SSH Option VerifyHostKeyDNS

By: stajta

November 16, 2006 12:00 am

Every time a new SSH connection is made to a host whose key is not yet known, the client asks the user to confirm the fingerprint of the server's public host key.


This check can be automated with a feature of OpenSSH and DNS: SSHFP resource records.

Requirements: OpenSSH 3.4 or later
BIND 9.3.0 or later

First, generate a server host key if one does not exist yet; normally this is done during installation.

Or print the SSHFP record for an existing key:

# ssh-keygen -r hostname -f filename

For example:

# ssh-keygen -r host -f /etc/ssh/ssh_host_dsa_key

Copy and paste the printed record into the BIND zone file.

The entry should look like this (the SSHFP lines start with whitespace so they inherit the owner name of the A record):

host.example. IN A IP-Address
              IN SSHFP 1 1 123456789abcdef67890123456789abcdef67890
              IN SSHFP 2 1 123456789abcdef67890123456789abcdef67890

To test whether the DNS server answers SSHFP queries:

# dig -t SSHFP host.example.

To connect to the server there are two options:

# ssh -o "VerifyHostKeyDNS ask" host.example

The user is still asked to answer yes or no, but ssh reports whether the fingerprint matches the SSHFP record found in DNS.

The other option skips the question when the key matches the DNS record:

# ssh -o "VerifyHostKeyDNS yes" host.example

The option VerifyHostKeyDNS can also be set in the global ssh_config file so that it applies to every connection.
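The following Python script is an added example, not code from the original post and not part of OpenSSH. It builds the SSHFP records for an OpenSSH public key line (the hash is taken over the base64-decoded key blob, which is what ssh-keygen -r does) and then models the decision ssh makes for VerifyHostKeyDNS ask and yes. The owner name host.example., the constructed ssh-ed25519 key bytes (not a real key pair), and the shape of the simulated DNS answer are assumptions made for this example; the decision function is modelled on OpenSSH's host key check and simplified.

```python
"""Build SSHFP records from an OpenSSH public key line and model how
VerifyHostKeyDNS reacts to a DNS answer. Added example, not OpenSSH code."""
import base64
import hashlib
import struct

# SSHFP "algorithm" field (RFC 4255, RFC 6594, RFC 7479) by OpenSSH key type.
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP "fingerprint type" field: 1 = SHA-1 (the type used in the post), 2 = SHA-256.
SSHFP_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}


def parse_pubkey_line(line):
    """Return (key_type, blob) from an OpenSSH 'type base64 [comment]' line.
    The SSHFP fingerprint is a hash over the decoded blob, the same bytes the
    server sends during key exchange."""
    key_type, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    (n,) = struct.unpack(">I", blob[:4])  # blob starts with a length-prefixed type string
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type inside blob does not match the line")
    if key_type not in SSHFP_ALGORITHM:
        raise ValueError(f"no SSHFP algorithm number for {key_type}")
    return key_type, blob


def sshfp_records(owner, line):
    """Return SHA-1 and SHA-256 SSHFP RRs for one key, in zone-file layout."""
    key_type, blob = parse_pubkey_line(line)
    alg = SSHFP_ALGORITHM[key_type]
    return [f"{owner} IN SSHFP {alg} {fptype} {h(blob).hexdigest()}"
            for fptype, h in sorted(SSHFP_HASHES.items())]


def dns_verdict(presented_line, answer, mode):
    """Simplified model of ssh's use of an SSHFP answer (not the real code).

    presented_line: host key offered by the server, as a public key line.
    answer: {"secure": bool, "records": [(alg, fptype, hexfp), ...]}; "secure"
            stands for the AD bit a validating resolver sets on a DNSSEC-signed answer.
    mode: the VerifyHostKeyDNS value, "ask" or "yes".

    Returns "no-record" (usual fingerprint prompt), "mismatch" (records exist
    but none matches: treated like a changed key), "prompt" (a record matches
    but the user is still asked) or "accept" (mode yes, match, validated answer).
    """
    key_type, blob = parse_pubkey_line(presented_line)
    alg = SSHFP_ALGORITHM[key_type]
    if not answer["records"]:
        return "no-record"
    match = any(
        r_alg == alg and fptype in SSHFP_HASHES
        and SSHFP_HASHES[fptype](blob).hexdigest() == hexfp.lower()
        for r_alg, fptype, hexfp in answer["records"]
    )
    if not match:
        return "mismatch"
    if mode == "yes" and answer["secure"]:
        return "accept"
    return "prompt"


def constructed_pubkey_line(first_byte=0x42):
    """Wire-format-correct ssh-ed25519 public key line built from constructed
    bytes. NOT a real key pair; sample input for this example only."""
    pub = bytes((first_byte + i) % 256 for i in range(32))
    blob = (struct.pack(">I", len(b"ssh-ed25519")) + b"ssh-ed25519"
            + struct.pack(">I", len(pub)) + pub)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"


if __name__ == "__main__":
    line = constructed_pubkey_line()
    records = sshfp_records("host.example.", line)
    print("\n".join(records))  # what would be pasted into the zone file
    # Simulated DNS answers: the SHA-256 record, once validated and once not.
    rrs = [(4, 2, records[1].split()[-1])]
    print("yes, validated  :", dns_verdict(line, {"secure": True, "records": rrs}, "yes"))
    print("yes, unvalidated:", dns_verdict(line, {"secure": False, "records": rrs}, "yes"))
    print("ask, validated  :", dns_verdict(line, {"secure": True, "records": rrs}, "ask"))
    print("other key       :", dns_verdict(constructed_pubkey_line(0x99),
                                           {"secure": True, "records": rrs}, "yes"))
```

The point the model makes visible: VerifyHostKeyDNS yes only skips the prompt when the resolver reports the answer as DNSSEC-validated; an SSHFP record served from an unsigned zone, or through a resolver that does not validate, still leaves the user with the fingerprint question. When checking the record with dig, add +dnssec and look for the ad flag in the answer header to see whether that condition is met.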

Manual pages: ssh-keygen(1), ssh(1), ssh_config(5)
First seen in the German MISC Magazin


Disclaimer: As with everything else in the SUSE Blog, this content is definitely not supported by SUSE (so don't even think of calling Support if you try something and it blows up).  It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.