SSH Option VerifyHostKeyDNS
Every time when a new SSH connection is established, the software asks for the fingerprint of the public key from the server.
This can be automated by a feature of OpenSSH and DNS.
Requirement: min. OpenSSh 3.4 or above Min. BIND 9.3.0 or above
First you have to generate a server key, if it is not yet made, normally made during installation process.
Or check the key:
#ssh-keygen ?r hostname -f filename
ssh-keygen ?r host ?f /etc/ssh/ssh_host_dsa_key
You need this key in the BIND configuration best made with copy and paste.
The entry should look like:
host.example. IN A IP-Address IN SSHFP 1 1 123456789abcdef67890123456789abcdef67890 IN SSHFP 2 1 123456789abcdef67890123456789abcdef67890
For testing if DNS answers SSHFP requests:
# dig ?t SSHFP host.example.com
To make a connection to the server there are two options:
#ssh -o "VerifyHostKeyDNS ask" host.example.com
The user would be asked: yes or no.
Another option without asking, when the key is correct:
# ssh -o "VerifyHostKeyDNS yes" host.example.com
The option VerifyHostKeyDNS could be set in the global setting of the configuration file of the ssh_config.