Issue #950 » SSHFP.txt

Vincent-Xavier JUMEL, 23/08/2012 07:57

 
VERIFYING HOST KEYS
When connecting to a server for the first time, a fingerprint of the server's public key is presented to the user (unless the
option StrictHostKeyChecking has been disabled). Fingerprints can be determined using ssh-keygen(1):

$ ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key

If the fingerprint is already known, it can be matched and the key can be accepted or rejected. Because of the difficulty of
comparing host keys just by looking at hex strings, there is also support to compare host keys visually, using random art. By
setting the VisualHostKey option to “yes”, a small ASCII graphic gets displayed on every login to a server, no matter if the
session itself is interactive or not. By learning the pattern a known server produces, a user can easily find out that the
host key has changed when a completely different pattern is displayed. Because these patterns are not unambiguous, however,
a pattern that looks similar to the remembered one only gives a good probability that the host key is the same, not
guaranteed proof.

To get a listing of the fingerprints along with their random art for all known hosts, the following command line can be used:

$ ssh-keygen -lv -f ~/.ssh/known_hosts

If the fingerprint is unknown, an alternative method of verification is available: SSH fingerprints verified by DNS. An
additional resource record (RR), SSHFP, is added to a zonefile and the connecting client is able to match the fingerprint
with that of the key presented.

In this example, we are connecting a client to a server, “host.example.com”. The SSHFP resource records should first be added
to the zonefile for host.example.com:

$ ssh-keygen -r host.example.com.

The output lines will have to be added to the zonefile. To check that the zone is answering fingerprint queries (add +dnssec to see whether the answer also carries RRSIG records, i.e. whether the zone is signed):

$ dig -t SSHFP host.example.com

Finally the client connects:

$ ssh -o "VerifyHostKeyDNS ask" host.example.com
[...]
Matching host key fingerprint found in DNS.
Are you sure you want to continue connecting (yes/no)?

A DNS match is only as trustworthy as the DNS answer it came from. With VerifyHostKeyDNS set to “yes”, the client accepts a matching fingerprint without prompting only when the resolver reports the answer as DNSSEC-validated (secure); a matching but insecure answer is handled as if the option were set to “ask”, and an unsigned zone therefore gives no protection against a spoofed answer. See the VerifyHostKeyDNS option in ssh_config(5) for more information.
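The following is an added example, not part of the original page or of OpenSSH. It shows what an SSHFP record actually contains and what the client compares: the record's fingerprint is a hash (SHA-1, fingerprint type 1, per RFC 4255, or SHA-256, type 2, per RFC 6594) of the raw key blob, i.e. the base64-decoded part of the public key line, and the algorithm number identifies the key type (1 RSA, 2 DSA, 3 ECDSA, 4 Ed25519 per RFC 7479). sshfp_records() produces the same zonefile lines that ssh-keygen -r prints for a key, and key_matches_sshfp() performs the client-side check against one record. The hostname and the ssh-ed25519 key are constructed for the example (the 32 key bytes are arbitrary, not a real key pair); the function names are this example's own.

```python
"""SSHFP records from OpenSSH public keys, and the matching check a client does.

Added example, not part of the original page or of OpenSSH. Hostnames and
the sample key below are constructed for the example.
"""
import base64
import hashlib
import hmac
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479), keyed by key type.
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594).
SSHFP_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}


def parse_pubkey_line(line):
    """Split an OpenSSH 'type base64 [comment]' line into (type, raw key blob).

    The blob is the RFC 4253 wire encoding of the key; SSHFP hashes that blob,
    not the base64 text. Its first field repeats the key type, so check it.
    """
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    keytype, blob = fields[0], base64.b64decode(fields[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key type prefix does not match key blob")
    return keytype, blob


def sshfp_records(hostname, pubkey_line):
    """Return zonefile lines equivalent to `ssh-keygen -r hostname` for one key."""
    keytype, blob = parse_pubkey_line(pubkey_line)
    alg = SSHFP_ALGORITHMS[keytype]
    return [
        "%s IN SSHFP %d %d %s" % (hostname, alg, fptype, h(blob).hexdigest())
        for fptype, h in sorted(SSHFP_HASHES.items())
    ]


def key_matches_sshfp(pubkey_line, rdata):
    """Client-side check: does a presented host key match one SSHFP record?

    `rdata` is 'alg fptype hex' (a full zone line is also accepted). Unknown
    algorithm or fingerprint types never match, mirroring how a client must
    treat records it cannot interpret.
    """
    try:
        keytype, blob = parse_pubkey_line(pubkey_line)
        alg, fptype, fp_hex = rdata.split()[-3:]
        alg, fptype = int(alg), int(fptype)
        fp = bytes.fromhex(fp_hex)
    except ValueError:
        return False
    if SSHFP_ALGORITHMS.get(keytype) != alg or fptype not in SSHFP_HASHES:
        return False
    # Constant-time compare; different lengths simply do not match.
    return hmac.compare_digest(SSHFP_HASHES[fptype](blob).digest(), fp)


def make_ed25519_pubkey_line(point_bytes, comment="host.example.com"):
    """Build a syntactically valid ssh-ed25519 public key line (constructed
    sample for this example: the 32 bytes are arbitrary, not a real key pair)."""
    blob = (struct.pack(">I", 11) + b"ssh-ed25519"
            + struct.pack(">I", len(point_bytes)) + point_bytes)
    return "ssh-ed25519 %s %s" % (base64.b64encode(blob).decode(), comment)


SAMPLE_KEY = make_ed25519_pubkey_line(bytes(range(32)))

if __name__ == "__main__":
    records = sshfp_records("host.example.com.", SAMPLE_KEY)
    for rr in records:
        print(rr)
    # The client compares the hash of the presented key with each record.
    print("match:", any(key_matches_sshfp(SAMPLE_KEY, rr) for rr in records))
```

Run against a real host key (cat /etc/ssh/ssh_host_ed25519_key.pub) the two printed lines should be identical to the output of ssh-keygen -r for that host, which is a useful way to confirm that a record copied into a zone file was not truncated or mangled. Note that none of this replaces the DNSSEC check: a client that computes a match from an unsigned answer has only verified that whoever answered the query knew the key it was about to accept.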
