SUSE Conversations


SSH Option VerifyHostKeyDNS



By: stajta

November 16, 2006 12:00 am


Problem:

Every time a new SSH connection is made to a host, the client asks the user to confirm the fingerprint of the server's host key.

Solution:

This can be automated with a feature of OpenSSH and DNS: the host key fingerprint is published in an SSHFP resource record.

Requirements: OpenSSH 3.4 or later; BIND 9.3.0 or later.

First generate a server host key if one does not exist yet (normally this is done during installation).

Then print the SSHFP records for the key:

# ssh-keygen -r hostname -f filename

Example:

# ssh-keygen -r host -f /etc/ssh/ssh_host_dsa_key

Paste the printed SSHFP records into the BIND zone file for the host.

The entry should look like:

host.example. IN A IP-Address
IN SSHFP 1 1 123456789abcdef67890123456789abcdef67890
IN SSHFP 2 1 123456789abcdef67890123456789abcdef67890

To test whether DNS answers SSHFP queries:

# dig -t SSHFP host.example.com

To connect to the server there are two options:

# ssh -o "VerifyHostKeyDNS ask" host.example.com

The user is shown the result of the DNS check and asked to confirm with yes or no.

The other option connects without asking when the key matches the published fingerprint:

# ssh -o "VerifyHostKeyDNS yes" host.example.com

The option VerifyHostKeyDNS can also be set globally in the ssh_config configuration file.
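What ssh-keygen -r prints, and what the client compares when VerifyHostKeyDNS is set, is defined in RFC 4255: the SSHFP rdata carries a key algorithm number, a fingerprint type, and a hash over the raw public-key blob (the base64 part of the OpenSSH public-key line). The following Python is an added example, not code from this article or from OpenSSH. It builds a constructed, non-functional public-key line, emits the matching SSHFP records in zone-file form, and performs the same comparison the client makes between a presented host key and a record from DNS. The hostname host.example.com., the demo key bytes and the function names are assumptions for the example; the algorithm and fingerprint-type numbers are from RFC 4255, RFC 6594 and RFC 7479.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255; ECDSA from RFC 6594, Ed25519 from RFC 7479)
KEY_TYPE_TO_ALGO = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}

# SSHFP fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594)
FP_TYPE_TO_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


def parse_pubkey_line(line):
    """Split an OpenSSH public-key line into (key type, raw key blob)."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public-key line")
    key_type, b64 = fields[0], fields[1]
    blob = base64.b64decode(b64)
    # The blob begins with a length-prefixed copy of the key type; it must agree
    # with the text prefix, otherwise the line has been mangled.
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len].decode() != key_type:
        raise ValueError("key type in blob does not match prefix")
    return key_type, blob


def sshfp_records(hostname, pubkey_line, fp_types=(1, 2)):
    """Return zone-file SSHFP records for this key (what ssh-keygen -r prints)."""
    key_type, blob = parse_pubkey_line(pubkey_line)
    algo = KEY_TYPE_TO_ALGO[key_type]
    records = []
    for fp_type in fp_types:
        # The fingerprint is the hash of the whole key blob, not of the base64 text.
        digest = FP_TYPE_TO_HASH[fp_type](blob).hexdigest()
        records.append(f"{hostname} IN SSHFP {algo} {fp_type} {digest}")
    return records


def verify_against_sshfp(pubkey_line, rdata):
    """Compare a presented host key with one SSHFP rdata string 'algo fptype hex'.

    Returns True only when algorithm, fingerprint type and digest all match.
    """
    algo_s, fp_type_s, hexfp = rdata.split()
    algo, fp_type = int(algo_s), int(fp_type_s)
    key_type, blob = parse_pubkey_line(pubkey_line)
    if KEY_TYPE_TO_ALGO.get(key_type) != algo:
        return False
    hasher = FP_TYPE_TO_HASH.get(fp_type)
    if hasher is None:
        return False  # unknown fingerprint type: treat as no match
    return hasher(blob).hexdigest() == hexfp.lower()


def make_demo_pubkey_line(key_type="ssh-ed25519", key_bytes=bytes(range(32))):
    """Build a constructed OpenSSH public-key line in wire format.

    The key material is a fixed byte pattern, NOT a usable key; it exists only
    so the hashing and record formatting can be demonstrated offline.
    """
    def ssh_string(b):
        return struct.pack(">I", len(b)) + b

    blob = ssh_string(key_type.encode()) + ssh_string(key_bytes)
    return f"{key_type} {base64.b64encode(blob).decode()} demo@example"


if __name__ == "__main__":
    line = make_demo_pubkey_line()
    recs = sshfp_records("host.example.com.", line)
    for rec in recs:
        print(rec)
    # Simulate the client side: rdata is the part after "IN SSHFP".
    rdata = " ".join(recs[0].split()[3:])
    print("match:", verify_against_sshfp(line, rdata))
```

Note that the match alone is not enough for the "yes" setting to skip the prompt: ssh_config(5) states that a matching fingerprint is accepted silently only when the resolver reports the DNS answer as validated by DNSSEC, and an unvalidated answer is handled as if VerifyHostKeyDNS were "ask". A practitioner should therefore confirm that the zone is signed and that the client's resolver validates before relying on this.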

Sources:
Manual pages: ssh-keygen(1), ssh(1), ssh_config(5)
First seen in the German MISC Magazin, http://www.miscmag.com/
RFC 4255, http://www.ietf.org/rfc/rfc4255.txt
