You are located in service: DNS (Domain Name Service)

SSHFP

SSHFP

Kurzinformation

All persons authorized for the DNS-Admin can now store so-called Secure Shell Fingerprints (SSHFP) in the DNS via individual entries or a mass import (see RFC 4255, 6594 and 7479. The structure of this record type (for detailed parameters see iana.org) is:

<$SERVER.$DOMAIN.rwth-aachen.de.> [<TTL in seconds>] [<Class>] SSHFP <number of the algorithm> <number of the hash type> <hexadecimal fingerprint>
Information on algorithm and hash type
  1. Generate SSHFP
    • on the server

      sudo ssh-keygen -r $HOSTNAME.$DOMAIN.rwth-aachen.de.
    • remote(via grabsshfp.sh)

      /grabsshfp.sh $HOSTNAME.$DOMAIN.rwth-aachen.de.
  2. Consider SSHFP when establishing a connection
    • per request

      ssh -o VerifyHostKeyDNS=yes -l $USER $HOSTNAME.$DOMAIN.rwth-aachen.de.
      ssh -o FingerprintHash=sha256 -o VerifyHostKeyDNS=yes -l $USER $HOSTNAME.$DOMAIN.rwth-aachen.de.
    • gloabe SSH Client Configuration (all SSH connections from one computer, see "Hostname canonicalisation in OpenSSH)

      /etc/ssh/ssh_config
      CanonicalizeHostname yes
      CanonicalDomains $DOMAIN.rwth-aachen.de
      CanonicalizeMaxDots 0
      CanonicalizeFallbackLocal no
      VerifyHostKeyDNS yes

last changed on 29.01.2021

How did this content help you?