SSHFP

From dankwiki

SSHFP records allow SSH host keys (see RFC 4253) to be published via the Domain Name System. An interesting benefit is that, should SSHFP lookup be the only allowed method of authenticating a host key, keys can be revoked by removing them from DNS. They are defined in RFC 4255, as resource record (RR) type 44 (0x2C). Note that the record carries only a fingerprint of the key, not the key itself, and that it is only as trustworthy as the DNS answer that delivered it: OpenSSH treats a fingerprint as "secure" only when the resolver reports the RRset as DNSSEC-validated.

       1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |   algorithm   |    fp type    |                               /
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               /
       /                                                               /
       /                          fingerprint                          /
       /                                                               /
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  • Algorithm: 1 for RSA, 2 for DSS
  • Fingerprint Type: 1 for SHA-1

SSHFP records can be looked up via dig -t sshfp:

[hoare](0) $ dig +short -t sshfp svn.research.sys
1 1 CC96EE17FF88BB18AC8994342AE2B24185BA1B26
[hoare](0) $
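The record layout above, worked through in Python as an added example (this is not code from the page or from the sshfp tool): the fingerprint is the digest of the raw key blob, i.e. the base64-decoded second field of an OpenSSH public key line; the RDATA is a one-octet algorithm, a one-octet fingerprint type and the digest bytes; and the presentation form is what dig +short printed above. The key blob is constructed, not a real host key, and the RDATA bytes are those of the svn.research.sys answer. The algorithm and fingerprint-type tables go beyond the page by including the later IANA assignments (ECDSA as 3 and SHA-256 as type 2 from RFC 6594, Ed25519 as 4 from RFC 7479).

```python
import base64
import hashlib
import struct

# Code points from RFC 4255; 3 (ECDSA, RFC 6594) and 4 (Ed25519, RFC 7479) were added later.
ALGORITHMS = {1: "RSA", 2: "DSS", 3: "ECDSA", 4: "Ed25519"}
# Fingerprint type 1 is SHA-1 (RFC 4255); type 2 is SHA-256 (RFC 6594).
FP_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}
KEY_TYPE_TO_ALG = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3, "ssh-ed25519": 4}


def fingerprint_from_pubkey_line(line, fptype=1):
    """Return (alg, fptype, hex digest) for one OpenSSH public key line.

    The digest covers the raw key blob, i.e. the base64-decoded second field
    of the line, which is what RFC 4255 section 3.1 specifies.
    """
    keytype, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    return KEY_TYPE_TO_ALG[keytype], fptype, FP_TYPES[fptype](blob).hexdigest()


def encode_rdata(alg, fptype, fp_hex):
    """Wire-format RDATA: one octet algorithm, one octet fp type, then the digest bytes."""
    return struct.pack("!BB", alg, fptype) + bytes.fromhex(fp_hex)


def decode_rdata(rdata):
    """Parse wire-format RDATA, rejecting a digest whose length does not fit the fp type."""
    if len(rdata) < 2:
        raise ValueError("SSHFP RDATA shorter than its two-octet header")
    alg, fptype = struct.unpack("!BB", rdata[:2])
    fp = rdata[2:]
    if fptype in FP_TYPES and len(fp) != FP_TYPES[fptype]().digest_size:
        raise ValueError(f"digest length {len(fp)} does not match fp type {fptype}")
    return alg, fptype, fp.hex()


def presentation(alg, fptype, fp_hex):
    """Render the record as dig +short prints it: '<alg> <fptype> <HEX>'."""
    return f"{alg} {fptype} {fp_hex.upper()}"


# Constructed sample: an ed25519-shaped blob, not a real host key.
SAMPLE_BLOB = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + bytes(range(32))
SAMPLE_KEY_LINE = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " host@example"

# The svn.research.sys record from the dig output above, as the resolver hands it over
# (two-octet header followed by the 20-byte SHA-1 digest).
SVN_RDATA = bytes.fromhex("0101cc96ee17ff88bb18ac8994342ae2b24185ba1b26")

if __name__ == "__main__":
    print(presentation(*decode_rdata(SVN_RDATA)))
    for fptype in FP_TYPES:
        print(presentation(*fingerprint_from_pubkey_line(SAMPLE_KEY_LINE, fptype)))
```

The length check in decode_rdata is the one a resolver-side consumer wants: a record whose digest length does not match its fingerprint type can never compare equal to a real key and should be reported rather than silently ignored.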

On FreeBSD, the dns/sshfp port supplies sshfp; Debian added the sshfp package 2008-07-13. This tool generates SSHFP output from ssh-keyscan or from known_hosts files:

[prometheus](0) $ /usr/local/bin/sshfp ctapd03.research.sys
ctapd03.research.sys IN SSHFP 1 1 443e23a036005c581f4f3e2e5a7949091d7318cd
ctapd03.research.sys IN SSHFP 2 1 86b505f00cb65359f6e377758b92359fc6dbd49b
[prometheus](0) $ /usr/local/bin/sshfp
[207.59.224.206]:7710. IN SSHFP 2 1 9eee5ceda25f86d4d9bf7f8569e576c56b69b9fc
hoare.research.sys. IN SSHFP 1 1 cc96ee17ff88bb18ac8994342ae2b24185ba1b26
localhost IN SSHFP 1 1 46c7cec5dde1fa5647591fd8636087508defea91
providence.scur. IN SSHFP 1 1 cc96ee17ff88bb18ac8994342ae2b24185ba1b26
qemfd IN SSHFP 1 1 2626a74a1c42c15ad31da0ee187992606ce135e0
qemfd.net. IN SSHFP 1 1 2626a74a1c42c15ad31da0ee187992606ce135e0
svn.research.sys. IN SSHFP 1 1 cc96ee17ff88bb18ac8994342ae2b24185ba1b26
[prometheus](0) $ 

Use with OpenSSH

  • Set "VerifyHostKeyDNS yes" in your SSH config file, or on the command line with -o VerifyHostKeyDNS=yes, to automatically trust a host key matching a secure (DNSSEC-validated) fingerprint in DNS. Set it to "ask" to display the fingerprint and then apply the usual StrictHostKeyChecking behaviour; this is also what happens for insecure fingerprints, even when VerifyHostKeyDNS has been set to "yes". With "no", SSHFP records are not consulted at all.
  • To extract SSHFP fingerprints for keys in your known_hosts file, use ssh-keygen -r hostname:
[recombinator](0) $ ssh-keygen -r qemfd.net
qemfd.net IN SSHFP 1 1 2626a74a1c42c15ad31da0ee187992606ce135e0
qemfd.net IN SSHFP 2 1 4193db02ecc3acd85f9abbaf71c8945ebe7f6067
[recombinator](0) $
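The yes/ask/no behaviour described above, as an added decision model written for this page (it is not OpenSSH's own code, which lives in sshconnect.c). The secure flag on each record stands for the resolver having reported the RRset as DNSSEC-validated; the records are the qemfd.net RRset printed above, assumed here to be signed, and the presented host key is represented only by its fingerprint, which is what the comparison actually uses.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SshfpRecord:
    alg: int
    fptype: int
    fp_hex: str
    secure: bool  # True only when the resolver reported the RRset as DNSSEC-validated


def match_records(host_key_fps, records):
    """Compare the fingerprints of the key the server presented with the SSHFP RRset.

    host_key_fps maps (alg, fptype) -> hex digest computed over the presented key.
    Returns (matched, secure_match); records for other key algorithms are ignored.
    """
    matched = secure_match = False
    for r in records:
        got = host_key_fps.get((r.alg, r.fptype))
        if got is not None and got.lower() == r.fp_hex.lower():
            matched = True
            secure_match = secure_match or r.secure
    return matched, secure_match


def decide(verify_host_key_dns, host_key_fps, records):
    """Outcome of the VerifyHostKeyDNS setting for one connection attempt.

    "trust":       a secure fingerprint matched and the setting is "yes", so the key is accepted
    "ask":         a fingerprint matched but it is insecure or the setting is "ask";
                   the user is prompted as StrictHostKeyChecking dictates
    "mismatch":    records exist but none match; OpenSSH warns and continues with known_hosts
    "known_hosts": DNS was not consulted or returned nothing, so known_hosts decides alone
    """
    if verify_host_key_dns == "no" or not records:
        return "known_hosts"
    matched, secure = match_records(host_key_fps, records)
    if not matched:
        return "mismatch"
    if verify_host_key_dns == "yes" and secure:
        return "trust"
    return "ask"


# Constructed scenario: the SSHFP RRset published for qemfd.net on this page, marked as
# DNSSEC-validated, against an RSA host key whose SHA-1 digest matches the RSA record.
QEMFD_RRSET = [
    SshfpRecord(1, 1, "2626a74a1c42c15ad31da0ee187992606ce135e0", secure=True),
    SshfpRecord(2, 1, "4193db02ecc3acd85f9abbaf71c8945ebe7f6067", secure=True),
]
PRESENTED_RSA_KEY = {(1, 1): "2626A74A1C42C15AD31DA0EE187992606CE135E0"}

if __name__ == "__main__":
    for setting in ("yes", "ask", "no"):
        print(setting, "->", decide(setting, PRESENTED_RSA_KEY, QEMFD_RRSET))
```

The point the model makes explicit is that "yes" never hands out trust on an unsigned answer: the same matching record with secure=False drops to the "ask" path, so without DNSSEC on the zone and a validating resolver between ssh and the zone, publishing SSHFP records saves typing but does not replace known_hosts.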

Use with djbdns

:qemfd.net:44:\001\001\046\046\247\112\034\102\301\132\323\035\240\356\030\171\222\140\154\341\065\340:
  • The following perl script (courtesy of Henning Brauer) writes to stdout a djbdns record for the RSA key at /etc/ssh/ssh_host_rsa_key.pub (it should be trivial to use ssh-keyscan instead); invoke it with the desired FQDN as the single argument:
#!/usr/bin/perl
# Print a tinydns-data generic (type 44) record for this host's RSA key.
# Usage: sshfp-djbdns host.example.com
use strict;
use warnings;

die "usage: $0 fqdn\n" unless @ARGV == 1;

# ssh-keygen -r prints "<host> IN SSHFP <alg> <fptype> <hex fingerprint>"; newer
# versions add a second (SHA-256) line per key, so only the first line is read.
open(my $fh, '-|', 'ssh-keygen', '-f', '/etc/ssh/ssh_host_rsa_key.pub', '-r', $ARGV[0])
    or die "cannot run ssh-keygen: $!\n";
my $FP = <$fh>;
close $fh;
die "no SSHFP output from ssh-keygen\n" unless defined $FP;
chomp $FP;
my ($host, $in, $sshfp, $alg, $fptype, $fp) = split " ", $FP;
# tinydns-data takes raw RDATA as \ooo octal escapes: algorithm, fp type, then the digest bytes.
my $out = sprintf("\\%03o\\%03o", $alg, $fptype);
for (my $i = 0; $i < length($fp); $i += 2) {
	$out .= sprintf("\\%03o", hex substr($fp, $i, 2));
}
printf(":%s:44:%s:\n", $host, $out);
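An added Python companion to the djbdns section (not the page's or Henning Brauer's code): it goes the other way as well, decoding a tinydns-data generic record back into algorithm, fingerprint type and hex digest so that a line already in the data file can be checked against ssh-keygen -r output. The sample inputs are the qemfd.net ssh-keygen line and the djbdns record shown on this page; only the first three fields of the generic record (fqdn, type, rdata) are interpreted and the optional ttl/timestamp/location fields are ignored.

```python
import re

# A tinydns-data generic record is ":fqdn:rrtype:rdata:ttl:timestamp:lo"; only the first
# three fields matter here, and the rdata carries arbitrary bytes as \ooo octal escapes.
GENERIC_RECORD = re.compile(r"^:(?P<fqdn>[^:]+):(?P<rrtype>\d+):(?P<rdata>[^:]*)")


def octal_escape(data):
    """Escape every byte as \\ooo, which is how tinydns-data reads raw RDATA."""
    return "".join("\\%03o" % b for b in data)


def octal_unescape(text):
    """Inverse of octal_escape; literal characters are copied through as tinydns does."""
    out = bytearray()
    i = 0
    while i < len(text):
        if text[i] == "\\" and i + 3 < len(text) and text[i + 1:i + 4].isdigit():
            out.append(int(text[i + 1:i + 4], 8))
            i += 4
        else:
            out.append(ord(text[i]))
            i += 1
    return bytes(out)


def from_ssh_keygen_line(line):
    """Parse '<host> IN SSHFP <alg> <fptype> <hex>' as ssh-keygen -r prints it."""
    host, _in, _sshfp, alg, fptype, fp_hex = line.split()
    return host, int(alg), int(fptype), fp_hex


def sshfp_to_tinydns(host, alg, fptype, fp_hex):
    """Build the generic type-44 record line for tinydns-data."""
    rdata = bytes([alg, fptype]) + bytes.fromhex(fp_hex)
    return f":{host}:44:{octal_escape(rdata)}:"


def tinydns_to_sshfp(line):
    """Decode a generic record line back to (host, alg, fptype, hex) so it can be checked."""
    m = GENERIC_RECORD.match(line)
    if not m or m.group("rrtype") != "44":
        raise ValueError("not a tinydns generic SSHFP (type 44) record")
    rdata = octal_unescape(m.group("rdata"))
    if len(rdata) < 2:
        raise ValueError("RDATA shorter than the algorithm/fp-type header")
    return m.group("fqdn"), rdata[0], rdata[1], rdata[2:].hex()


# Sample inputs taken from this page: the ssh-keygen -r line for qemfd.net's RSA key and
# the djbdns record published for it.
KEYGEN_LINE = "qemfd.net IN SSHFP 1 1 2626a74a1c42c15ad31da0ee187992606ce135e0"
DJBDNS_LINE = r":qemfd.net:44:\001\001\046\046\247\112\034\102\301\132\323\035\240\356\030\171\222\140\154\341\065\340:"

if __name__ == "__main__":
    print(sshfp_to_tinydns(*from_ssh_keygen_line(KEYGEN_LINE)))
    print(tinydns_to_sshfp(DJBDNS_LINE))
```

Running the decoder over an existing data file is the cheap audit for a key rotation: any type-44 line whose decoded digest no longer matches what ssh-keygen -r reports for the host is a stale record that will trigger the changed-key warning on clients.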