19261079b7
Some notable changes, from upstream's release notes:

- sshd(8): Remove support for obsolete "host/port" syntax.
- ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes".
- ssh-keygen(1): when acting as a CA and signing certificates with an RSA key, default to using the rsa-sha2-512 signature algorithm.
- ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa" (RSA/SHA1) algorithm from those accepted for certificate signatures.
- ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F support to provide address-space isolation for token middleware libraries (including the internal one).
- ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions.
- scp(1): this release changes the behaviour of remote to remote copies (e.g. "scp host-a:/path host-b:") to transfer through the local host by default.
- scp(1): experimental support for transfers using the SFTP protocol as a replacement for the venerable SCP/RCP protocol that it has traditionally used.

Additional integration work is needed to support FIDO/U2F in the base system.

Deprecation Notice
------------------

OpenSSH will disable the ssh-rsa signature scheme by default in the next release.

Reviewed by:            imp
MFC after:              1 month
Relnotes:               Yes
Sponsored by:           The FreeBSD Foundation
Differential Revision:  https://reviews.freebsd.org/D29985
48 lines
1.6 KiB
Plaintext
How to verify host keys using OpenSSH and DNS
---------------------------------------------

OpenSSH contains support for verifying host keys using DNS as described
in https://tools.ietf.org/html/rfc4255. This document contains very brief
instructions on how to use this feature. Configuring DNS is out of the
scope of this document.


(1) Server: Generate and publish the DNS RR

To create a DNS resource record (RR) containing a fingerprint of the
public host key, use the following command:

    ssh-keygen -r hostname -f keyfile -g

where "hostname" is your fully qualified hostname and "keyfile" is the
file containing the public host key. If you have multiple host keys,
generate one RR for each key.

In the example above, ssh-keygen will print the fingerprint in a
generic DNS RR format parsable by most modern name server
implementations. If your name server supports the SSHFP RR type
natively, you can omit the -g flag and ssh-keygen will print a standard
SSHFP RR.

To publish the fingerprint using the DNS, add the generated RR to your
DNS zone file and sign your zone.


(2) Client: Enable ssh to verify host keys using DNS

To enable the ssh client to verify host keys using DNS, add the
following option to the ssh configuration file
($HOME/.ssh/config or /etc/ssh/ssh_config):

    VerifyHostKeyDNS yes

Upon connection the client will try to look up the fingerprint RR
using DNS. If the fingerprint received from the DNS server matches
the remote host key, the user will be notified.
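As an added example (not part of the OpenSSH README and not ssh-keygen's own source), the following Python shows what steps (1) and (2) exchange: it derives the SSHFP RDATA from an OpenSSH public key line in both the native SSHFP presentation and the RFC 3597 generic TYPE44 form that -g produces, parses both back, and performs the client-side comparison of a DNS answer against the key a server presented. The algorithm and fingerprint-type code points are taken from RFC 4255, RFC 6594 and RFC 7479; the ssh-ed25519 key blob is constructed for the demo and is not a real key. The script does no DNS lookup and no DNSSEC validation; the real client additionally relies on the resolver having validated the SSHFP answer, which is why the README says to sign the zone.

```python
import base64
import hashlib
import hmac
import struct

# SSHFP code points: RFC 4255 (RSA, DSA, SHA-1), RFC 6594 (ECDSA, SHA-256),
# RFC 7479 (Ed25519).
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}


def ssh_string(data):
    """Encode bytes as an SSH wire-format string (uint32 big-endian length prefix)."""
    return struct.pack(">I", len(data)) + data


def parse_pubkey_line(line):
    """Parse one OpenSSH public key line ("type base64 [comment]") into (type, blob)."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    keytype = fields[0]
    blob = base64.b64decode(fields[1], validate=True)
    # The blob itself begins with the key type as an SSH string; reject a line
    # whose text field and encoded blob disagree.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key type in text field does not match the key blob")
    if keytype not in SSHFP_ALGORITHMS:
        raise ValueError(f"no SSHFP algorithm number for {keytype}")
    return keytype, blob


def sshfp_records(line, fptypes=(1, 2)):
    """Return (algorithm, fptype, hex_fingerprint) tuples, one per fingerprint type.

    The fingerprint is the hash of the whole base64-decoded key blob. Type 1 (SHA-1)
    is kept only for old consumers; type 2 (SHA-256) is the one to rely on."""
    keytype, blob = parse_pubkey_line(line)
    algo = SSHFP_ALGORITHMS[keytype]
    return [(algo, t, SSHFP_HASHES[t](blob).hexdigest()) for t in fptypes]


def format_sshfp(hostname, rec):
    """Zone-file line for a name server with native SSHFP support."""
    algo, fptype, fp = rec
    return f"{hostname} IN SSHFP {algo} {fptype} {fp}"


def format_generic(hostname, rec):
    """RFC 3597 generic form (SSHFP is type 44) for servers without native support."""
    algo, fptype, fp = rec
    rdata = bytes([algo, fptype]) + bytes.fromhex(fp)
    return f"{hostname} IN TYPE44 \\# {len(rdata)} {rdata.hex()}"


def parse_sshfp_rdata(text):
    """Parse presentation-format RDATA '<algo> <fptype> <hex>' (hex may contain spaces)."""
    fields = text.split()
    if len(fields) < 3:
        raise ValueError("malformed SSHFP RDATA")
    return int(fields[0]), int(fields[1]), "".join(fields[2:]).lower()


def parse_generic_rdata(text):
    """Parse RFC 3597 generic RDATA '\\# <len> <hex>' back into an SSHFP tuple."""
    fields = text.split()
    if len(fields) < 3 or fields[0] != "\\#":
        raise ValueError("not RFC 3597 generic RDATA")
    rdata = bytes.fromhex("".join(fields[2:]))
    if len(rdata) != int(fields[1]) or len(rdata) < 3:
        raise ValueError("RDATA length does not match declared length")
    return rdata[0], rdata[1], rdata[2:].hex()


def host_key_matches_dns(line, dns_records):
    """Client-side check: does any SSHFP RR from DNS match the key the server sent?
    Records for other algorithms or unknown fingerprint types are ignored."""
    keytype, blob = parse_pubkey_line(line)
    algo = SSHFP_ALGORITHMS[keytype]
    for rec_algo, fptype, fp in dns_records:
        if rec_algo != algo or fptype not in SSHFP_HASHES:
            continue
        computed = SSHFP_HASHES[fptype](blob).hexdigest()
        if hmac.compare_digest(computed, fp.lower()):
            return True
    return False


# Constructed sample: an ssh-ed25519 blob around a dummy 32-byte value, NOT a real key.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_LINE = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " constructed-sample"

if __name__ == "__main__":
    recs = sshfp_records(SAMPLE_LINE)
    for rec in recs:
        print(format_sshfp("host.example.com.", rec))   # what ssh-keygen -r prints
        print(format_generic("host.example.com.", rec)) # what ssh-keygen -r -g prints
    print("client check:", host_key_matches_dns(SAMPLE_LINE, recs))
```

Feeding a real host key (for example the contents of ssh_host_ed25519_key.pub) to sshfp_records gives the same RDATA ssh-keygen -r publishes, which makes the script a convenient way to audit that the records in a zone still match the keys on the servers after a key rotation.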


Jakob Schlyter
Wesley Griffin


$OpenBSD: README.dns,v 1.2 2003/10/14 19:43:23 jakob Exp $