SSH Option VerifyHostKeyDNS



Each time a new SSH connection is established to a host whose key is not yet known, ssh asks the user to confirm the fingerprint of the server's public host key.

This check can be automated with a feature of OpenSSH and DNS: the fingerprint is published in DNS as an SSHFP record and ssh compares the server's key against it.

Requirements: OpenSSH 3.4 or later
BIND 9.3.0 or later

First you need a server host key. If none exists yet, generate one; normally it is created during the installation process.

Then print the SSHFP record for the host key with ssh-keygen -r (the key is read from the given file):

# ssh-keygen -r hostname -f filename

For example:

# ssh-keygen -r host -f /etc/ssh/ssh_host_dsa_key

The printed record has to go into the zone file of the BIND configuration; copy and paste is the easiest way.

The zone entry should look like this (the fingerprints below are placeholders, not real values):

host.example.   IN A      IP-Address
                IN SSHFP  1 1 123456789abcdef67890123456789abcdef67890
                IN SSHFP  2 1 123456789abcdef67890123456789abcdef67890

To test whether the DNS server answers SSHFP queries:

# dig -t SSHFP hostname

To connect to the server there are two options:

# ssh -o "VerifyHostKeyDNS ask" hostname

The user is shown the DNS result and asked to answer yes or no.

The other option connects without asking when the key matches the DNS record:

# ssh -o "VerifyHostKeyDNS yes" hostname

Instead of passing it on the command line, the option VerifyHostKeyDNS can be set globally in the ssh_config configuration file.
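The following Python script is an added example, not part of the original post and not OpenSSH code. It shows what ssh-keygen -r produces and what the client does with VerifyHostKeyDNS: it builds SSHFP zone-file lines (algorithm number, fingerprint type, hex digest of the raw public-key blob) from an OpenSSH public-key line, and it checks a presented host key against a set of SSHFP records. The Ed25519 key material, the hostname host.example. and the comment string are constructed sample values; the function and constant names are this example's own.

```python
import base64
import hashlib
import hmac
import struct

# SSHFP algorithm numbers as registered for the record type.
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}

# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256.
SSHFP_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length + payload)."""
    return struct.pack(">I", len(data)) + data


def _first_ssh_string(blob: bytes) -> str:
    """Decode the first SSH wire-format string of a key blob (its key type)."""
    (length,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + length].decode()


def make_public_key_line(key_type: str, raw_key: bytes, comment: str) -> str:
    """Build an OpenSSH public-key line '<type> <base64 blob> <comment>'.

    Used here only to construct sample input; on a real host the line
    comes from /etc/ssh/ssh_host_*_key.pub.
    """
    blob = _ssh_string(key_type.encode()) + _ssh_string(raw_key)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"


def sshfp_records(hostname: str, pubkey_line: str, fptypes=(1, 2)) -> list:
    """Return SSHFP zone-file lines for a public key, like 'ssh-keygen -r'.

    The fingerprint is the hash of the raw key blob, i.e. of the
    base64-decoded part of the public-key line.
    """
    key_type, b64, *_ = pubkey_line.split()
    blob = base64.b64decode(b64)
    if _first_ssh_string(blob) != key_type:
        raise ValueError("key type in blob does not match the line prefix")
    algorithm = SSHFP_ALGORITHMS[key_type]
    return [
        f"{hostname} IN SSHFP {algorithm} {fptype} "
        f"{SSHFP_HASHES[fptype](blob).hexdigest()}"
        for fptype in fptypes
    ]


def parse_sshfp(record: str):
    """Parse 'host IN SSHFP <alg> <fptype> <hex>' into (alg, fptype, hex)."""
    fields = record.split()
    idx = fields.index("SSHFP")
    return int(fields[idx + 1]), int(fields[idx + 2]), fields[idx + 3].lower()


def verify_host_key(pubkey_line: str, records) -> bool:
    """Mimic the VerifyHostKeyDNS comparison.

    Returns True if any SSHFP record matches the presented key; records
    with an unknown algorithm or fingerprint type are ignored.
    """
    key_type, b64, *_ = pubkey_line.split()
    blob = base64.b64decode(b64)
    algorithm = SSHFP_ALGORITHMS.get(key_type)
    for alg, fptype, fp_hex in map(parse_sshfp, records):
        if alg != algorithm or fptype not in SSHFP_HASHES:
            continue
        digest = SSHFP_HASHES[fptype](blob).hexdigest()
        if hmac.compare_digest(digest, fp_hex):
            return True
    return False


# Constructed sample host key (not a real key): 32 arbitrary bytes as Ed25519 material.
SAMPLE_HOST_KEY = make_public_key_line("ssh-ed25519", bytes(range(32)), "constructed-sample")

if __name__ == "__main__":
    records = sshfp_records("host.example.", SAMPLE_HOST_KEY)
    print("\n".join(records))
    print("match:", verify_host_key(SAMPLE_HOST_KEY, records))
```

One caveat the script cannot show: ssh only treats a DNS fingerprint as trustworthy when the answer is DNSSEC-validated. With VerifyHostKeyDNS set to yes, a matching but unvalidated (insecure) answer is handled as if the option were set to ask, so the resolver on the client has to perform DNSSEC validation for the silent case to work.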

Manual pages: ssh-keygen(1), ssh(1), ssh_config(5)
First seen in German MISC Magazin
