SSH fingerprint (sshfp) dns records

To help secure SSH connections, you can publish ‘SSHFP’ records in DNS, which contain a fingerprint of a server’s SSH host key.

If DNSSEC is in use throughout the DNS hierarchy then it ought to provide a trusted way of verifying remote hosts when no record already exists in your ~/.ssh/known_hosts file.

To create the actual records for sshfp within DNS, you need to get hold of the ‘sshfp’ utility (apt-get install sshfp or yum install hash-slinger)

For a specific host, you can do ‘sshfp -qs <hostname>’ which will produce something like :

foobar.palepurple.co.uk IN SSHFP 1 1 9676BB7A92C7E11B90E9508A343A4CAE9888B43D
foobar.palepurple.co.uk IN SSHFP 2 1 D4F49CE2195A0BF531275B889ED6ABFF2F24C2BC

If you’re using Bind for DNS, then it should be quite easy to add in (copy+paste).

If you’re using TinyDNS, then it needs converting – using something like the perl script below :

sshfp -qs foobar.palepurple.co.uk | perl ssh-fp-converter.pl

which will output something like :

:foobar.palepurple.co.uk:44:\001\001\226\166\273\172\222\307\341\033\220\351\120\212\064\072\114\256\230\210\264\075:
:foobar.palepurple.co.uk:44:\002\001\324\364\234\342\031\132\013\365\061\047\133\210\236\326\253\377\057\044\302\274:

Once the records are published, then you can tell SSH to check/verify against DNS – for example :

ssh -oVerifyHostKeyDNS=yes -v user@foobar.palepurple.co.uk

If you do not have DNSSEC implemented, or the keys do not match up, you’ll see output such as:

“Error calculating host key fingerprint.”

If the keys do match up, and you’re using DNSSEC, it should skip asking you to confirm the host key verification.

ssh-fp-converter.pl :

#!/usr/bin/perl

use strict;
use warnings;

# Take in, e.g. :
# foobar.palepurple.co.uk IN SSHFP 1 1 9676BB7A92C7E11B90E9508A343A4CAE9888B43D
# foobar.palepurple.co.uk IN SSHFP 2 1 D4F49CE2195A0BF531275B889ED6ABFF2F24C2BC
# on standard input, and output the appropriate tinydns records for sshfp -
# e.g.
# :foobar.palepurple.co.uk:44:\001\001\226\166\273\172\222\307\341\033\220\351\120\212\064\072\114\256\230\210\264\075:
# :foobar.palepurple.co.uk:44:\002\001\324\364\234\342\031\132\013\365\061\047\133\210\236\326\253\377\057\044\302\274:

while (<>) {
    chomp;
    # Fields: owner name, class, record type, key algorithm, fingerprint type, hex fingerprint
    my ($host, $in, $sshfp, $alg, $fptype, $fp) = split " ", $_;
    next unless defined $fp;    # skip blank or malformed lines
    # tinydns generic records carry the record data as octal-escaped bytes:
    # algorithm byte, fingerprint type byte, then the fingerprint itself
    my $out = sprintf("\\%03o\\%03o", $alg, $fptype);
    for (my $i = 0; $i < length($fp); $i += 2) {
        $out .= sprintf("\\%03o", hex substr($fp, $i, 2));
    }
    # 44 is the DNS record type number for SSHFP
    printf(":%s:44:%s:\n", $host, $out);
}

(Script above is also on github at : https://gist.github.com/palepurple/9546745 )
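
The same records can be derived directly from a host public key line (as found in /etc/ssh/ssh_host_*_key.pub), which also covers SHA-256 fingerprints and ECDSA/Ed25519 keys and lets you check published records against the key actually on the server. The Python below is an added example, not part of the original post or gist; the function names and the all-zero sample key are constructed for illustration.

```python
import base64
import hashlib
import struct

# SSHFP key algorithm numbers (RFC 4255, RFC 6594, RFC 7479)
KEY_ALGS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
            "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
            "ssh-ed25519": 4}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256
FP_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def sshfp_from_pubkey(pubkey_line):
    """Return [(alg, fptype, HEXFP), ...] for one OpenSSH public key line."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    # The blob starts with a length-prefixed copy of the key type; check it.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode("ascii") != keytype:
        raise ValueError("key type does not match key blob")
    alg = KEY_ALGS[keytype]
    return [(alg, t, h(blob).hexdigest().upper()) for t, h in FP_TYPES.items()]


def to_bind(host, alg, fptype, fp):
    return "%s IN SSHFP %d %d %s" % (host, alg, fptype, fp)


def to_tinydns(host, alg, fptype, fp):
    """Generic tinydns record (type 44), every byte as a \\ooo octal escape."""
    rdata = bytes([alg, fptype]) + bytes.fromhex(fp)
    return ":%s:44:%s:" % (host, "".join("\\%03o" % b for b in rdata))


def stale_records(pubkey_line, published):
    """Published (alg, fptype, fp) tuples for this key's algorithm that no longer match it."""
    good = set(sshfp_from_pubkey(pubkey_line))
    alg = KEY_ALGS[pubkey_line.split()[0]]
    return [r for r in published if r[0] == alg and (r[0], r[1], r[2].upper()) not in good]


# Constructed sample key: an all-zero Ed25519 public key, not a real host key.
_blob = b"".join(struct.pack(">I", len(p)) + p for p in (b"ssh-ed25519", bytes(32)))
SAMPLE_KEY = "ssh-ed25519 %s root@example" % base64.b64encode(_blob).decode()

if __name__ == "__main__":
    for rec in sshfp_from_pubkey(SAMPLE_KEY):
        print(to_bind("foobar.palepurple.co.uk", *rec))
        print(to_tinydns("foobar.palepurple.co.uk", *rec))
```

Running stale_records() after a host key rotation shows which published records need replacing before clients that verify against DNS start seeing mismatches.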


One thought on “SSH fingerprint (sshfp) dns records”

  • Mike says:

    Hi,

    A few comments:

    1. there’s a bug in the script, while should contain the diamond operator while(<>)

    2. with tinydns, you can set a TTL and location by appending to the end of the generated lines 3600::IN (set your TTL to 1 hour and this record is for the INternal zone).
