
Re: sshfp records



Rookie mistake from messing with this too late at night. Apparently it
only works with fully qualified domain names (therefore working more
like dig than host):

$ ssh -o VerifyHostKeyDNS=yes user@host
The authenticity of host 'host (192.168.1.52)' can't be established.
RSA key fingerprint is 6d:fd:09:59:e2:32:b8:3f:4e:ff:51:1f:58:5a:14:3a.
No matching host key fingerprint found in DNS.

$ ssh -o VerifyHostKeyDNS=yes user@host.example.com
The authenticity of host 'host.example.com (192.168.1.52)' can't be established.
RSA key fingerprint is 6d:fd:09:59:e2:32:b8:3f:4e:ff:51:1f:58:5a:14:3a.
Matching host key fingerprint found in DNS.

Not sure how I'm going to work around this. I may just dispense with
sshfp records for the time being, unless something jumps out at me.

--b
On Tue, Jan 22, 2013 at 1:20 PM, Bob Proulx <bob@proulx.com> wrote:
> Brad Alexander wrote:
>> Has anyone worked with sshfp records for openssh?
>
> No.  But I do have a suggestion.
>
>> I generated sshfp records:
>>
>> <host> IN SSHFP 1 1 5490056a2208c8ad2cf869f5c06470450c8a017a
>> <host> IN SSHFP 2 1 18aef47bc01264709f25ac9daebed236b45b6b45
>>
>> but when I ssh into the host (after deleting the records from
>> .ssh/known_hosts), I get:
>>
>> $ ssh -o VerifyHostKeyDNS=yes <user>@<host>
>> The authenticity of host 'janeway (192.168.224.52)' can't be established.
>> RSA key fingerprint is 6d:fd:09:59:e2:32:b8:3f:4e:ff:51:1f:58:5a:14:3a.
>> No matching host key fingerprint found in DNS.
>> Are you sure you want to continue connecting (yes/no)?
>>
>> Anyone got any idea why the key fingerprints aren't matching up?
>
> Add more verbosity to the command.  For example I see:
>
>   $ ssh -v -o VerifyHostKeyDNS=yes example.com
>   debug1: Server host key: RSA 1e:c8:2d:20:c7:dc:9b:10:1d:5b:85:bd:4c:95:9a:43
>   DNS lookup error: name does not exist
>   The authenticity of host 'example.com (192.0.43.10)' can't be established.
>
> That "DNS lookup error: name does not exist" tells me that I do not
> have sshfp records.
>
> Perhaps with more verbosity (adding -v) you will have a similarly
> informative message?
>
> Bob
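As an added illustration (not code from this thread), the script below builds SSHFP records from an OpenSSH public-key line the way `ssh-keygen -r` does (SHA-1 and SHA-256 over the raw key blob, per RFC 4255/6594/7479) and then checks a host key against a zone using an exact-name lookup with no search-domain expansion, which is why the short name misses and the FQDN matches. The key and zone are constructed sample data.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers keyed by OpenSSH key type (RFC 4255, RFC 6594, RFC 7479)
ALGORITHM = {
    "ssh-rsa": 1, "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3, "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1 (as used in the thread), 2 = SHA-256
FINGERPRINT = {1: hashlib.sha1, 2: hashlib.sha256}


def sshfp_records(owner, pubkey_line):
    """Return SSHFP RRs for one public-key line; the hash covers the decoded key blob."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    alg = ALGORITHM[keytype]
    return [f"{owner}. IN SSHFP {alg} {fpt} {h(blob).hexdigest()}"
            for fpt, h in FINGERPRINT.items()]


def parse_zone(text):
    """Index 'owner IN SSHFP alg fptype hex' lines by owner (lowercase, no trailing dot)."""
    zone = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 6 and parts[1:3] == ["IN", "SSHFP"]:
            owner = parts[0].rstrip(".").lower()
            zone.setdefault(owner, set()).add((int(parts[3]), int(parts[4]), parts[5].lower()))
    return zone


def host_key_in_dns(hostname, pubkey_line, zone):
    """Mimic VerifyHostKeyDNS: query exactly the name typed, so 'host' != 'host.example.com'."""
    records = zone.get(hostname.rstrip(".").lower(), set())
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    for alg, fpt, fp in records:
        h = FINGERPRINT.get(fpt)
        if alg == ALGORITHM[keytype] and h and h(blob).hexdigest() == fp:
            return True
    return False


# Constructed sample key (not a real host key): wire-format ed25519 blob with a dummy 32-byte point
_BLOB = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(range(32))
SAMPLE_KEY = "ssh-ed25519 " + base64.b64encode(_BLOB).decode() + " root@host.example.com"
SAMPLE_ZONE = "\n".join(sshfp_records("host.example.com", SAMPLE_KEY))

if __name__ == "__main__":
    zone = parse_zone(SAMPLE_ZONE)
    print(SAMPLE_ZONE)
    print("host:", host_key_in_dns("host", SAMPLE_KEY, zone))                           # False
    print("host.example.com:", host_key_in_dns("host.example.com", SAMPLE_KEY, zone))   # True
```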

