Brad Alexander wrote:

> Has anyone worked with sshfp records for openssh?

No. But I do have a suggestion.

> I generated sshfp records:
>
> <host> IN SSHFP 1 1 5490056a2208c8ad2cf869f5c06470450c8a017a
> <host> IN SSHFP 2 1 18aef47bc01264709f25ac9daebed236b45b6b45
>
> but when I ssh into the host (after deleting the records from
> .ssh/known_hosts), I get:
>
> $ ssh -o VerifyHostKeyDNS=yes <user>@<host>
> The authenticity of host 'janeway (192.168.224.52)' can't be established.
> RSA key fingerprint is 6d:fd:09:59:e2:32:b8:3f:4e:ff:51:1f:58:5a:14:3a.
> No matching host key fingerprint found in DNS.
> Are you sure you want to continue connecting (yes/no)?
>
> Anyone got any idea why the key fingerprints aren't matching up?

Add more verbosity to the command. For example I see:

$ ssh -v -o VerifyHostKeyDNS=yes example.com
debug1: Server host key: RSA 1e:c8:2d:20:c7:dc:9b:10:1d:5b:85:bd:4c:95:9a:43
DNS lookup error: name does not exist
The authenticity of host 'example.com (192.0.43.10)' can't be established.

That "DNS lookup error: name does not exist" tells me that I do not have sshfp records. Perhaps with more verbosity (adding -v) you will have a similarly informative message?

Bob
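Added example (not part of the thread above, and not OpenSSH's own code): what an SSHFP record actually commits to, so that a mismatch like the one Brad reports can be checked by hand. An SSHFP RDATA is "algorithm fptype digest", where the digest is SHA-1 (fptype 1) or SHA-256 (fptype 2) over the raw host key blob, i.e. the base64 part of ssh_host_*_key.pub or of the known_hosts entry, decoded. The colon-separated fingerprint in the "authenticity can't be established" prompt is MD5 over that same blob, so it will never look like the SSHFP digest even when everything is correct. The key material below is constructed inline for the demo (a toy RSA modulus, a made-up Ed25519 point); the function names are mine, not OpenSSH's.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479).
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594).
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


def _string(b):
    """SSH wire 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def _mpint(x):
    """SSH wire 'mpint' for a non-negative integer (leading 0x00 if the
    top bit would otherwise be set)."""
    return _string(x.to_bytes((x.bit_length() + 8) // 8, "big"))


def constructed_pubkey_line(keytype, *wire_parts, comment="constructed"):
    """Build an OpenSSH public key line from wire-encoded components.
    Used only to fabricate demo keys; real keys come from ssh-keygen."""
    blob = _string(keytype.encode()) + b"".join(wire_parts)
    return f"{keytype} {base64.b64encode(blob).decode()} {comment}"


def parse_pubkey_line(line):
    """Accept 'keytype base64 [comment]' (a .pub file) or
    'host keytype base64 [comment]' (a known_hosts entry)."""
    fields = line.split()
    if fields and fields[0] not in SSHFP_ALGORITHM:
        fields = fields[1:]  # drop the known_hosts host field
    if len(fields) < 2 or fields[0] not in SSHFP_ALGORITHM:
        raise ValueError("not an OpenSSH public key line")
    keytype, blob = fields[0], base64.b64decode(fields[1])
    # The blob itself begins with the key type; the two must agree.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key type inside blob does not match text field")
    return keytype, blob


def sshfp_records(line, fptypes=(1, 2)):
    """(algorithm, fptype, hexdigest) tuples: the RDATA `ssh-keygen -r`
    prints for this key, one record per requested fingerprint type."""
    keytype, blob = parse_pubkey_line(line)
    alg = SSHFP_ALGORITHM[keytype]
    return [(alg, t, SSHFP_HASH[t](blob).hexdigest()) for t in fptypes]


def md5_fingerprint(line):
    """The colon form older OpenSSH shows in the host key prompt:
    MD5 over the same blob, hence unrelated in appearance to SSHFP."""
    _, blob = parse_pubkey_line(line)
    d = hashlib.md5(blob).hexdigest()
    return ":".join(d[i:i + 2] for i in range(0, len(d), 2))


def matches_dns(line, dns_records):
    """What VerifyHostKeyDNS needs: at least one published record with the
    same algorithm number, fingerprint type and digest as the offered key."""
    wanted = set(sshfp_records(line))
    present = {(a, t, h.lower()) for a, t, h in dns_records}
    return bool(wanted & present)


if __name__ == "__main__":
    # Constructed toy RSA key (tiny modulus, demo only; never deploy such a key).
    rsa = constructed_pubkey_line("ssh-rsa", _mpint(65537), _mpint(0xC0FFEE1234567891))
    print("prompt shows:", md5_fingerprint(rsa))
    for alg, fptype, digest in sshfp_records(rsa):
        print(f"<host> IN SSHFP {alg} {fptype} {digest}")
```

On a real host, `ssh-keygen -r <host> -f /etc/ssh/ssh_host_rsa_key.pub` emits the same records this computes, and `dig +short <host> SSHFP` shows what the resolver actually returns; a record published for algorithm 2 (DSA) will never match an RSA key even if the digest were right, and a digest taken from the MD5 prompt fingerprint instead of the key blob will never match anything.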