diff options
| author | Colin Watson <cjwatson@debian.org> | 2003-09-23 18:08:35 +0000 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2003-09-23 18:08:35 +0000 |
| commit | d59fd3e421aa81b8e5e118f3f806081df2aca879 (patch) | |
| tree | 356a4e607edc979c625bb33db63c656d771478bd /README.dns | |
| parent | 7505658c58e96b8d270f1928a0e1fa7f3e0c266b (diff) | |
| parent | 45431c9b4677608680cd071768cbf156b316a7e8 (diff) | |
Merge 3.7.1p2 to the trunk. I have absolutely no idea yet whether this will
work.
Diffstat (limited to 'README.dns')
| -rw-r--r-- | README.dns | 52 |
1 files changed, 52 insertions, 0 deletions
diff --git a/README.dns b/README.dns new file mode 100644 index 000000000..e24092e03 --- /dev/null +++ b/README.dns | |||
| @@ -0,0 +1,52 @@ | |||
| 1 | How to verify host keys using OpenSSH and DNS | ||
| 2 | --------------------------------------------- | ||
| 3 | |||
| 4 | OpenSSH contains experimental support for verifying host keys using DNS | ||
| 5 | as described in draft-ietf-secsh-dns-xx.txt. The document contains | ||
| 6 | very brief instructions on how to test this feature. Configuring DNS | ||
| 7 | and DNSSEC is out of the scope of this document. | ||
| 8 | |||
| 9 | |||
| 10 | (1) Enable DNS fingerprint support in OpenSSH | ||
| 11 | |||
| 12 | configure --with-dns | ||
| 13 | |||
| 14 | (2) Generate and publish the DNS RR | ||
| 15 | |||
| 16 | To create a DNS resource record (RR) containing a fingerprint of the | ||
| 17 | public host key, use the following command: | ||
| 18 | |||
| 19 | ssh-keygen -r hostname -f keyfile -g | ||
| 20 | |||
| 21 | where "hostname" is your fully qualified hostname and "keyfile" is the | ||
| 22 | file containing the public host key file. If you have multiple keys, | ||
| 23 | you should generate one RR for each key. | ||
| 24 | |||
| 25 | In the example above, ssh-keygen will print the fingerprint in a | ||
| 26 | generic DNS RR format parsable by most modern name server | ||
| 27 | implementations. If your nameserver has support for the SSHFP RR, as | ||
| 28 | defined by the draft, you can omit the -g flag and ssh-keygen will | ||
| 29 | print a standard RR. | ||
| 30 | |||
| 31 | To publish the fingerprint using the DNS you must add the generated RR | ||
| 32 | to your DNS zone file and sign your zone. | ||
| 33 | |||
| 34 | |||
| 35 | (3) Enable the ssh client to verify host keys using DNS | ||
| 36 | |||
| 37 | To enable the ssh client to verify host keys using DNS, you have to | ||
| 38 | add the following option to the ssh configuration file | ||
| 39 | ($HOME/.ssh/config or /etc/ssh/ssh_config): | ||
| 40 | |||
| 41 | VerifyHostKeyDNS yes | ||
| 42 | |||
| 43 | Upon connection the client will try to look up the fingerprint RR | ||
| 44 | using DNS. If the fingerprint received from the DNS server matches | ||
| 45 | the remote host key, the user will be notified. | ||
| 46 | |||
| 47 | |||
| 48 | Jakob Schlyter | ||
| 49 | Wesley Griffin | ||
| 50 | |||
| 51 | |||
| 52 | $OpenBSD: README.dns,v 1.1 2003/05/14 18:16:20 jakob Exp $ | ||