pmeerw's blog

Sat, 17 Dec 2022

Using DNS to securely publish SSH key fingerprints

Another nice article showing off DNSSEC strength...

Generate SSHFP DNS records for my host (pmeerw.net):

$ ssh-keygen -r @
@ IN SSHFP 1 1 3b00267ed86c211026e6d8b8eb5d9a7d9e51cf7d
@ IN SSHFP 1 2 189d464e8a13d2df66d882afdcb4220fb281ba1f19eda96aa35bf1a50188b0a7
@ IN SSHFP 2 1 adb06e3c4de279d2338bbec35a9a64c8661fb431
@ IN SSHFP 2 2 50e72d460ea86ad416b74b71f9b0c948bf42004ebf730290eff9d43fea9545a6
@ IN SSHFP 3 1 aaa45514f6bd534448ab7f09842fe1e13c269142
@ IN SSHFP 3 2 cc68f391aea002966cc3d7e84ce41dc73d4cfb6c2381e5b665f26603f8317dd3
@ IN SSHFP 4 1 7482ed5e3e6621978bd0bbd61f6b9740dcef252c
@ IN SSHFP 4 2 eb77b6f29bee067d6524459e4cfc696881bd70908d514be682cb068746729594

SSH can silently connect to an SSH server (without asking to verify the host fingerprint!) if VerifyHostKeyDNS is enabled: ssh -o VerifyHostKeyDNS=yes pmeerw@pmeerw.net.
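
How the two numbers and the hex string in each record above relate to a host key, as an added example (not from the original post): the sketch rebuilds SSHFP records from a public key line and compares an offered key against published records. The function names and the sample key are constructed for illustration; it compares hashes only and leaves validation of the DNSSEC signatures, which the silent connection relies on, to the resolver.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255/6594/7479); every ecdsa-sha2-* type is 3.
KEY_ALGS = {"ssh-rsa": 1, "ssh-dss": 2, "ssh-ed25519": 4}
FP_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}  # fingerprint type -> hash

def key_alg(key_type):
    return 3 if key_type.startswith("ecdsa-sha2-") else KEY_ALGS[key_type]

def parse_pubkey(pubkey_line):
    """Split a '<type> <base64> [comment]' line into (algorithm number, key blob)."""
    key_type, b64 = pubkey_line.split()[:2]
    return key_alg(key_type), base64.b64decode(b64)

def sshfp_records(pubkey_line, owner="@"):
    """Build both SSHFP records for one key, laid out like the listing above."""
    alg, blob = parse_pubkey(pubkey_line)
    return [f"{owner} IN SSHFP {alg} {fp} {h(blob).hexdigest()}"
            for fp, h in sorted(FP_TYPES.items())]

def check_host_key(pubkey_line, rrset):
    """Return 'match', 'mismatch' (same algorithm, different key) or 'no-record'."""
    alg, blob = parse_pubkey(pubkey_line)
    verdict = "no-record"
    for rr in rrset:
        fields = rr.split()
        if len(fields) != 6 or fields[2].upper() != "SSHFP":
            continue  # not an '<owner> IN SSHFP <alg> <type> <hex>' line
        rr_alg, fp_type, digest = int(fields[3]), int(fields[4]), fields[5].lower()
        if rr_alg != alg or fp_type not in FP_TYPES:
            continue  # record is for another key algorithm or unknown hash
        if FP_TYPES[fp_type](blob).hexdigest() == digest:
            return "match"
        verdict = "mismatch"
    return verdict

def ssh_string(data):
    """Encode bytes as an SSH wire-format string (4-byte length prefix)."""
    return struct.pack(">I", len(data)) + data

# Constructed sample, not a real host key (Ed25519 blob: type string + 32-byte key).
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_KEY = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " constructed"

if __name__ == "__main__":
    published = sshfp_records(SAMPLE_KEY)
    print(*published, check_host_key(SAMPLE_KEY, published), sep="\n")
```

A "mismatch" verdict is the case worth alerting on: the zone publishes records for that key algorithm, but the server offered a different key.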

posted at: 22:58 | path: /configuration