-rw-r--r-- | ChangeLog | 5 | ||||
-rw-r--r-- | README.dns | 23 |
2 files changed, 13 insertions, 15 deletions
@@ -33,6 +33,9 @@ | |||
33 | - jakob@cvs.openbsd.org 2003/10/14 19:42:10 | 33 | - jakob@cvs.openbsd.org 2003/10/14 19:42:10 |
34 | [dns.c dns.h readconf.c ssh-keygen.c sshconnect.c] | 34 | [dns.c dns.h readconf.c ssh-keygen.c sshconnect.c] |
35 | include SSHFP lookup code (not enabled by default). ok markus@ | 35 | include SSHFP lookup code (not enabled by default). ok markus@ |
36 | - jakob@cvs.openbsd.org 2003/10/14 19:43:23 | ||
37 | [README.dns] | ||
38 | update | ||
36 | 39 | ||
37 | 20031009 | 40 | 20031009 |
38 | - (dtucker) [sshd_config.5] UsePAM defaults to "no". ok djm@ | 41 | - (dtucker) [sshd_config.5] UsePAM defaults to "no". ok djm@ |
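Review bot: the new ChangeLog entry for README.dns reads only "update", which tells a later reader nothing about what changed; the entry should summarise the actual edits visible in this commit, for example "drop the configure --with-dns step, pin the reference to draft-ietf-secsh-dns-05, renumber sections as Server/Client", so that anyone tracing when the build-time flag stopped being documented can find it from the ChangeLog alone.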
@@ -1350,4 +1353,4 @@ | |||
1350 | - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. | 1353 | - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. |
1351 | Report from murple@murple.net, diagnosis from dtucker@zip.com.au | 1354 | Report from murple@murple.net, diagnosis from dtucker@zip.com.au |
1352 | 1355 | ||
1353 | $Id: ChangeLog,v 1.3077 2003/10/15 06:00:47 dtucker Exp $ | 1356 | $Id: ChangeLog,v 1.3078 2003/10/15 06:07:53 dtucker Exp $ |
diff --git a/README.dns b/README.dns index e24092e03..97879183e 100644 --- a/README.dns +++ b/README.dns | |||
@@ -1,17 +1,13 @@ | |||
1 | How to verify host keys using OpenSSH and DNS | 1 | How to verify host keys using OpenSSH and DNS |
2 | --------------------------------------------- | 2 | --------------------------------------------- |
3 | 3 | ||
4 | OpenSSH contains experimental support for verifying host keys using DNS | 4 | OpenSSH contains support for verifying host keys using DNS as described in |
5 | as described in draft-ietf-secsh-dns-xx.txt. The document contains | 5 | draft-ietf-secsh-dns-05.txt. The document contains very brief instructions |
6 | very brief instructions on how to test this feature. Configuring DNS | 6 | on how to use this feature. Configuring DNS is out of the scope of this |
7 | and DNSSEC is out of the scope of this document. | 7 | document. |
8 | 8 | ||
9 | 9 | ||
10 | (1) Enable DNS fingerprint support in OpenSSH | 10 | (1) Server: Generate and publish the DNS RR |
11 | |||
12 | configure --with-dns | ||
13 | |||
14 | (2) Generate and publish the DNS RR | ||
15 | 11 | ||
16 | To create a DNS resource record (RR) containing a fingerprint of the | 12 | To create a DNS resource record (RR) containing a fingerprint of the |
17 | public host key, use the following command: | 13 | public host key, use the following command: |
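Review bot: the opening paragraph loses the words "and DNSSEC" ("Configuring DNS and DNSSEC is out of the scope" becomes "Configuring DNS is out of the scope"), but the document still relies on a signed zone ("add the generated RR to your DNS zone file and sign your zone"); keep the DNSSEC mention, since an SSHFP record fetched over unauthenticated DNS gives the client no more assurance than the DNS answer itself, and readers skimming the introduction should see that signing is part of the setup rather than discover it later. Separately, pinning the reference to draft-ietf-secsh-dns-05.txt is clearer than the old "-xx", but the removed step "configure --with-dns" should be replaced by a sentence stating that the lookup code is now always built and only disabled by default, matching the ChangeLog wording "not enabled by default", so users of older builds are not left wondering whether the flag is still required.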
@@ -24,15 +20,14 @@ you should generate one RR for each key. | |||
24 | 20 | ||
25 | In the example above, ssh-keygen will print the fingerprint in a | 21 | In the example above, ssh-keygen will print the fingerprint in a |
26 | generic DNS RR format parsable by most modern name server | 22 | generic DNS RR format parsable by most modern name server |
27 | implementations. If your nameserver has support for the SSHFP RR, as | 23 | implementations. If your nameserver has support for the SSHFP RR |
28 | defined by the draft, you can omit the -g flag and ssh-keygen will | 24 | you can omit the -g flag and ssh-keygen will print a standard SSHFP RR. |
29 | print a standard RR. | ||
30 | 25 | ||
31 | To publish the fingerprint using the DNS you must add the generated RR | 26 | To publish the fingerprint using the DNS you must add the generated RR |
32 | to your DNS zone file and sign your zone. | 27 | to your DNS zone file and sign your zone. |
33 | 28 | ||
34 | 29 | ||
35 | (3) Enable the ssh client to verify host keys using DNS | 30 | (2) Client: Enable ssh to verify host keys using DNS |
36 | 31 | ||
37 | To enable the ssh client to verify host keys using DNS, you have to | 32 | To enable the ssh client to verify host keys using DNS, you have to |
38 | add the following option to the ssh configuration file | 33 | add the following option to the ssh configuration file |
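Review bot: the rewritten sentence "If your nameserver has support for the SSHFP RR you can omit the -g flag and ssh-keygen will print a standard SSHFP RR." needs a comma after "RR" (the old text had "as defined by the draft, you can omit"), and dropping "as defined by the draft" removes the only pointer telling an operator which record definition their nameserver must implement; suggest "If your nameserver has support for the SSHFP RR as defined by the draft, you can omit the -g flag ..." so the dependency on the draft's record format stays explicit.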
@@ -49,4 +44,4 @@ the remote host key, the user will be notified. | |||
49 | Wesley Griffin | 44 | Wesley Griffin |
50 | 45 | ||
51 | 46 | ||
52 | $OpenBSD: README.dns,v 1.1 2003/05/14 18:16:20 jakob Exp $ | 47 | $OpenBSD: README.dns,v 1.2 2003/10/14 19:43:23 jakob Exp $ |