
Re: sshfp records



Brad Alexander wrote:
> Has anyone worked with sshfp records for openssh?

No.  But I do have a suggestion.

> I generated sshfp records:
> 
> <host> IN SSHFP 1 1 5490056a2208c8ad2cf869f5c06470450c8a017a
> <host> IN SSHFP 2 1 18aef47bc01264709f25ac9daebed236b45b6b45
> 
> but when I ssh into the host (after deleting the records from
> .ssh/known_hosts), I get:
> 
> $ ssh -o VerifyHostKeyDNS=yes <user>@<host>
> The authenticity of host 'janeway (192.168.224.52)' can't be established.
> RSA key fingerprint is 6d:fd:09:59:e2:32:b8:3f:4e:ff:51:1f:58:5a:14:3a.
> No matching host key fingerprint found in DNS.
> Are you sure you want to continue connecting (yes/no)?
> 
> Anyone got any idea why the key fingerprints aren't matching up?

Add more verbosity to the command.  For example I see:

  $ ssh -v -o VerifyHostKeyDNS=yes example.com
  debug1: Server host key: RSA 1e:c8:2d:20:c7:dc:9b:10:1d:5b:85:bd:4c:95:9a:43
  DNS lookup error: name does not exist
  The authenticity of host 'example.com (192.0.43.10)' can't be established.

That "DNS lookup error: name does not exist" tells me that I do not
have sshfp records.

Perhaps with more verbosity (adding -v) you will get a similar
informational message?

Bob

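As an added example (not code from the thread or from OpenSSH), the following Python script computes SSHFP records the way the RFC 4255 format defines them, as a hash of the base64-decoded key blob, and checks the key a server presents against the SSHFP records returned by DNS. The ed25519 key line it uses is constructed for the demonstration and is not a real key.

```python
"""Build SSHFP records for an OpenSSH public key and compare them with DNS."""
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479).
SSHFP_ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                    "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
                    "ssh-ed25519": 4}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256.
SSHFP_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}


def sshfp_records(pubkey_line, host="<host>"):
    """Return zone-file SSHFP records for one 'type base64 [comment]' key line.

    The fingerprint is the hash of the raw key blob, i.e. the base64-decoded
    second field, which is what ssh-keygen -r emits and what ssh looks up.
    """
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    (n,) = struct.unpack(">I", blob[:4])          # blob starts with its type
    if blob[4:4 + n].decode() != keytype:
        raise ValueError("key type inside blob does not match the line")
    alg = SSHFP_ALGORITHMS[keytype]
    return [f"{host} IN SSHFP {alg} {fptype} {h(blob).hexdigest()}"
            for fptype, h in SSHFP_HASHES.items()]


def parse_sshfp(rr):
    """Parse '<owner> IN SSHFP <alg> <fptype> <hex>' into (alg, fptype, hex)."""
    fields = rr.split()
    i = fields.index("SSHFP")
    return int(fields[i + 1]), int(fields[i + 2]), "".join(fields[i + 3:]).lower()


def dns_matches(pubkey_line, dns_rrs):
    """True if any DNS SSHFP RR matches the presented key (alg, type, hex)."""
    mine = {parse_sshfp(r) for r in sshfp_records(pubkey_line)}
    theirs = {parse_sshfp(r) for r in dns_rrs}
    return bool(mine & theirs)


def constructed_ed25519_line():
    """A CONSTRUCTED ssh-ed25519 key line (32 bytes of 0x01); not a real key."""
    blob = (struct.pack(">I", 11) + b"ssh-ed25519"
            + struct.pack(">I", 32) + b"\x01" * 32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " demo@example"


if __name__ == "__main__":
    for rr in sshfp_records(constructed_ed25519_line(), host="janeway"):
        print(rr)
```

Feeding the server's `/etc/ssh/ssh_host_*_key.pub` line into `sshfp_records` and the output of `dig +short <host> SSHFP` into `dns_matches` shows directly whether the published records correspond to the key the host actually presents.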