Article
1386
Problem:
Every time a new SSH connection is established to a host not yet known, ssh asks the user to confirm the fingerprint of the server's public host key.
Solution:
This can be automated with SSHFP records in DNS, a feature supported by OpenSSH and BIND.
Requirements: OpenSSH 3.4 or later, BIND 9.3.0 or later.
First, generate a server host key if one does not exist yet (normally this is done during installation).
Then print the SSHFP records for the host key:
# ssh-keygen -r hostname -f filename
Example:
# ssh-keygen -r host -f /etc/ssh/ssh_host_dsa_key
Paste the printed records into the host's zone in the BIND configuration; copy and paste avoids typing errors in the fingerprint.
The zone entry should look like this (first SSHFP field: 1 = RSA, 2 = DSA; second field: 1 = SHA-1 fingerprint; IP-Address is a placeholder):
host.example.    IN A      IP-Address
                 IN SSHFP  1 1 123456789abcdef67890123456789abcdef67890
                 IN SSHFP  2 1 123456789abcdef67890123456789abcdef67890
To test whether DNS answers SSHFP queries:
# dig -t SSHFP host.example.com
To connect to the server there are two options:
# ssh -o "VerifyHostKeyDNS ask" host.example.com
With "ask" the user is still prompted to confirm the key with yes or no.
The second option connects without prompting when the presented key matches the DNS record:
# ssh -o "VerifyHostKeyDNS yes" host.example.com
VerifyHostKeyDNS can also be set globally in ssh_config.
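As an added example (not from the original article and not OpenSSH's own code), the following Python computes the SSHFP record data that ssh-keygen -r prints for a public key and performs the comparison VerifyHostKeyDNS makes against a DNS answer. The ssh-ed25519 key line it uses is constructed for the demo, not a real host key, and the function names are the example's own.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, 6594, 7479) keyed by OpenSSH key type.
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594).
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}

def sshfp_rdata(pubkey_line, fptype=1):
    """SSHFP RDATA ("<alg> <fptype> <hex>") for one OpenSSH public key line.
    The fingerprint is the hash of the base64-decoded key blob, the same input
    ssh-keygen -r hashes."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    # The wire-format blob starts with its own key type string; check it agrees.
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != keytype.encode():
        raise ValueError("key type in blob does not match key type in line")
    digest = SSHFP_HASH[fptype](blob).hexdigest()
    return f"{SSHFP_ALGORITHM[keytype]} {fptype} {digest}"

def sshfp_matches(pubkey_line, rdata):
    """True if an SSHFP RDATA string from DNS matches the presented host key.
    This is the comparison VerifyHostKeyDNS performs, done case-insensitively
    because the hex fingerprint may be written either way in a zone file."""
    alg, fptype, fp = rdata.split()
    return sshfp_rdata(pubkey_line, int(fptype)).lower() == f"{alg} {fptype} {fp}".lower()

def constructed_ed25519_line():
    """Build a constructed (not real) ssh-ed25519 public key line for the demo."""
    name = b"ssh-ed25519"
    point = bytes(range(32))  # placeholder 32-byte key, constructed for this example
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(point)) + point
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " demo@example"

if __name__ == "__main__":
    line = constructed_ed25519_line()
    for fptype in (1, 2):
        print("host.example. IN SSHFP", sshfp_rdata(line, fptype))
```

OpenSSH skips the interactive confirmation on a match only when the resolver returns the SSHFP answer DNSSEC-validated; a matching but unsigned answer still falls back to the prompt. Algorithm numbers 3 and 4 and fingerprint type 2 were added after the RFC 4255 version this article cites.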
Source:
Manual: ssh-keygen(1), ssh(1), ssh_config(5)
First seen in the German MISC Magazin, http://www.miscmag.com/
http://www.ietf.org/rfc/rfc4255.txt