I hate getting this prompt:
[email protected]:~# ssh server.somehost.com The authenticity of host 'server.somehost.com (188.8.131.52)' can't be established. RSA key fingerprint is e6:fa:89:4d:c4:03:8e:09:1b:e5:b1:3c:ec:5f:8e:a3. Are you sure you want to continue connecting (yes/no)?
If you see it often enough you probably ignore it – it then loses its purpose if you find yourself blindly typing yes. SSHFP records stop that happening. As I secure my DNS zone with DNSSEC already I think this is an acceptable way of verifying the host at the other end. If you don’t have DNSSEC enabled on your zone it isn’t best practice to enable this – but for personal use I would say its fine.
To get started, install the sshfp package. This gives you a simple command line interface to generate the SSHFP records. Once installed simply run the command with the host as an argument:
[email protected]:~# sshfp server.somehost.com server.somehost.com IN SSHFP 1 1 0b956a6d891305b61af6cc148be4f53d68e7c163 server.somehost.com IN SSHFP 2 1 7cf821750ca6736837515903ffb3f82b4c8fa230
Add the generated records to your DNS zone – make sure the type is set to SSHFP (most DNS servers should support this, PowerDNS does, TinyDNS needs a record builder and Bind does). Validate the record actually gets served using dig:
[email protected]:~# dig SSHFP server.somehost.com ; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> SSHFP server.somehost.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25380 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;server.somehost.com. IN SSHFP ;; ANSWER SECTION: server.somehost.com. 296 IN SSHFP 1 1 0b956a6d891305b61af6cc148be4f53d68e7c163 server.somehost.com. 296 IN SSHFP 2 1 7cf821750ca6736837515903ffb3f82b4c8fa230 ;; Query time: 76 msec ;; SERVER: 10.0.0.254#53(10.0.0.254) ;; WHEN: Mon Aug 12 03:10:13 2013 ;; MSG SIZE rcvd: 97
You can now enable this in your ssh_config - to set this server wide edit
/etc/ssh/ssh_config and add
VerifyHostKeyDNS yes under
Host * like this:
Host * VerifyHostKeyDNS yes # ForwardAgent no # ForwardX11 no .....
Now when you connect to the host it will check the record from DNS - to verify this connect to the host with debugging enabled and look for the DNS lines:
[email protected]:~# ssh -v server.somehost.com OpenSSH_5.5p1 Debian-6+squeeze3, OpenSSL 0.9.8o 01 Jun 2010 ..... debug1: found 2 secure fingerprints in DNS debug1: matching host key fingerprint found in DNS debug1: ssh_rsa_verify: signature correct ..... Last login: Mon Aug 12 03:05:02 2013 from me [email protected]:~#
another flag – is VisualHostKey – kind of goes with the VerifyHostKeyDNS.