SSHFP

Brief information

All persons authorized for DNS-Admin can now store so-called Secure Shell fingerprints (SSHFP) in the DNS, either as individual entries or via mass import (see RFC 4255, 6594 and 7479). The structure of this record type (for detailed parameters see iana.org) is:

<$SERVER.$DOMAIN.rwth-aachen.de.> [<TTL in seconds>] [<Class>] SSHFP <number of the algorithm> <number of the hash type> <hexadecimal fingerprint>
Information on algorithm and hash type
  1. Generate SSHFP
    • on the server

      sudo ssh-keygen -r $HOSTNAME.$DOMAIN.rwth-aachen.de.
    • remotely (via grabsshfp.sh)

      /grabsshfp.sh $HOSTNAME.$DOMAIN.rwth-aachen.de.
  2. Consider SSHFP when establishing a connection
    • per request

      ssh -o VerifyHostKeyDNS=yes -l $USER $HOSTNAME.$DOMAIN.rwth-aachen.de.
      ssh -o FingerprintHash=sha256 -o VerifyHostKeyDNS=yes -l $USER $HOSTNAME.$DOMAIN.rwth-aachen.de.
    • global SSH client configuration (all SSH connections from one computer, see "Hostname canonicalisation in OpenSSH")

      /etc/ssh/ssh_config
      CanonicalizeHostname yes
      CanonicalDomains $DOMAIN.rwth-aachen.de
      CanonicalizeMaxDots 0
      CanonicalizeFallbackLocal no
      VerifyHostKeyDNS yes
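As an added example (not part of this page or of the DNS-Admin tooling), the following Python script derives the SSHFP records for a public key line the way `ssh-keygen -r` does (hash of the raw key blob, in the record syntax shown above) and performs the client-side check that a published record matches an offered host key. The host name and the key bytes are constructed placeholders.

```python
import base64
import hashlib

# Algorithm and hash-type numbers from the IANA SSHFP registry (RFC 4255, 6594, 7479).
ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
              "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
HASHES = {1: hashlib.sha1, 2: hashlib.sha256}


def _wire_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: uint32 big-endian length + bytes."""
    return len(data).to_bytes(4, "big") + data


def sshfp_records(fqdn: str, pubkey_line: str, ttl: int = 3600) -> list:
    """Build the SSHFP records for one public key line (as ssh-keygen -r does).

    The fingerprint is the hash of the raw key blob (the base64 field), so the
    record depends only on the key, not on the comment behind it.
    """
    keytype, b64, *_ = pubkey_line.split()
    blob = base64.b64decode(b64)
    # The key type embedded in the blob must match the label in front of it.
    embedded_len = int.from_bytes(blob[:4], "big")
    if blob[4:4 + embedded_len].decode() != keytype:
        raise ValueError("key-type label does not match key blob")
    alg = ALGORITHMS[keytype]
    return [f"{fqdn} {ttl} IN SSHFP {alg} {num} {h(blob).hexdigest()}"
            for num, h in sorted(HASHES.items())]


def record_matches_key(record: str, pubkey_line: str) -> bool:
    """Client-side check: does a published SSHFP record match the offered host key?"""
    fields = record.split()
    alg, hnum, fp = fields[fields.index("SSHFP") + 1:]  # skips optional TTL/class
    keytype, b64, *_ = pubkey_line.split()
    if ALGORITHMS.get(keytype) != int(alg) or int(hnum) not in HASHES:
        return False
    return HASHES[int(hnum)](base64.b64decode(b64)).hexdigest() == fp.lower()


# Constructed sample: an ssh-ed25519 line with a dummy 32-byte key (enough for
# fingerprinting, not a usable key pair) and a placeholder host name.
SAMPLE_BLOB = _wire_string(b"ssh-ed25519") + _wire_string(bytes(range(32)))
SAMPLE_KEY_LINE = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " host key"
SAMPLE_FQDN = "server.example.rwth-aachen.de."

if __name__ == "__main__":
    for rec in sshfp_records(SAMPLE_FQDN, SAMPLE_KEY_LINE):
        print(rec)
```

Feeding the script a host's real `/etc/ssh/ssh_host_*_key.pub` line gives the records to publish; the match check is what `VerifyHostKeyDNS yes` makes the OpenSSH client do against the SSHFP set it resolves.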

last changed on 03/27/2023

This work is licensed under a Creative Commons Attribution - Share Alike 3.0 Germany License