[ale] Using SSHFP resource records
Stephen Cristol
stephen at bee.net
Sun Sep 14 13:17:31 EDT 2008
Can anyone provide guidance in setting up SSHFP resource records?
This seemed like a simple thing to do, but I can't get it to work.
I'm experimenting with two CentOS 5.2 boxes ("server", "local");
"server" has the BIND 9.3.4 name server running.
[server]$ cd /etc/ssh
[server]$ ssh-keygen -r server.home.lan -f ssh_host_rsa_key.pub
server.home.lan IN SSHFP 1 1 7d039453c6a636b2f00506b72f402b777ac4860f
[server]$ ssh-keygen -l -f ssh_host_rsa_key.pub
2048 1e:97:48:ee:f2:8b:40:7d:c1:28:7c:8e:75:e4:70:c1 ssh_host_rsa_key.pub
[server]$
I've placed the SSHFP record generated by "ssh-keygen -r" in my DNS.
I think that was done correctly since I can retrieve the record on
"local":
[local]$ host -t sshfp server
server.home.lan has SSHFP record 1 1 7D039453C6A636B2F00506B72F402B777AC4860F
[local]$
I deleted the "server" entry in my known_hosts file and tried to
connect via ssh (OpenSSH_4.3p2) with DNS host key verification:
[local]$ ssh -o 'VerifyHostKeyDNS ask' server
The authenticity of host 'server (192.168.2.1)' can't be established.
RSA key fingerprint is 1e:97:48:ee:f2:8b:40:7d:c1:28:7c:8e:75:e4:70:c1.
No matching host key fingerprint found in DNS.
Are you sure you want to continue connecting (yes/no)? no
Host key verification failed.
[local]$
The fingerprint of the host key presented matches the fingerprint
computed on "server" with "ssh-keygen -l" (above).
Thanks,
S
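As an added illustration (not part of the original post), this Python sketch shows how the SSHFP value above is derived and how a client compares a presented key with DNS records: per RFC 4255 the type-1 fingerprint is SHA-1 over the raw public key blob, while the colon-separated fingerprint "ssh-keygen -l" prints on OpenSSH 4.x is MD5 over the same blob, which is why the two values in the post look unrelated. The sample key is constructed, and the algorithm numbers 3 and 4 and the SHA-256 fingerprint type come from the later RFC 6594 and RFC 7479, going beyond what the post uses.

```python
import base64
import hashlib

# RFC 4255 algorithm numbers (1, 2) plus the later RFC 6594/7479 additions (3, 4).
KEY_ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                  "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
                  "ssh-ed25519": 4}
# RFC 4255 fingerprint type 1 is SHA-1; RFC 6594 added type 2 (SHA-256).
FP_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}

def key_blob(pubkey_line):
    """Return (algorithm number, raw key blob) from an OpenSSH public key line."""
    keytype, b64 = pubkey_line.split()[:2]
    return KEY_ALGORITHMS[keytype], base64.b64decode(b64)

def sshfp_fingerprint(blob, fptype=1):
    """Hash the raw key blob; SSHFP hashes the blob itself, not its base64 text."""
    return FP_HASHES[fptype](blob).hexdigest()

def sshfp_record(owner, pubkey_line, fptype=1):
    """Build the zone-file line that 'ssh-keygen -r' prints for this key."""
    alg, blob = key_blob(pubkey_line)
    return f"{owner} IN SSHFP {alg} {fptype} {sshfp_fingerprint(blob, fptype)}"

def md5_fingerprint(blob):
    """The colon-separated MD5 fingerprint 'ssh-keygen -l' printed in OpenSSH 4.x."""
    h = hashlib.md5(blob).hexdigest()
    return ":".join(h[i:i + 2] for i in range(0, 32, 2))

def matches_dns(pubkey_line, rrset):
    """Check a presented host key against (alg, fptype, hex) tuples from DNS.
    A record counts only if its algorithm matches the key, its fingerprint
    type is one we know, and the hash agrees; hex case is ignored."""
    alg, blob = key_blob(pubkey_line)
    for rr_alg, rr_fptype, rr_hex in rrset:
        if rr_alg != alg or rr_fptype not in FP_HASHES:
            continue
        if sshfp_fingerprint(blob, rr_fptype) == rr_hex.lower():
            return True
    return False

# Constructed sample key: a syntactically valid ssh-rsa blob (string type,
# mpint e, mpint n) with a tiny dummy modulus, built only as test input.
def _ssh_string(b):
    return len(b).to_bytes(4, "big") + b

SAMPLE_BLOB = (_ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01")
               + _ssh_string(b"\x00\xc3\x5f\xa1\x07\x9d\x21\x55"))
SAMPLE_PUBKEY = "ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode() + " root@server"

if __name__ == "__main__":
    print(sshfp_record("server.home.lan", SAMPLE_PUBKEY))
    print("ssh-keygen -l style MD5:", md5_fingerprint(SAMPLE_BLOB))
```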