SSHFP Resource Record

SSHFP Resource Record (SSHFP for Secure Shell (Key) Fingerprint) is a DNS resource record for SSH keys.

Structure

       <Name> [<TTL>] [<Class>] SSHFP <Algorithm> <Type> <Fingerprint>

<Name>: The domain name of the object to which the resource record belongs (optional)
<TTL>: Time to live (in seconds). Validity of Resource Records (optional)
<Class>: Protocol group to which the resource record belongs (optional)
<Algorithm>: Algorithm of Public_Key (0=reserved, 1=RSA, 2=DSA, 3=ECDSA, 4=Ed25519)
<Type>: Type of fingerprint (0=reserved, 1=SHA-1, 2=SHA-256)
<Fingerprint>: Hexadecimal representation of the hash result

Example

       host.example.com.  SSHFP 2 1 123456789abcdef67890123456789abcdef67890

A client can determine in this example, the host with the DNS name host.example.com a DSA key used with the SHA-1 fingerprint "123456789abcdef67890123456789abcdef67890".

Use with OpenSSH Client

OpenSSH client can check the Fingerprint of the SSH Server and compare to the DNS SSHFP record entry, but it's disabled by default. To force the check, you must use the VerifyHostKeyDNS ask option. You can put on you ~/config file or directly on /etc/ssh/ssh_config file. Example :

       $ ssh -o "VerifyHostKeyDNS ask" host.example.com
       [...]
       Matching host key fingerprint found in DNS.
       Are you sure you want to continue connecting (yes/no)?

Use ssh-keygen command

The ssh-keygen unix command can rapidly and directly generate all entry to insert in your DNS.

       # ssh-keygen -r www.example.com
       www.example.com IN SSHFP 1 1 5f2f2e0676798a0273572bc77b99d6319a560fd5
       www.example.com IN SSHFP 1 2 f5ae7764148c8f587996e5be3324286bdd1e9b935caaf3ff0ed3c9bbc0152097
       www.example.com IN SSHFP 2 1 9b913ce5339f8761c26a2ed755156d4785042b2d
       www.example.com IN SSHFP 2 2 15477282e6a510a6c534e61f1df40d3750edcf86c6f4bf2ab5a964ccada7be3d
       www.example.com IN SSHFP 3 1 1262006f9a45bb36b1aa14f45f354b694b77d7c3
       www.example.com IN SSHFP 3 2 e5921564252fe10d2dbafeb243733ed8b1d165b8fa6d5a0e29198e5793f0623b

Weblinks

RFC 4255 – Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints
RFC 6594 – Use of the SHA-256 Algorithm with RSA, Digital Signature Algorithm (DSA), and Elliptic Curve DSA (ECDSA) in SSHFP Resource Records

This article is issued from Wikipedia - version of the 11/6/2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.