Saturday, January 15. 2011

SSH key fingerprints in DNS

Secure shell (SSH) is the workhorse of a UNIX system administrator. Due to its ability to secure connections, protect login details, provide authenticity and even tunnel traffic, SSH replaced telnet in the real world many years ago. Authenticity is not guaranteed automatically, though, and for administrators working with a large farm of servers it's important to ensure you're talking to the server you really wanted, and not something that has moved into its place. SSH employs a private/public asymmetric keying system, keeping a private key closely guarded and using the public key not only to secure the connection but to help prove that you're talking to the right server. Most SSH clients will allow you to remember the public key for a server after your first connection, ensuring subsequent connections are to the same server by revalidating a hash of this key, known as a “fingerprint”. To help validate the fingerprint on your first connection, you can store a fingerprint of the SSH server's public key in DNS for additional verification.

Most UNIX systems these days automatically generate a new key-pair for the SSH server upon installation, or at least the first time the SSH server is started. If you're installing an SSH server like OpenSSH (originally developed for the OpenBSD project, but now easily the most popular SSH package available), you'll need to generate your own keys before starting the server. Some systems prebuild weak keys (presumably because they're faster to generate and use), so it can be useful to regenerate fresh keys with stronger properties (note that DSA keys can only be 1024-bit keys). To generate a new key-pair for OpenSSH using a 1024-bit DSA key and a 4096-bit RSA key, and then restart your SSH server, you can use the following commands (change as appropriate):
Once you have your keys generated, you'll want to store their fingerprints in DNS. This is done using SSHFP records of the following format:

<hostname> IN SSHFP <key-type> <hash-type> <fingerprint>

Where the hostname is your hostname (obviously), the key type is

OpenSSH provides an easy way to extract the fingerprints from the key files. It's so easy because it even gives you the lines ready to be entered straight into your DNS zone file. To extract all of your fingerprints, you can use the following command (change the filenames where appropriate, but this targets the public key files in most installations):
If your DNS server doesn't support the SSHFP DNS record type, you can add the

your.host.name.here IN SSHFP 1 1 d9a0491e25eb1572f60ba46cca609842dc18bea4
your.host.name.here IN SSHFP 2 1 a5f4f0a939b5b52c75325fb0666f7ed6a2d78505

Most installations of OpenSSH don't seem to enable this by default. For testing, you can run OpenSSH like this:
And you should see something like this (notice the text in underline):
Once you have it working, you'll want to add

Unfortunately the great and powerful PuTTY doesn't support this yet, and may not for some time to come.

There are a few things left to remember, which seem obvious but could be forgotten:
Ultimately it's still best that you verify the public key fingerprint out-of-band (i.e. physically write it down while at the console of the server) and enter it into your

This only plugs a small hole and doesn't suddenly make your installation secure enough to be used by international spies. Use it in conjunction with a well-planned security implementation.
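As an added example (not the post's own code), here is how the SSHFP record format described above is produced and checked: the fingerprint is the hash of the raw key blob behind the base64 text of an OpenSSH public-key line, and a DNS-verifying client compares the key a server presents against the published record. It goes beyond the post by also emitting the SHA-256 fingerprint type (2) and the ECDSA/Ed25519 algorithm numbers from the later RFCs; the sample key is constructed and `make_rsa_key_line` is a helper written here.

```python
import base64
import hashlib
import hmac

# SSHFP algorithm numbers: RSA and DSA from RFC 4255, ECDSA from RFC 6594, Ed25519 from RFC 7479
KEY_ALGOS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
             "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
# SSHFP fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594)
FP_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}

def key_blob(pubkey_line):
    """Return (key type, raw key blob) from one OpenSSH public-key line."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    # The blob starts with its own length-prefixed type string; it must match the text prefix.
    if blob[4:4 + int.from_bytes(blob[:4], "big")] != keytype.encode():
        raise ValueError("key type prefix and key blob disagree")
    return keytype, blob

def sshfp_records(hostname, pubkey_line, fptypes=(1, 2)):
    """Zone-file SSHFP lines; the fingerprint hashes the raw blob, not the base64 text."""
    keytype, blob = key_blob(pubkey_line)
    return [f"{hostname} IN SSHFP {KEY_ALGOS[keytype]} {t} {FP_HASHES[t](blob).hexdigest()}"
            for t in fptypes]

def sshfp_matches(record, pubkey_line):
    """True if the key a server presents matches one published SSHFP record."""
    parts = record.split()
    i = parts.index("SSHFP")  # tolerates an owner name with TTL and class in front
    alg, fptype = int(parts[i + 1]), int(parts[i + 2])
    published = "".join(parts[i + 3:]).lower()  # dig may print the hex in chunks
    keytype, blob = key_blob(pubkey_line)
    if KEY_ALGOS.get(keytype) != alg or fptype not in FP_HASHES:
        return False
    return hmac.compare_digest(FP_HASHES[fptype](blob).hexdigest(), published)

def make_rsa_key_line(e, n):
    """Build an ssh-rsa public-key line in RFC 4253 wire format: string, mpint e, mpint n."""
    def ssh_string(b):
        return len(b).to_bytes(4, "big") + b
    def mpint(x):  # minimal big-endian two's complement: leading 0x00 byte if the top bit is set
        return ssh_string(x.to_bytes((x.bit_length() + 8) // 8, "big"))
    blob = ssh_string(b"ssh-rsa") + mpint(e) + mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode()

# Constructed toy key (tiny modulus), not a real host key; real input is /etc/ssh/ssh_host_*_key.pub
SAMPLE_KEY = make_rsa_key_line(65537, 0xC0FFEE1234567890ABCDEF)
if __name__ == "__main__":
    for line in sshfp_records("your.host.name.here", SAMPLE_KEY):
        print(line)
```

Run against a real host key file line, the type 1 record should be identical to the line ssh-keygen -r prints for that host.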