pmeerw's blog

17 Dec 2022

Sat, 17 Dec 2022

Using DNS to securely publish SSH key fingerprints

Another nice article showing off DNSSEC strength...

Generate SSHFP DNS records for by host (pmeerw.net): 

$ ssh-keygen -r @
@ IN SSHFP 1 1 3b00267ed86c211026e6d8b8eb5d9a7d9e51cf7d
@ IN SSHFP 1 2 189d464e8a13d2df66d882afdcb4220fb281ba1f19eda96aa35bf1a50188b0a7
@ IN SSHFP 2 1 adb06e3c4de279d2338bbec35a9a64c8661fb431
@ IN SSHFP 2 2 50e72d460ea86ad416b74b71f9b0c948bf42004ebf730290eff9d43fea9545a6
@ IN SSHFP 3 1 aaa45514f6bd534448ab7f09842fe1e13c269142
@ IN SSHFP 3 2 cc68f391aea002966cc3d7e84ce41dc73d4cfb6c2381e5b665f26603f8317dd3
@ IN SSHFP 4 1 7482ed5e3e6621978bd0bbd61f6b9740dcef252c
@ IN SSHFP 4 2 eb77b6f29bee067d6524459e4cfc696881bd70908d514be682cb068746729594

SSH can silently connect to an SSH server (without asking to verify the host fingerprint!) if VerifyHostKeyDNS is enabled: ssh -o VerifyHostKeyDNS=yes pmeerw@pmeerw.net.

posted at: 22:58 | path: /configuration | permanent link

PGP Key Distribution via DNSSEC: OPENPGPKEY

RFC7929 describes a way to put OpenPGP public keys into DNS using DANE. Here's an article which I shamelessly condense here...

There is a DNS resource record that stores the complete public key. I'm using ECC to bring down key size. It looks like this: 

c746aa6d791946caf1aade6dc6c5e720e6e79d650e5b882dc11a2078._openpgpkey.pmeerw.net. IN OPENPGPKEY (
                  mDMEY54vtRYJKwYBBAHaRw8BAQdAmhK78RNv+Azsrrcgnb4Ijf4JwEOfHM8D
                  paY2yy1w0oG0KlBldGVyIE1lZXJ3YWxkLVN0YWRsZXIgPHBtZWVyd0BwbWVl
                  cncubmV0PoiQBBMWCAA4FiEE5u5nS8lBNCYy5igrw5J6UWK+XtEFAmOeL7UC
                  GwMFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQw5J6UWK+XtE+dAD/dZAp
                  If2WWK2fAQgGIxOepBr6Nj2g6Z78W25wyYiSxvIA/1VtCuCsveRGmKZ0wnuQ
                  kJP4z3v+r/XdjRJeingYSnsKuDgEY54vtRIKKwYBBAGXVQEFAQEHQPCrzg3G
                  IRhYWFdUkps1DSqmLEZ5xQX6D96jYpq28Lp1AwEIB4h4BBgWCAAgFiEE5u5n
                  S8lBNCYy5igrw5J6UWK+XtEFAmOeL7UCGwwACgkQw5J6UWK+XtGQyQD/RD1d
                  zIk/Kjnb1yKcW+GAIHkpahgEQzpk7Bcxk38ReaAA/j2ZoXGMeMNVlJdOIv7d
                  gr/Hw9ygwxInPg9Nth2wpKoB
)
The name part is the SHA-256 hash of "pmeerw". You can use the command openpgpkey --create pmeerw@pmeerw.net to create the record (install the Debian/Ubuntu hash-slinger package).

Try openpgpkey.info to query a PGP public key!

posted at: 22:49 | path: /configuration | permanent link

Made with PyBlosxom