SSHFP is SSH Fingerprint in the DNS. Before newer versions of Microsoft Windows, there were only PuTTY-like applications to SSH from Microsoft Windows computers. Newer versions officially have an Ubuntu terminal, which needs to be configured. As for Android, there is the Termux application. Obviously, Mac has iTerm2 and Terminal, and GNU/Linux has a terminal. So nobody should have trouble using SSHFP. In our older guides we discussed how to deploy DNSSEC. This tutorial must be tested on a development server to learn before deploying on a production server. Here is how to configure and set up SSHFP. It is a serious matter to deploy.
Needed Steps to Configure and Setup SSHFP
An SSHFP record is a type of DNS record that identifies the SSH keys associated with a host name. The lookup needs to be secured with DNSSEC to provide a chain of trust. The OpenSSH client can check the fingerprint of an SSH server and compare it to the SSHFP record in DNS. Here is the corresponding RFC:
https://tools.ietf.org/html/rfc4255
An SSHFP record has three fields: the algorithm, the fingerprint type and the fingerprint in hex. Four algorithms are defined for SSHFP: RSA, DSA, ECDSA and Ed25519. The two fingerprint types are SHA-1 and SHA-256.
Using Ed25519 in the SSHFP record is probably better, and using fingerprint type SHA-256 is practical.
Normally, when we connect:
ssh root@thecustomizewindows.com
we receive:
The authenticity of host 'thecustomizewindows.com (big string)' can't be established.
ECDSA key fingerprint is <another string>.
Are you sure you want to continue connecting (yes/no)?
We hit yes, as no normal human checks the fingerprint. That is the point at which a Man-in-the-Middle attack is possible.
The only required step to distribute the SSH fingerprints within the DNS is to generate the records on the SSH server itself:
ssh-keygen -r name
After the records are placed in the DNS server zone and the zone is signed with DNSSEC, they can be validated via DNSSEC. If we open:
nano /etc/ssh/ssh_config
we will find:
VerifyHostKeyDNS no
That needs to be changed to yes and the service restarted. If you SSH in this way:
ssh -o VerifyHostKeyDNS=yes root@thecustomizewindows.com
then you'll receive this response:
The authenticity of host 'thecustomizewindows.com (big string)' can't be established.
ECDSA key fingerprint is <another string>.
Matching host key fingerprint found in DNS.
Are you sure you want to continue connecting (yes/no)?
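To make the record format and the client-side check concrete, here is an added Python example (not code from the original post or from OpenSSH) that builds the SSHFP rdata the way ssh-keygen -r does, hashing the raw public key blob, and then emulates the VerifyHostKeyDNS comparison against an SSHFP RRset. The sample key is constructed placeholder bytes in ssh-ed25519 wire format, not a real key, and the code assumes the RRset it is handed was already validated by a DNSSEC-aware resolver.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479) and fingerprint types.
ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
              "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
FP_TYPES = {"sha1": 1, "sha256": 2}

def sshfp_rdata(pubkey_line, fp_type="sha256"):
    """Return (algorithm, fptype, hex digest) for one OpenSSH public key line.
    The digest covers the raw SSH wire blob, which is what ssh-keygen -r hashes."""
    key_type, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    (tlen,) = struct.unpack(">I", blob[:4])  # first field: length-prefixed key type
    if blob[4:4 + tlen] != key_type.encode():
        raise ValueError("key type in blob does not match the line prefix")
    return ALGORITHMS[key_type], FP_TYPES[fp_type], hashlib.new(fp_type, blob).hexdigest()

def zone_record(hostname, pubkey_line, fp_type="sha256"):
    """Format one SSHFP record in the form ssh-keygen -r prints for the zone file."""
    alg, fpt, digest = sshfp_rdata(pubkey_line, fp_type)
    return f"{hostname} IN SSHFP {alg} {fpt} {digest}"

def verify_host_key_dns(pubkey_line, sshfp_rrset):
    """Emulate the client's VerifyHostKeyDNS comparison against a fetched SSHFP RRset.
    Returns 'matched', 'mismatched' (records exist but none match) or 'no_records'."""
    if not sshfp_rrset:
        return "no_records"
    for fp_type in FP_TYPES:
        alg, fpt, digest = sshfp_rdata(pubkey_line, fp_type)
        for rr in sshfp_rrset:
            fields = rr.split()[-3:]  # trailing "alg fptype hex" fields of the record
            if (int(fields[0]), int(fields[1]), fields[2].lower()) == (alg, fpt, digest):
                return "matched"
    return "mismatched"

def constructed_ed25519_key(seed=0):
    """Constructed sample, not a real key: 32 placeholder bytes in ssh-ed25519 wire format."""
    raw = bytes((seed + i) % 256 for i in range(32))
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " sample@example.invalid"

if __name__ == "__main__":
    key = constructed_ed25519_key()
    rrset = [zone_record("thecustomizewindows.com", key)]
    print(rrset[0])
    print(verify_host_key_dns(key, rrset))
```

The DNSSEC validation itself is the resolver's job; the comparison above only means something when the SSHFP answer arrived authenticated, which is why the zone must be signed first.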
You can use this kind of script to automate the process:
https://github.com/northox/2sshfp
Many premium DNS providers support DNSSEC and SSHFP. In practice, you need to read their instructions.