Issue #950 » SSHFP.txt

Vincent-Xavier JUMEL, 08/23/2012 07:57 AM

VERIFYING HOST KEYS
     When connecting to a server for the first time, a fingerprint of the server's public key is presented to the user (unless the
     option StrictHostKeyChecking has been disabled).  Fingerprints can be determined using ssh-keygen(1):

           $ ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key

     If the fingerprint is already known, it can be matched and the key can be accepted or rejected.  Because of the difficulty of
     comparing host keys just by looking at hex strings, there is also support to compare host keys visually, using random art.  By
     setting the VisualHostKey option to “yes”, a small ASCII graphic gets displayed on every login to a server, no matter if the
     session itself is interactive or not.  By learning the pattern a known server produces, a user can easily find out that the
     host key has changed when a completely different pattern is displayed.  Because these patterns are not unambiguous however, a
     pattern that looks similar to the pattern remembered only gives a good probability that the host key is the same, not
     guaranteed proof.

     To get a listing of the fingerprints along with their random art for all known hosts, the following command line can be used:

           $ ssh-keygen -lv -f ~/.ssh/known_hosts

     If the fingerprint is unknown, an alternative method of verification is available: SSH fingerprints verified by DNS.  An
     additional resource record (RR), SSHFP, is added to a zonefile and the connecting client is able to match the fingerprint with
     that of the key presented.

     In this example, we are connecting a client to a server, “host.example.com”.  The SSHFP resource records should first be added
     to the zonefile for host.example.com:

           $ ssh-keygen -r host.example.com.

     The output lines will have to be added to the zonefile.  To check that the zone is answering fingerprint queries:

           $ dig -t SSHFP host.example.com

     Finally the client connects:

           $ ssh -o "VerifyHostKeyDNS ask" host.example.com
           [...]
           Matching host key fingerprint found in DNS.
           Are you sure you want to continue connecting (yes/no)?

     See the VerifyHostKeyDNS option in ssh_config(5) for more information.
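As an added example (not part of the attached man page excerpt and not OpenSSH's own code), the following Python reproduces what ssh-keygen -r computes for the SSHFP records and what the client then checks on connect: the SHA-1 and SHA-256 digests of the raw key blob, tagged with the SSHFP algorithm and fingerprint-type numbers. The host key used is a constructed sample derived from a seed, not a real key, and the host name host.example.com. is taken from the text above.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers keyed by OpenSSH key type; fingerprint types 1 = SHA-1, 2 = SHA-256.
SSHFP_ALGORITHM = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                   "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
SSHFP_DIGEST = {1: hashlib.sha1, 2: hashlib.sha256}


def key_blob(pubkey_line):
    """Return (key type, raw wire-format blob) from an OpenSSH public key line."""
    keytype, b64, *_ = pubkey_line.split()
    return keytype, base64.b64decode(b64)


def sshfp_records(hostname, pubkey_line, fptypes=(1, 2)):
    """Build the (owner, algorithm, fptype, hex) tuples that 'ssh-keygen -r' prints.
    The digest is over the raw key blob, not over the text of the public key line."""
    keytype, blob = key_blob(pubkey_line)
    algo = SSHFP_ALGORITHM[keytype]
    return [(hostname, algo, t, SSHFP_DIGEST[t](blob).hexdigest()) for t in fptypes]


def zone_lines(records):
    """Render the records as zone-file lines ready to paste into the zone."""
    return ["%s IN SSHFP %d %d %s" % r for r in records]


def verify_host_key(pubkey_line, dns_records):
    """Client-side check: True if any SSHFP RR matches the key the server presented.
    dns_records holds (algorithm, fptype, hex) triples as parsed from a dig answer."""
    keytype, blob = key_blob(pubkey_line)
    algo = SSHFP_ALGORITHM.get(keytype)
    for rr_algo, rr_type, rr_hex in dns_records:
        if rr_algo != algo or rr_type not in SSHFP_DIGEST:
            continue  # other algorithm or unknown digest type: never counts as a match
        # dig may print the hex in upper case or split by spaces; normalise before comparing
        if SSHFP_DIGEST[rr_type](blob).hexdigest() == "".join(rr_hex.split()).lower():
            return True
    return False


def constructed_ed25519_pubkey(seed):
    """Constructed sample (NOT a real key): a wire-format Ed25519 blob whose 32-byte
    'point' is just sha256(seed); enough to exercise fingerprinting end to end."""
    point = hashlib.sha256(seed).digest()
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + point
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"
```

Note that ssh itself treats a matching SSHFP answer as trusted only when the resolver returns it DNSSEC-validated; an unvalidated match is handled as with VerifyHostKeyDNS ask, which is why the prompt in the session above still appears.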