
| the user a normal shell on the remote machine. |
the user a normal shell on the remote machine. |
|
|
| options above) and |
options above) and |
| the user is using an authentication agent, the connection to the agent |
the user is using an authentication agent, the connection to the agent |
| is automatically forwarded to the remote side. |
is automatically forwarded to the remote side. |
| |
.Sh VERIFYING HOST KEYS |
| |
When connecting to a server for the first time, |
| |
a fingerprint of the server's public key is presented to the user |
| |
(unless the option |
| |
.Cm StrictHostKeyChecking |
| |
has been disabled). |
| |
Fingerprints can be determined using |
| |
.Xr ssh-keygen 1 : |
| |
.Pp |
| |
.Dl $ ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key |
| |
.Pp |
| |
If the fingerprint is already known, |
| |
it can be matched and verified, |
| |
and the key can be accepted. |
| |
If the fingerprint is unknown, |
| |
an alternative method of verification is available: |
| |
SSH fingerprints verified by DNS. |
| |
An additional resource record (RR), |
| |
SSHFP, |
| |
is added to a zonefile |
| |
and the connecting client is able to match the fingerprint |
| |
with that of the key presented. |
| |
.Pp |
| |
In this example, we are connecting a client to a server, |
| |
.Dq host.example.com . |
| |
The SSHFP resource records should first be added to the zonefile for |
| |
host.example.com: |
| |
.Bd -literal -offset indent |
| |
$ ssh-keygen -f /etc/ssh/ssh_host_rsa_key.pub -r host.example.com. |
| |
$ ssh-keygen -f /etc/ssh/ssh_host_dsa_key.pub -r host.example.com. |
| |
.Ed |
| |
.Pp |
| |
The output lines will have to be added to the zonefile. |
| |
To check that the zone is answering fingerprint queries: |
| |
.Pp |
| |
.Dl $ dig -t SSHFP host.example.com |
| |
.Pp |
| |
Finally the client connects: |
| |
.Bd -literal -offset indent |
| |
$ ssh -o "VerifyHostKeyDNS ask" host.example.com |
| |
[...] |
| |
Matching host key fingerprint found in DNS. |
| |
Are you sure you want to continue connecting (yes/no)? |
| |
.Ed |
| |
.Pp |
| |
See the |
| |
.Cm VerifyHostKeyDNS |
| |
option in |
| |
.Xr ssh_config 5 |
| |
for more information. |
| .Sh SSH-BASED VIRTUAL PRIVATE NETWORKS |
.Sh SSH-BASED VIRTUAL PRIVATE NETWORKS |
| .Nm |
.Nm |
| contains support for Virtual Private Network (VPN) tunnelling |
contains support for Virtual Private Network (VPN) tunnelling |
![[BACK]](/icons/back.gif){kind=icon}
Return to ssh.1 CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / ssh