SSHFP record

SSHFP is a type of DNS record, used to store SSH key fingerprints.

Example record
darkstar.fudo.org. IN SSHFP 1 1 253d9636219be6aec03d06359837e0604b370372
darkstar.fudo.org. IN SSHFP 2 1 6c3c958ae43d953f92f40e0d84157f4fe7b4a898

Fields, left to right: name, class, type, algorithm number, fingerprint type, fingerprint

There are 6 parts to each record, or 7 if you count the TTL. These should be straightforward except for the algorithm number and the fingerprint type.

As of April 2012, there are 3 algorithms, and two fingerprint types.


 * algo 1 is RSA
 * algo 2 is DSA
 * algo 3 is ECDSA

ECDSA is the newest, and considered the most secure. It is available in OpenSSH.


 * fingerprint 1 is SHA-1
 * fingerprint 2 is SHA-256

There are concerns about the security of SHA-1, though as of 2012 nothing had been demonstrated that would cause it to be considered broken. However, SHA-256 has been implemented to address the concerns about SHA-1.

Finding a host's SSHFP record
To determine the SSHFP of a host, run the following command ON THE HOST you are wondering about.

reaper@france:~$ ssh-keygen -r france.fudo.org
france.fudo.org IN SSHFP 1 1 fdbb89b012b66170259a4b773f6eefe5fd782358
france.fudo.org IN SSHFP 1 2 a716e5547c9c4a68f916c06c3b6b7e08fa4d234643ab4b7e6e5eb1c5127f613d
france.fudo.org IN SSHFP 2 1 15d314c6c71b99b720906f227c56c8bc9e74e545
france.fudo.org IN SSHFP 2 2 c5be6da4fc7fb09cedde24b98b41ac6ac3782d94785e7d103e89716407a454af
france.fudo.org IN SSHFP 3 1 e1a436e31325daa79b803a48a9326a056bc3fbdd
france.fudo.org IN SSHFP 3 2 f9e3c9b1df3569c99ea3c5af4e9686d90ae778b484af86d37e96603e9895ea7d

Careful: the argument you give to -r is copied verbatim into the name field of the output, so it may not match your actual hostname.

Example with a bad hostname:

reaper@silverstar:~$ ssh-keygen -r whatever.something.fake
whatever.something.fake IN SSHFP 1 1 253d9636219be6aec03d06359837e0604b370372
whatever.something.fake IN SSHFP 2 1 6c3c958ae43d953f92f40e0d84157f4fe7b4a898

When ssh-keygen isn't enough
As of 2012, ssh-keygen only generated 2 SSHFP records, while 6 types are defined. As of 2016, this has been fixed and is no longer an issue.

So you can produce the SSHFP data in a more manual way.

To create an IN SSHFP 2 1 record:

reaper@silverstar:~$ awk '{print $2}' /etc/ssh/ssh_host_dsa_key.pub | openssl base64 -d -A | openssl sha1
(stdin)= 888c42ac003c2bef3a7b7245f96f9b97e6cb645a

Or for IN SSHFP 2 2:

reaper@silverstar:~$ awk '{print $2}' /etc/ssh/ssh_host_dsa_key.pub | openssl base64 -d -A | openssl sha256
(stdin)= c0f6e18376b4a69424542e58449720345e3d81a12e95b3db67997f2076ce844f

Or for IN SSHFP 3 2:

reaper@silverstar:~$ awk '{print $2}' /etc/ssh/ssh_host_ecdsa_key.pub | openssl base64 -d -A | openssl sha256
(stdin)= 4979bc8265cb6f1cd90cfa81f7009db8e5d57e24f19b83f6d7d155c796c0b4c6
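The awk/openssl pipelines above, reimplemented in Python as an added example (not part of the original page): it base64-decodes the key blob from a public key line, maps the key type prefix to the SSHFP algorithm number, emits both fingerprint types, and additionally checks that the type string embedded in the blob matches the text prefix. The hostname and key material in the demo are constructed, not real keys.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers for the key types the page lists
# (1 = RSA, 2 = DSA, 3 = ECDSA); any other prefix is rejected.
ALGORITHM_NUMBERS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                     "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256
FINGERPRINT_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}


def decode_pubkey_line(line):
    """Split 'type base64 [comment]' into (key_type, raw_blob), like
    `awk '{print $2}' | openssl base64 -d -A`, and check the blob's
    embedded type string against the text prefix."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type = fields[0]
    blob = base64.b64decode(fields[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    # The wire-format blob begins with a 4-byte length and the type string.
    (type_len,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + type_len].decode("ascii", "replace")
    if embedded != key_type:
        raise ValueError("key type mismatch: %s vs %s" % (key_type, embedded))
    return key_type, blob


def sshfp_records(hostname, line):
    """Return zone-file SSHFP lines (both fingerprint types) for one key line."""
    key_type, blob = decode_pubkey_line(line)
    if key_type not in ALGORITHM_NUMBERS:
        raise ValueError("no SSHFP algorithm number for %s" % key_type)
    algo = ALGORITHM_NUMBERS[key_type]
    return ["%s IN SSHFP %d %d %s" % (hostname, algo, fp, h(blob).hexdigest())
            for fp, h in sorted(FINGERPRINT_HASHES.items())]


def make_constructed_line(key_type, payload):
    """Wrap a constructed (not real) key blob in a well-formed public key line."""
    blob = struct.pack(">I", len(key_type)) + key_type.encode() + payload
    return "%s %s constructed@example" % (key_type, base64.b64encode(blob).decode())


if __name__ == "__main__":
    for rec in sshfp_records("host.example.", make_constructed_line("ssh-rsa", b"\x00\x00\x00\x01\x03")):
        print(rec)
```

Point it at a real `/etc/ssh/ssh_host_*_key.pub` line and the hex digests should match the openssl output above for the same key.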

New Hosts
Any new FUDO host running SSH should provide the hostmaster, which is reaper, with the SSHFP records for the host, so they can be entered in the DNS and used to verify SSH sessions.

Client Usage
You want to ensure that OpenSSH's client checks DNS for SSHFP records:

Command line
You can specify DNS checking on the command line:

somehost# ssh -o "VerifyHostKeyDNS yes" 

Typing this all the time would be tedious, boring, and a time waste. The next section tells how to turn this option on for all queries.

SSH options
To instruct ssh to check DNS for SSHFP records, add the following config statement to one of these files:

Host *
    VerifyHostKeyDNS yes

 * ~/.ssh/config         -- for just one user
 * /etc/ssh/ssh_config   -- for all users (recommended)