Diffstat (limited to 'README.dns')
-rw-r--r-- | README.dns | 23 |
1 files changed, 9 insertions, 14 deletions
diff --git a/README.dns b/README.dns index e24092e03..97879183e 100644 --- a/README.dns +++ b/README.dns | |||
@@ -1,17 +1,13 @@ | |||
1 | How to verify host keys using OpenSSH and DNS | 1 | How to verify host keys using OpenSSH and DNS |
2 | --------------------------------------------- | 2 | --------------------------------------------- |
3 | 3 | ||
4 | OpenSSH contains experimental support for verifying host keys using DNS | 4 | OpenSSH contains support for verifying host keys using DNS as described in |
5 | as described in draft-ietf-secsh-dns-xx.txt. The document contains | 5 | draft-ietf-secsh-dns-05.txt. The document contains very brief instructions |
6 | very brief instructions on how to test this feature. Configuring DNS | 6 | on how to use this feature. Configuring DNS is out of the scope of this |
7 | and DNSSEC is out of the scope of this document. | 7 | document. |
8 | 8 | ||
9 | 9 | ||
10 | (1) Enable DNS fingerprint support in OpenSSH | 10 | (1) Server: Generate and publish the DNS RR |
11 | |||
12 | configure --with-dns | ||
13 | |||
14 | (2) Generate and publish the DNS RR | ||
15 | 11 | ||
16 | To create a DNS resource record (RR) containing a fingerprint of the | 12 | To create a DNS resource record (RR) containing a fingerprint of the |
17 | public host key, use the following command: | 13 | public host key, use the following command: |
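Review bot: the rewritten scope sentence (new lines 6-7) drops "and DNSSEC", which removes the only cue in this section that a published SSHFP record is trustworthy only when the zone is DNSSEC-signed and the resolver validates it; the second hunk still tells the reader to "sign your zone", so the two passages should agree. Suggest keeping the original wording: "Configuring DNS and DNSSEC is out of the scope of this document." Separately, replacing "draft-ietf-secsh-dns-xx.txt" with the pinned "draft-ietf-secsh-dns-05.txt" will go stale as the draft is revised; a wording such as "the current draft-ietf-secsh-dns draft" avoids that. Removing the "configure --with-dns" step is consistent with "experimental" being dropped in the same hunk.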
@@ -24,15 +20,14 @@ you should generate one RR for each key. | |||
24 | 20 | ||
25 | In the example above, ssh-keygen will print the fingerprint in a | 21 | In the example above, ssh-keygen will print the fingerprint in a |
26 | generic DNS RR format parsable by most modern name server | 22 | generic DNS RR format parsable by most modern name server |
27 | implementations. If your nameserver has support for the SSHFP RR, as | 23 | implementations. If your nameserver has support for the SSHFP RR |
28 | defined by the draft, you can omit the -g flag and ssh-keygen will | 24 | you can omit the -g flag and ssh-keygen will print a standard SSHFP RR. |
29 | print a standard RR. | ||
30 | 25 | ||
31 | To publish the fingerprint using the DNS you must add the generated RR | 26 | To publish the fingerprint using the DNS you must add the generated RR |
32 | to your DNS zone file and sign your zone. | 27 | to your DNS zone file and sign your zone. |
33 | 28 | ||
34 | 29 | ||
35 | (3) Enable the ssh client to verify host keys using DNS | 30 | (2) Client: Enable ssh to verify host keys using DNS |
36 | 31 | ||
37 | To enable the ssh client to verify host keys using DNS, you have to | 32 | To enable the ssh client to verify host keys using DNS, you have to |
38 | add the following option to the ssh configuration file | 33 | add the following option to the ssh configuration file |
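Review bot: style point on new lines 23-24: "If your nameserver has support for the SSHFP RR you can omit the -g flag" needs a comma after "RR" now that the ", as defined by the draft," clause is gone. Dropping that clause also leaves the reader with no pointer to where the standard SSHFP RR format is specified; suggest "If your nameserver has support for the SSHFP RR as defined by the draft, you can omit the -g flag and ssh-keygen will print a standard SSHFP RR." The "(2) Client:" heading on new line 30 matches the "(1) Server:" heading introduced in the first hunk.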
@@ -49,4 +44,4 @@ the remote host key, the user will be notified. | |||
49 | Wesley Griffin | 44 | Wesley Griffin |
50 | 45 | ||
51 | 46 | ||
52 | $OpenBSD: README.dns,v 1.1 2003/05/14 18:16:20 jakob Exp $ | 47 | $OpenBSD: README.dns,v 1.2 2003/10/14 19:43:23 jakob Exp $ |