SSHFP
From dankwiki
Revision as of 02:24, 20 May 2011
SSHFP records allow SSH host keys (see RFC 4253) to be published via the Domain Name System. They are defined in RFC 4255 as resource record (RR) type 44 (0x2C). An interesting benefit is that, should SSHFP lookup be the only allowed method of authenticating a host key, a key can be revoked simply by removing its record from DNS. The records are only as trustworthy as the DNS answer that carries them: RFC 4255 requires the client to validate that answer with DNSSEC before trusting it, and OpenSSH (see below) treats an unvalidated record as merely informational.
<pre>
                        1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   algorithm   |    fp type    |                               /
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               /
   /                                                               /
   /                          fingerprint                          /
   /                                                               /
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
</pre>
- Algorithm: 1 for RSA, 2 for DSS (RFC 6594 later added 3 for ECDSA, and RFC 7479 added 4 for Ed25519; the examples on this page predate both)
- Fingerprint Type: 1 for SHA-1 (RFC 6594 later added 2 for SHA-256). The fingerprint is the hash of the RFC 4253 public key blob, i.e. the bytes that appear base64-encoded in a known_hosts or ssh_host_*_key.pub file.
SSHFP records can be looked up via dig -t sshfp:
<pre>
[hoare](0) $ dig +short -t sshfp svn.research.sys
1 1 CC96EE17FF88BB18AC8994342AE2B24185BA1B26
[hoare](0) $
</pre>
On FreeBSD, the dns/sshfp port supplies sshfp; Debian added the sshfp package on 2008-07-13. This tool generates SSHFP records from ssh-keyscan output or from known_hosts files. Below it is first given a hostname to scan, then run with no arguments, which converts the local known_hosts entries (note the [host]:port form for a non-standard port):
<pre>
[prometheus](0) $ /usr/local/bin/sshfp ctapd03.research.sys
ctapd03.research.sys IN SSHFP 1 1 443e23a036005c581f4f3e2e5a7949091d7318cd
ctapd03.research.sys IN SSHFP 2 1 86b505f00cb65359f6e377758b92359fc6dbd49b
[prometheus](0) $ /usr/local/bin/sshfp
[207.59.224.206]:7710. IN SSHFP 2 1 9eee5ceda25f86d4d9bf7f8569e576c56b69b9fc
hoare.research.sys. IN SSHFP 1 1 cc96ee17ff88bb18ac8994342ae2b24185ba1b26
localhost IN SSHFP 1 1 46c7cec5dde1fa5647591fd8636087508defea91
providence.scur. IN SSHFP 1 1 cc96ee17ff88bb18ac8994342ae2b24185ba1b26
qemfd IN SSHFP 1 1 2626a74a1c42c15ad31da0ee187992606ce135e0
qemfd.net. IN SSHFP 1 1 2626a74a1c42c15ad31da0ee187992606ce135e0
svn.research.sys. IN SSHFP 1 1 cc96ee17ff88bb18ac8994342ae2b24185ba1b26
[prometheus](0) $
</pre>
Use with OpenSSH
- Set "VerifyHostKeyDNS yes" in your SSH config file, or on the command line with -o VerifyHostKeyDNS=yes, to implicitly trust a host key that matches a secure (DNSSEC-validated) SSHFP record. An insecure (unvalidated) record is handled as if the option were set to "ask", even when it is set to "yes": the fingerprint match is displayed, but the key is still confirmed according to StrictHostKeyChecking. With "no", SSHFP records are not consulted at all. "Secure" here means the resolver library reported the answer as validated (the AD bit); ssh does not perform DNSSEC validation itself, so the path to the validating resolver must be trusted, which in practice means running one on localhost.
- To print SSHFP records for the local host keys (/etc/ssh/ssh_host_*_key.pub, or a specific public key file given with -f), use ssh-keygen -r HostName; the name is only used as the owner name of the printed records. To convert entries from a known_hosts file instead, use the sshfp tool above.
<pre>
[recombinator](0) $ ssh-keygen -r qemfd.net
qemfd.net IN SSHFP 1 1 2626a74a1c42c15ad31da0ee187992606ce135e0
qemfd.net IN SSHFP 2 1 4193db02ecc3acd85f9abbaf71c8945ebe7f6067
[recombinator](0) $
</pre>
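The following Python is an added example for two passages above, the wire format (algorithm byte, fp type byte, raw hash) and the VerifyHostKeyDNS decision; it is not code from this page, from OpenSSH or from the sshfp tool. It computes the SSHFP rdata for a key line the way ssh-keygen -r does (hash of the base64 key blob), encodes and decodes the wire form, parses both presentation forms seen on this page (dig +short and ssh-keygen -r), and models the trusted/ask outcome. It goes beyond the page in accepting the later algorithm and fingerprint-type values (ECDSA, Ed25519, SHA-256). The sample key blob is constructed filler, not a real key, and verify_host_key is a deliberately simplified model of ssh's behaviour.

```python
import base64
import hashlib

# SSHFP algorithm numbers: 1 and 2 from RFC 4255; 3 (ECDSA, RFC 6594) and
# 4 (Ed25519, RFC 7479) were defined after the examples on this page.
ALGORITHMS = {
    "ssh-rsa": 1, "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3, "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# Fingerprint type -> (hashlib name, digest length); type 2 is from RFC 6594.
FPTYPES = {1: ("sha1", 20), 2: ("sha256", 32)}


def pubkey_blob(line):
    """Return (keytype, raw RFC 4253 key blob) from a *.pub or known_hosts line."""
    fields = line.split()
    if fields and fields[0].startswith("@"):     # known_hosts marker, e.g. @cert-authority
        fields = fields[1:]
    if fields and fields[0] not in ALGORITHMS:   # known_hosts host field (plain or hashed)
        fields = fields[1:]
    keytype, b64 = fields[0], fields[1]
    return keytype, base64.b64decode(b64)


def sshfp_rdata(line, fptype=1):
    """(algorithm, fptype, fingerprint) for a key line, as ssh-keygen -r prints it.

    The fingerprint is the hash of the key blob exactly as it appears,
    base64-encoded, in the key file.
    """
    keytype, blob = pubkey_blob(line)
    hashname, _ = FPTYPES[fptype]
    return ALGORITHMS[keytype], fptype, hashlib.new(hashname, blob).digest()


def encode_wire(alg, fptype, fp):
    """RFC 4255 wire format: one byte algorithm, one byte fp type, then the raw hash."""
    return bytes([alg, fptype]) + fp


def decode_wire(rdata):
    """Inverse of encode_wire; rejects records whose length does not fit the fp type."""
    if len(rdata) < 2:
        raise ValueError("SSHFP rdata shorter than the two fixed bytes")
    alg, fptype, fp = rdata[0], rdata[1], rdata[2:]
    if fptype in FPTYPES and len(fp) != FPTYPES[fptype][1]:
        raise ValueError("fingerprint length %d does not match fp type %d" % (len(fp), fptype))
    return alg, fptype, fp


def present(alg, fptype, fp):
    """Presentation format as printed by dig +short: '1 1 CC96...'."""
    return "%d %d %s" % (alg, fptype, fp.hex().upper())


def parse_presentation(line):
    """Parse 'alg fptype hex' (dig +short) or 'host IN SSHFP alg fptype hex' (ssh-keygen -r)."""
    f = line.split()
    if len(f) == 3:
        alg, fptype, fphex = f
    elif len(f) == 6 and f[2].upper() == "SSHFP":
        alg, fptype, fphex = f[3:]
    else:
        raise ValueError("not an SSHFP presentation line: %r" % line)
    return int(alg), int(fptype), bytes.fromhex(fphex)


def verify_host_key(key_line, dns_lines, dnssec_validated):
    """Simplified model of the VerifyHostKeyDNS=yes decision (not OpenSSH's code).

    'trusted': a record matches and the answer was DNSSEC-validated.
    'ask': a record matches but the answer was not validated; ssh shows the
           match and still applies StrictHostKeyChecking.
    'no-match': no usable record matches; normal known_hosts handling applies.
    """
    matched = False
    for line in dns_lines:
        alg, fptype, fp = parse_presentation(line)
        if fptype not in FPTYPES:          # unknown hash: the record cannot be checked
            continue
        if (alg, fptype, fp) == sshfp_rdata(key_line, fptype):
            matched = True
    if not matched:
        return "no-match"
    return "trusted" if dnssec_validated else "ask"


def _ssh_string(b):
    return len(b).to_bytes(4, "big") + b

# Constructed sample, not a real key: an RFC 4253 ssh-rsa blob is
# string("ssh-rsa") || mpint e || mpint n; the modulus bytes here are filler.
SAMPLE_BLOB = (_ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01")
               + _ssh_string(b"\x00\xc3" + bytes(range(62))))
SAMPLE_KNOWN_HOSTS = "qemfd.net ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode()

if __name__ == "__main__":
    alg, fptype, fp = sshfp_rdata(SAMPLE_KNOWN_HOSTS)
    print("qemfd.net IN SSHFP", present(alg, fptype, fp))
    print(verify_host_key(SAMPLE_KNOWN_HOSTS, [present(alg, fptype, fp)], dnssec_validated=False))
```

Feed sshfp_rdata a line from ~/.ssh/known_hosts and present() the result to get exactly the dig +short form shown earlier; decode_wire is what you would apply to the raw rdata of a DNS answer before comparing.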
Use with djbdns
- Use the generic record format, :fqdn:n:rdata:ttl:timestamp:lo (see http://cr.yp.to/djbdns/tinydns-data.html)
- Sample zone data file entry:
:qemfd.net:44:\001\001\046\046\247\112\034\102\301\132\323\035\240\356\030\171\222\140\154\341\065\340:
- The following Perl script (courtesy of Henning Brauer) writes a djbdns record for the RSA host key at /etc/ssh/ssh_host_rsa_key.pub to stdout (it should be trivial to use ssh-keyscan instead); invoke it with the desired FQDN as its single argument. Every rdata byte is emitted as an octal escape, which also takes care of the ':' byte that tinydns-data would otherwise read as a field separator:
<pre>
#!/usr/bin/perl
use strict;
use warnings;

# Emit a tinydns-data generic record (type 44) for the local RSA host key.
# Usage: script.pl fqdn
open IN, "ssh-keygen -f /etc/ssh/ssh_host_rsa_key.pub -r $ARGV[0] |"
    or die "ssh-keygen: $!";
my $FP = <IN>;
close IN;
chomp $FP;
# ssh-keygen -r prints: host IN SSHFP alg fptype hexfingerprint
my ($host, $in, $sshfp, $alg, $fptype, $fp) = split " ", $FP;
# tinydns rdata: one \ooo octal escape per byte, algorithm and fp type first
my $out = sprintf("\\%03o\\%03o", $alg, $fptype);
for (my $i = 0; $i < length($fp); $i += 2) {
    $out .= sprintf("\\%03o", hex substr($fp, $i, 2));
}
printf(":%s:44:%s:\n", $host, $out);
</pre>
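As an added example (not the page's or Henning Brauer's code), the same tinydns-data encoding in Python, extended to handle every line of ssh-keygen -r output rather than only the first, to take an optional TTL, and to read a generic record back so the zone file can be checked against the original fingerprint. The input is the ssh-keygen -r output shown on this page, embedded as a constant; the generated first line must equal the sample zone entry above.

```python
# Constructed input: the ssh-keygen -r output shown on this page.
KEYGEN_OUTPUT = """\
qemfd.net IN SSHFP 1 1 2626a74a1c42c15ad31da0ee187992606ce135e0
qemfd.net IN SSHFP 2 1 4193db02ecc3acd85f9abbaf71c8945ebe7f6067
"""

SSHFP_RRTYPE = 44


def tinydns_escape(data):
    """Write every byte as a tinydns-data octal escape (\\ooo).

    tinydns-data only requires ':' (\\072), '\\' and non-printable bytes to
    be escaped, but escaping everything keeps the rdata field unambiguous.
    """
    return "".join("\\%03o" % b for b in data)


def tinydns_unescape(text):
    """Inverse of tinydns_escape, also accepting unescaped printable bytes."""
    out = bytearray()
    i = 0
    while i < len(text):
        if text[i] == "\\":
            out.append(int(text[i + 1:i + 4], 8))
            i += 4
        else:
            out.append(ord(text[i]))
            i += 1
    return bytes(out)


def parse_keygen_rr(line):
    """Parse 'host IN SSHFP alg fptype hex' as printed by ssh-keygen -r."""
    host, _, rrtype, alg, fptype, fphex = line.split()
    if rrtype.upper() != "SSHFP":
        raise ValueError("not an SSHFP record: %r" % line)
    return host, int(alg), int(fptype), bytes.fromhex(fphex)


def tinydns_sshfp_line(host, alg, fptype, fp, ttl=None):
    """Generic tinydns-data record ':fqdn:44:rdata:ttl' for one SSHFP RR."""
    rdata = bytes([alg, fptype]) + fp
    line = ":%s:%d:%s:" % (host, SSHFP_RRTYPE, tinydns_escape(rdata))
    if ttl is not None:
        line += str(ttl)
    return line


def tinydns_sshfp_lines(keygen_output, ttl=None):
    """Convert every record in ssh-keygen -r output (RSA and DSS alike)."""
    return [tinydns_sshfp_line(*parse_keygen_rr(l), ttl=ttl)
            for l in keygen_output.splitlines() if l.strip()]


def parse_tinydns_sshfp(line):
    """Read back a generic record; rdata holds no literal ':' so split is safe."""
    fields = line.split(":")
    if fields[0] != "" or int(fields[2]) != SSHFP_RRTYPE:
        raise ValueError("not a generic SSHFP record: %r" % line)
    rdata = tinydns_unescape(fields[3])
    return fields[1], rdata[0], rdata[1], rdata[2:]


if __name__ == "__main__":
    for line in tinydns_sshfp_lines(KEYGEN_OUTPUT, ttl=3600):
        print(line)
```

Pipe the real ssh-keygen -r output in place of KEYGEN_OUTPUT to append both the RSA and the DSS record to the tinydns data file; parse_tinydns_sshfp on the resulting lines is a cheap check that what went into the zone is the fingerprint you meant to publish.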