An SSHFP resource record (SSHFP: Secure Shell Key Fingerprint) is a DNS resource record that publishes the fingerprint of an SSH key so that clients can verify a server's host key through DNS.
Structure
<Name> [<TTL>] [<Class>] SSHFP <Algorithm> <Type> <Fingerprint>
Example
host.example.com. SSHFP 2 1 123456789abcdef67890123456789abcdef67890
From this record a client can determine that the host with the DNS name host.example.com uses a DSA key (algorithm 2) whose SHA-1 fingerprint (type 1) is "123456789abcdef67890123456789abcdef67890".
Use with OpenSSH Client
The OpenSSH client can check the fingerprint of the SSH server's host key against the SSHFP record in DNS, but this check is disabled by default. To force it, use the VerifyHostKeyDNS ask option, either in your per-user ~/.ssh/config file or directly in the system-wide /etc/ssh/ssh_config file. Example:
$ ssh -o "VerifyHostKeyDNS ask" host.example.com
[...]
Matching host key fingerprint found in DNS.
Are you sure you want to continue connecting (yes/no)?
Use ssh-keygen command
The ssh-keygen Unix command can directly generate all the SSHFP records to insert into your DNS zone.
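As an added example (not code from the original article or from OpenSSH), the following Python reproduces what ssh-keygen -r and the client-side VerifyHostKeyDNS check do: it derives the SHA-1 and SHA-256 SSHFP records for an OpenSSH public-key line by hashing the base64-decoded key blob, parses records in the presentation format shown above, and decides whether an offered host key matches them. The sample key is a constructed dummy Ed25519 blob, not a real key.

```python
import base64, hashlib, hmac, struct
from dataclasses import dataclass

# SSHFP parameter numbers from the IANA registry: algorithm 1=RSA, 2=DSA (RFC 4255),
# 3=ECDSA (RFC 6594), 4=Ed25519 (RFC 7479); fingerprint type 1=SHA-1, 2=SHA-256.
KEY_ALGORITHM = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                 "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
FP_TYPE = {1: hashlib.sha1, 2: hashlib.sha256}

@dataclass(frozen=True)
class SSHFP:
    name: str
    algorithm: int
    fp_type: int
    fingerprint: str  # lowercase hex

def sshfp_records(hostname: str, pubkey_line: str) -> list[SSHFP]:
    """Build the SHA-1 and SHA-256 records for one OpenSSH public-key line, as
    `ssh-keygen -r` does: the fingerprint is a hash of the base64-decoded key blob."""
    key_type, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    return [SSHFP(hostname, KEY_ALGORITHM[key_type], t, h(blob).hexdigest())
            for t, h in FP_TYPE.items()]

def parse_sshfp(rr: str) -> SSHFP:
    """Parse presentation format: <Name> [<TTL>] [<Class>] SSHFP <Alg> <Type> <Fp>."""
    f = rr.split()
    i = f.index("SSHFP")
    return SSHFP(f[0], int(f[i + 1]), int(f[i + 2]), f[i + 3].lower())

def host_key_matches(pubkey_line: str, dns_records: list[SSHFP]) -> bool:
    """Client-side decision: accept the offered host key only if a record with the
    same algorithm and a supported hash type carries the same fingerprint. (OpenSSH
    trusts such a match implicitly only for a DNSSEC-validated answer; otherwise it asks.)"""
    key_type, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    return any(
        rr.algorithm == KEY_ALGORITHM.get(key_type) and rr.fp_type in FP_TYPE
        and hmac.compare_digest(FP_TYPE[rr.fp_type](blob).hexdigest(), rr.fingerprint)
        for rr in dns_records)

def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b  # SSH wire-format string: 4-byte length + data

# Constructed sample key for demonstration, NOT a real key: an Ed25519 blob whose
# 32-byte public point is simply the bytes 0..31.
SAMPLE_KEY = "ssh-ed25519 " + base64.b64encode(
    _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))).decode()
```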
# ssh-keygen -r www.example.com
www.example.com IN SSHFP 1 1 5f2f2e0676798a0273572bc77b99d6319a560fd5
www.example.com IN SSHFP 1 2 f5ae7764148c8f587996e5be3324286bdd1e9b935caaf3ff0ed3c9bbc0152097
www.example.com IN SSHFP 2 1 9b913ce5339f8761c26a2ed755156d4785042b2d
www.example.com IN SSHFP 2 2 15477282e6a510a6c534e61f1df40d3750edcf86c6f4bf2ab5a964ccada7be3d
www.example.com IN SSHFP 3 1 1262006f9a45bb36b1aa14f45f354b694b77d7c3
www.example.com IN SSHFP 3 2 e5921564252fe10d2dbafeb243733ed8b1d165b8fa6d5a0e29198e5793f0623b
References
SSHFP Resource Record, Wikipedia (text), CC BY-SA