SSHFP records

I hate getting this prompt:

root@home:~# ssh server.somehost.com
The authenticity of host 'server.somehost.com (123.123.123.123)' can't be established.
RSA key fingerprint is e6:fa:89:4d:c4:03:8e:09:1b:e5:b1:3c:ec:5f:8e:a3.
Are you sure you want to continue connecting (yes/no)?

If you see it often enough you probably just ignore it, and it loses its purpose once you find yourself blindly typing yes. SSHFP records stop that happening. As I already secure my DNS zone with DNSSEC, I think this is an acceptable way of verifying the host at the other end. If you don't have DNSSEC enabled on your zone it isn't best practice to enable this, but for personal use I would say it's fine.

To get started, install the sshfp package. This gives you a simple command line tool that reads the host's public keys and generates the SSHFP records. Once installed, simply run the command with the host as an argument:

root@home:~# sshfp server.somehost.com
server.somehost.com IN SSHFP 1 1 0b956a6d891305b61af6cc148be4f53d68e7c163
server.somehost.com IN SSHFP 2 1 7cf821750ca6736837515903ffb3f82b4c8fa230

Add the generated records to your DNS zone, making sure the record type is set to SSHFP (most DNS servers support it: PowerDNS and BIND do, TinyDNS needs a record builder). Validate that the record actually gets served using dig:

root@home:~# dig SSHFP server.somehost.com

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> SSHFP server.somehost.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25380
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;server.somehost.com.                   IN      SSHFP

;; ANSWER SECTION:
server.somehost.com.            296     IN      SSHFP   1 1 0b956a6d891305b61af6cc148be4f53d68e7c163
server.somehost.com.            296     IN      SSHFP   2 1 7cf821750ca6736837515903ffb3f82b4c8fa230

;; Query time: 76 msec
;; SERVER: 10.0.0.254#53(10.0.0.254)
;; WHEN: Mon Aug 12 03:10:13 2013
;; MSG SIZE  rcvd: 97
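The sshfp tool computes the values shown above from the host's public key: the record holds an algorithm number (1 RSA, 2 DSA, 3 ECDSA, 4 Ed25519), a fingerprint type (1 SHA-1, 2 SHA-256) and the hex digest of the public-key blob as it appears on the wire. The following Python is an added example, not the sshfp tool or OpenSSH code: it builds SSHFP records from an OpenSSH public-key line, parses the dig answer above, and mimics the check the client performs. The Ed25519 key blob is constructed for the example and is not a real host key; server.somehost.com and the two fingerprints are the ones on this page.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, 6594, 7479) keyed by OpenSSH key type,
# and the hash used for each fingerprint type.
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1, "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3, "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}

# Constructed sample: an Ed25519 public-key blob in SSH wire format
# (length-prefixed type string, then a length-prefixed 32-byte key). Not a real key.
_BLOB = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(range(32))
KEY_LINE = "ssh-ed25519 " + base64.b64encode(_BLOB).decode() + " constructed@example"

# Answer section copied from the dig output on the page.
DIG_ANSWER = """;; ANSWER SECTION:
server.somehost.com.            296     IN      SSHFP   1 1 0b956a6d891305b61af6cc148be4f53d68e7c163
server.somehost.com.            296     IN      SSHFP   2 1 7cf821750ca6736837515903ffb3f82b4c8fa230
"""


def sshfp_records(pubkey_line):
    """Return [(algorithm, fptype, hexdigest), ...] for one OpenSSH public-key line."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    # The wire blob starts with a length-prefixed copy of the key type; check it agrees.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode() != keytype:
        raise ValueError("key type in blob does not match key line")
    algo = SSHFP_ALGORITHMS[keytype]
    return [(algo, fptype, h(blob).hexdigest()) for fptype, h in sorted(SSHFP_HASHES.items())]


def format_zone_records(hostname, records):
    """Render records in the zone-file form the sshfp tool prints."""
    return [f"{hostname} IN SSHFP {a} {t} {d}" for a, t, d in records]


def parse_dig_answer(text):
    """Parse SSHFP lines from a dig answer section or zone file into (owner, algo, fptype, hex)."""
    out = []
    for line in text.splitlines():
        parts = line.split(";")[0].split()          # drop dig's ';' comments
        if "SSHFP" not in parts:
            continue
        i = parts.index("SSHFP")
        out.append((parts[0].rstrip("."), int(parts[i + 1]), int(parts[i + 2]), parts[i + 3].lower()))
    return out


def verify_host_key(hostname, pubkey_line, dns_records, dnssec_validated):
    """Mimic VerifyHostKeyDNS: the presented key is trusted only if a record for this
    owner matches a fingerprint we computed ourselves AND the answer was DNSSEC-validated.
    Unvalidated answers give no assurance (OpenSSH then falls back to asking)."""
    if not dnssec_validated:
        return False
    computed = set(sshfp_records(pubkey_line))
    return any(owner == hostname.rstrip(".") and (a, t, d) in computed
               for owner, a, t, d in dns_records)


if __name__ == "__main__":
    recs = sshfp_records(KEY_LINE)
    for line in format_zone_records("server.somehost.com", recs):
        print(line)
    print("page records match constructed key:",
          verify_host_key("server.somehost.com", KEY_LINE, parse_dig_answer(DIG_ANSWER), True))
```

Note that the sshfp tool output on this page publishes only SHA-1 (type 1) fingerprints; a current `ssh-keygen -r hostname` prints SHA-256 (type 2) records as well, and the example computes both. The dnssec_validated flag stands in for the AD bit OpenSSH requires: per ssh_config(5), VerifyHostKeyDNS only implicitly trusts fingerprints the resolver reports as secure, so the client also needs a validating resolver, otherwise the DNS match is treated as if the option were set to ask and the prompt still appears.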

You can now enable this in ssh_config. To set it system-wide, edit /etc/ssh/ssh_config and add VerifyHostKeyDNS yes under Host *, like this:

Host *
    VerifyHostKeyDNS yes
#   ForwardAgent no
#   ForwardX11 no
.....

Now when you connect to the host the client will check the record from DNS. To verify this, connect to the host with debugging enabled and look for the DNS lines:

root@home:~# ssh -v server.somehost.com
OpenSSH_5.5p1 Debian-6+squeeze3, OpenSSL 0.9.8o 01 Jun 2010
.....
debug1: found 2 secure fingerprints in DNS
debug1: matching host key fingerprint found in DNS
debug1: ssh_rsa_verify: signature correct
.....
Last login: Mon Aug 12 03:05:02 2013 from me
root@server:~#