1124208SdesHow to verify host keys using OpenSSH and DNS 2124208Sdes--------------------------------------------- 3124208Sdes 4126274SdesOpenSSH contains support for verifying host keys using DNS as described in 5126274Sdesdraft-ietf-secsh-dns-05.txt. The document contains very brief instructions 6126274Sdeson how to use this feature. Configuring DNS is out of the scope of this 7126274Sdesdocument. 8124208Sdes 9124208Sdes 10126274Sdes(1) Server: Generate and publish the DNS RR 11124208Sdes 12124208SdesTo create a DNS resource record (RR) containing a fingerprint of the 13124208Sdespublic host key, use the following command: 14124208Sdes 15124208Sdes ssh-keygen -r hostname -f keyfile -g 16124208Sdes 17124208Sdeswhere "hostname" is your fully qualified hostname and "keyfile" is the 18124208Sdesfile containing the public host key file. If you have multiple keys, 19124208Sdesyou should generate one RR for each key. 20124208Sdes 21124208SdesIn the example above, ssh-keygen will print the fingerprint in a 22124208Sdesgeneric DNS RR format parsable by most modern name server 23126274Sdesimplementations. If your nameserver has support for the SSHFP RR 24126274Sdesyou can omit the -g flag and ssh-keygen will print a standard SSHFP RR. 25124208Sdes 26124208SdesTo publish the fingerprint using the DNS you must add the generated RR 27124208Sdesto your DNS zone file and sign your zone. 28124208Sdes 29124208Sdes 30126274Sdes(2) Client: Enable ssh to verify host keys using DNS 31124208Sdes 32124208SdesTo enable the ssh client to verify host keys using DNS, you have to 33124208Sdesadd the following option to the ssh configuration file 34124208Sdes($HOME/.ssh/config or /etc/ssh/ssh_config): 35124208Sdes 36124208Sdes VerifyHostKeyDNS yes 37124208Sdes 38124208SdesUpon connection the client will try to look up the fingerprint RR 39124208Sdesusing DNS. If the fingerprint received from the DNS server matches 40124208Sdesthe remote host key, the user will be notified. 41124208Sdes 42124208Sdes 43124208Sdes Jakob Schlyter 44124208Sdes Wesley Griffin 45124208Sdes 46124208Sdes 47126274Sdes$OpenBSD: README.dns,v 1.2 2003/10/14 19:43:23 jakob Exp $ 48