From lathama

Use DNS SSHFP Resource Record

By default SSH prompts the user when it connects to a host whose key is not yet in known_hosts. Many users simply type "yes" and the key is saved without ever being checked, which is exactly the moment a man-in-the-middle can substitute a key. Instead, the host key can be validated against SSHFP records published in DNS (RFC 4255), which is fast and fun. One caveat: OpenSSH only trusts a DNS fingerprint without prompting when the answer is DNSSEC-validated (the resolver sets the AD bit); an unsigned answer is treated as if VerifyHostKeyDNS were set to ask, so ssh still prompts but reports that a matching fingerprint was found in DNS.

Example Setup

At the bottom of the OpenSSH client config at /etc/ssh/ssh_config (or per user in ~/.ssh/config) add the following

VerifyHostKeyDNS yes

On the target host whose host keys you want to trust, run ssh-keygen -r with the host's name. It prints one SSHFP record per host key and fingerprint type. The first number is the key algorithm (1 = RSA, 2 = DSA, 3 = ECDSA, 4 = Ed25519) and the second is the fingerprint type (1 = SHA-1, 2 = SHA-256); the hex string is the hash of the raw public key blob.

$ ssh-keygen -r
IN SSHFP 1 1 d6e3140f7bd5bcc1818033f36d099e1d816e3028
IN SSHFP 1 2 1b176aa089c687e522a8910537633ceb14ccffbc867941df327c480f0fa42e13
IN SSHFP 3 1 a800d2366f21b4debb46cd5adc9d21c5ee18df2a
IN SSHFP 3 2 9b4cc3d674d39d694e9f6fd87f726674542cc2f9af58f9066e837476493dc689
IN SSHFP 4 1 d0beecedb5eae665495320260360597267375f6c
IN SSHFP 4 2 020f5a2a45d8fd25ff52dbde87c0360437ed3c3a899c09fd319a6a3d9f9dddad

Add these records to the DNS zone for the name you will use to SSH to the host (the zone should be DNSSEC-signed for the prompt to go away, see above). Then confirm that they are served, with dig. Note that dig wraps the longer SHA-256 hex with a space; that is display formatting only, not part of the record.

$ dig +short SSHFP
1 1 D6E3140F7BD5BCC1818033F36D099E1D816E3028
1 2 1B176AA089C687E522A8910537633CEB14CCFFBC867941DF327C480F 0FA42E13
3 1 A800D2366F21B4DEBB46CD5ADC9D21C5EE18DF2A
3 2 9B4CC3D674D39D694E9F6FD87F726674542CC2F9AF58F9066E837476 493DC689
4 1 D0BEECEDB5EAE665495320260360597267375F6C
4 2 020F5A2A45D8FD25FF52DBDE87C0360437ED3C3A899C09FD319A6A3D 9F9DDDAD

Then remove any existing known_hosts entry for the host with ssh-keygen -R followed by the host name, so the next connection has to rely on DNS rather than a previously accepted key.

$ ssh-keygen -R

Everything should now be in place, so test it. If the fingerprint was found and validated, the command runs without a host key prompt.

$ ssh "uptime"
17:04:51 up 6 days, 18:56,  1 user,  load average: 0.00, 0.00, 0.00

To double check, remove the entry again and connect once more.

$ ssh-keygen -R
Host not found in /home/lathama/.ssh/known_hosts
$ ssh "uptime"
17:04:51 up 6 days, 18:56,  1 user,  load average: 0.00, 0.00, 0.00
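The procedure above depends on two things being right: the SSHFP records generated on the host, and the records actually served by DNS. The following script, an added example and not code from this page's author, reimplements what ssh-keygen -r computes (the SHA-1 and SHA-256 hash of the base64-decoded key blob, tagged with the RFC 4255/6594/7479 algorithm and fingerprint type numbers) and compares it against dig +short SSHFP output, undoing dig's hex wrapping. The two host keys it uses are constructed in valid wire format for the demonstration and are not real keypairs; the host name host.example. is a placeholder.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479), keyed by the key type
# string that begins both the public key line and the key's SSH wire blob.
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}

# SSHFP fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594).
SSHFP_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string': uint32 big-endian length, then bytes."""
    return struct.pack(">I", len(data)) + data


def sshfp_records(pubkey_line: str):
    """Compute the SSHFP RDATA that 'ssh-keygen -r' prints for one public key
    line (the format of /etc/ssh/ssh_host_*_key.pub). Each fingerprint is the
    hash of the raw base64-decoded key blob; returns a list of
    (algorithm, fptype, lowercase hex) tuples, one per fingerprint type."""
    fields = pubkey_line.split()
    keytype, blob = fields[0], base64.b64decode(fields[1])
    (tlen,) = struct.unpack_from(">I", blob)          # first wire string = key type
    if blob[4:4 + tlen] != keytype.encode():
        raise ValueError("key type prefix does not match the wire blob")
    alg = SSHFP_ALGORITHMS[keytype]
    return [(alg, fptype, h(blob).hexdigest()) for fptype, h in SSHFP_HASHES.items()]


def parse_dig_sshfp(text: str):
    """Parse 'dig +short SSHFP' output into a set of (alg, fptype, hex).
    dig wraps long hex RDATA with a space (as in the output on this page),
    so everything after the two numeric fields is joined before comparing."""
    records = set()
    for line in text.strip().splitlines():
        alg, fptype, *hexparts = line.split()
        records.add((int(alg), int(fptype), "".join(hexparts).lower()))
    return records


def format_as_dig(records):
    """Render records the way 'dig +short' prints them: upper-case hex, with a
    space after 56 hex characters for the longer SHA-256 entries."""
    lines = []
    for alg, fptype, hexfp in sorted(records):
        hexfp = hexfp.upper()
        if len(hexfp) > 56:
            hexfp = hexfp[:56] + " " + hexfp[56:]
        lines.append(f"{alg} {fptype} {hexfp}")
    return "\n".join(lines)


def verify_sshfp(pubkey_lines, dig_output: str):
    """Compare the records a host's public keys should produce against what
    DNS actually serves. Returns (matched, missing, unexpected) as sets."""
    expected = {rec for line in pubkey_lines for rec in sshfp_records(line)}
    published = parse_dig_sshfp(dig_output)
    return expected & published, expected - published, published - expected


# Constructed sample host keys (valid wire format, NOT real keypairs): an
# Ed25519 key with a fixed 32-byte point and an RSA key with e=65537 and a
# fixed 256-bit modulus, each base64-encoded like a ssh_host_*_key.pub line.
SAMPLE_ED25519 = "ssh-ed25519 " + base64.b64encode(
    ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))).decode() + " sample"
SAMPLE_RSA = "ssh-rsa " + base64.b64encode(
    ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01")
    + ssh_string(b"\x00" + b"\xab" * 32)).decode() + " sample"


def demo():
    """Correct DNS data matches cleanly; one altered hex digit in the served
    Ed25519 SHA-256 record shows up as one missing and one unexpected record."""
    keys = [SAMPLE_ED25519, SAMPLE_RSA]
    good = format_as_dig({r for k in keys for r in sshfp_records(k)})
    _, missing, unexpected = verify_sshfp(keys, good)
    clean = not missing and not unexpected
    tampered = good[:-1] + ("0" if good[-1] != "0" else "1")  # flip last hex digit
    _, missing, unexpected = verify_sshfp(keys, tampered)
    return clean, len(missing), len(unexpected)


if __name__ == "__main__":
    for line in (SAMPLE_ED25519, SAMPLE_RSA):
        for alg, fptype, hexfp in sshfp_records(line):
            print(f"host.example. IN SSHFP {alg} {fptype} {hexfp}")
    print(demo())
```

To use it against a real host, feed verify_sshfp the contents of the host's /etc/ssh/ssh_host_*_key.pub files (copied out of band) and the captured dig +short output for its name; any record in "missing" is a key DNS does not vouch for, and any in "unexpected" is a published fingerprint that no key on the host matches, which is worth investigating before trusting the zone.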
