From 37876e913a069036501086a247ed2ea430cea206 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 15 May 2003 10:19:46 +1000 Subject: - jakob@cvs.openbsd.org 2003/05/14 18:16:20 [key.c key.h readconf.c readconf.h ssh_config.5 sshconnect.c] [dns.c dns.h README.dns ssh-keygen.1 ssh-keygen.c] add experimental support for verifying host keys using DNS as described in draft-ietf-secsh-dns-xx.txt. more information in README.dns. ok markus@ and henning@ --- README.dns | 55 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 55 insertions(+) create mode 100644 README.dns (limited to 'README.dns') diff --git a/README.dns b/README.dns new file mode 100644 index 000000000..d6889b9a5 --- /dev/null +++ b/README.dns 
@@ -0,0 +1,55 @@ +How to verify host keys using OpenSSH and DNS +--------------------------------------------- + +OpenSSH contains experimental support for verifying host keys using DNS +as described in draft-ietf-secsh-dns-xx.txt. The document contains +very brief instructions on how to test this feature. Configuring DNS +and DNSSEC is out of the scope of this document. + + +(1) Enable DNS fingerprint support in OpenSSH + +Edit /usr/src/usr.bin/ssh/Makefile.inc and uncomment the line containing + + CFLAGS+= -DDNS + + +(2) Generate and publish the DNS RR + +To create a DNS resource record (RR) containing a fingerprint of the +public host key, use the following command: + + ssh-keygen -r hostname -f keyfile -g + +where "hostname" is your fully qualified hostname and "keyfile" is the +file containing the public host key file. If you have multiple keys, +you should generate one RR for each key. + +In the example above, ssh-keygen will print the fingerprint in a +generic DNS RR format parsable by most modern name server +implementations. If your nameserver has support for the SSHFP RR, as +defined by the draft, you can omit the -g flag and ssh-keygen will +print a standard RR. + +To publish the fingerprint using the DNS you must add the generated RR +to your DNS zone file and sign your zone. + + +(3) Enable the ssh client to verify host keys using DNS + +To enable the ssh client to verify host keys using DNS, you have to +add the following option to the ssh configuration file +($HOME/.ssh/config or /etc/ssh/ssh_config): + + VerifyHostKeyDNS yes + +Upon connection the client will try to look up the fingerprint RR +using DNS. If the fingerprint received from the DNS server matches +the remote host key, the user will be notified. + + + Jakob Schlyter + Wesley Griffin + + +$OpenBSD: README.dns,v 1.1 2003/05/14 18:16:20 jakob Exp $ -- cgit v1.2.3 From 5975cf12c309735fe3fd6a81782d46a11d166437 Mon Sep 17 00:00:00 2001 
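Review bot: step (3) of the new README.dns ends at "the user will be notified" and never says how the client treats a fingerprint RR that was not validated by DNSSEC, even though step (2) requires the zone to be signed; an answer from an unsigned zone or a spoofed resolver matches the host key just as well, so add a sentence stating that a match only counts as verification when the lookup was DNSSEC-validated, and what the client does otherwise. Two smaller wording points in the same hunk: "the file containing the public host key file" repeats "file", and "The document contains very brief instructions" should read "This document contains".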
From: Damien Miller Date: Thu, 15 May 2003 13:23:36 +1000 Subject: - (djm) Adapt README.dns for portable --- ChangeLog | 3 ++- README.dns | 5 +---- 2 files changed, 3 insertions(+), 5 deletions(-) (limited to 'README.dns') diff --git a/ChangeLog b/ChangeLog index 31948be5b..32de30915 100644 --- a/ChangeLog +++ b/ChangeLog @@ -23,6 +23,7 @@ - (djm) Configure glue for DNS support (code doesn't work in portable yet) - (djm) Import getrrsetbyname() function from OpenBSD libc (for DNS support) - (djm) Tidy Makefile clean targets + - (djm) Adapt README.dns for portable 20030514 - (djm) Bug #117: Don't lie to PAM about username @@ -1498,4 +1499,4 @@ save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@ -$Id: ChangeLog,v 1.2708 2003/05/15 03:23:07 djm Exp $ +$Id: ChangeLog,v 1.2709 2003/05/15 03:23:36 djm Exp $ diff --git a/README.dns b/README.dns index d6889b9a5..e24092e03 100644 --- a/README.dns +++ b/README.dns @@ -9,10 +9,7 @@ and DNSSEC is out of the scope of this document. (1) Enable DNS fingerprint support in OpenSSH -Edit /usr/src/usr.bin/ssh/Makefile.inc and uncomment the line containing - - CFLAGS+= -DDNS - + configure --with-dns (2) Generate and publish the DNS RR -- cgit v1.2.3
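Review bot: the replacement step (1) in README.dns is now a bare "configure --with-dns" with no sentence around it, because the removed "Edit /usr/src/usr.bin/ssh/Makefile.inc and uncomment the line containing" lead-in was dropped together with the CFLAGS line; add a short lead sentence such as "Build with:" so the step still reads as an instruction. The ChangeLog context just above the new entry also records that the DNS code "doesn't work in portable yet", so README.dns should carry that caveat until the portable build actually works, otherwise a portable user following these three steps will expect a functioning feature.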