diff options
author | Damien Miller <djm@mindrot.org> | 2003-05-15 10:19:46 +1000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2003-05-15 10:19:46 +1000 |
commit | 37876e913a069036501086a247ed2ea430cea206 (patch) | |
tree | 8294744f47011c82b63ec0b46f4449ff4f26ec7c /README.dns | |
parent | abbae980e7532da68e7f6aa1da716fb69e7521ad (diff) |
- jakob@cvs.openbsd.org 2003/05/14 18:16:20
[key.c key.h readconf.c readconf.h ssh_config.5 sshconnect.c]
[dns.c dns.h README.dns ssh-keygen.1 ssh-keygen.c]
add experimental support for verifying hos keys using DNS as described
in draft-ietf-secsh-dns-xx.txt. more information in README.dns.
ok markus@ and henning@
Diffstat (limited to 'README.dns')
-rw-r--r-- | README.dns | 55 |
1 files changed, 55 insertions, 0 deletions
diff --git a/README.dns b/README.dns new file mode 100644 index 000000000..d6889b9a5 --- /dev/null +++ b/README.dns | |||
@@ -0,0 +1,55 @@ | |||
1 | How to verify host keys using OpenSSH and DNS | ||
2 | --------------------------------------------- | ||
3 | |||
4 | OpenSSH contains experimental support for verifying host keys using DNS | ||
5 | as described in draft-ietf-secsh-dns-xx.txt. The document contains | ||
6 | very brief instructions on how to test this feature. Configuring DNS | ||
7 | and DNSSEC is out of the scope of this document. | ||
8 | |||
9 | |||
10 | (1) Enable DNS fingerprint support in OpenSSH | ||
11 | |||
12 | Edit /usr/src/usr.bin/ssh/Makefile.inc and uncomment the line containing | ||
13 | |||
14 | CFLAGS+= -DDNS | ||
15 | |||
16 | |||
17 | (2) Generate and publish the DNS RR | ||
18 | |||
19 | To create a DNS resource record (RR) containing a fingerprint of the | ||
20 | public host key, use the following command: | ||
21 | |||
22 | ssh-keygen -r hostname -f keyfile -g | ||
23 | |||
24 | where "hostname" is your fully qualified hostname and "keyfile" is the | ||
25 | file containing the public host key file. If you have multiple keys, | ||
26 | you should generate one RR for each key. | ||
27 | |||
28 | In the example above, ssh-keygen will print the fingerprint in a | ||
29 | generic DNS RR format parsable by most modern name server | ||
30 | implementations. If your nameserver has support for the SSHFP RR, as | ||
31 | defined by the draft, you can omit the -g flag and ssh-keygen will | ||
32 | print a standard RR. | ||
33 | |||
34 | To publish the fingerprint using the DNS you must add the generated RR | ||
35 | to your DNS zone file and sign your zone. | ||
36 | |||
37 | |||
38 | (3) Enable the ssh client to verify host keys using DNS | ||
39 | |||
40 | To enable the ssh client to verify host keys using DNS, you have to | ||
41 | add the following option to the ssh configuration file | ||
42 | ($HOME/.ssh/config or /etc/ssh/ssh_config): | ||
43 | |||
44 | VerifyHostKeyDNS yes | ||
45 | |||
46 | Upon connection the client will try to look up the fingerprint RR | ||
47 | using DNS. If the fingerprint received from the DNS server matches | ||
48 | the remote host key, the user will be notified. | ||
49 | |||
50 | |||
51 | Jakob Schlyter | ||
52 | Wesley Griffin | ||
53 | |||
54 | |||
55 | $OpenBSD: README.dns,v 1.1 2003/05/14 18:16:20 jakob Exp $ | ||