
SSH Option VerifyHostKeyDNS

Novell Cool Solutions: Tip
By Arndt Stajta


Posted: 16 Nov 2006


Every time an SSH connection is established to a server that is not yet known, the client asks the user to confirm the fingerprint of the server's public host key.


This check can be automated with a feature of OpenSSH that looks up the host key fingerprint in DNS (SSHFP records).

Requirements: OpenSSH 3.4 or later
BIND 9.3.0 or later

First, a server host key is needed; if it does not exist yet, generate one (it is normally created during the installation process).

If the key already exists, print its SSHFP resource record with ssh-keygen:

# ssh-keygen -r hostname -f filename

For example:

# ssh-keygen -r host -f /etc/ssh/ssh_host_dsa_key

This output goes into the BIND zone file for the host; copying and pasting it avoids transcription errors in the fingerprint.

The entry should look like this:

host.example. IN A IP-Address
              IN SSHFP 1 1 123456789abcdef67890123456789abcdef67890
              IN SSHFP 2 1 123456789abcdef67890123456789abcdef67890

To test whether the DNS server answers SSHFP queries:

# dig -t SSHFP hostname

To connect to the server there are two options:

# ssh -o "VerifyHostKeyDNS ask" hostname

With "ask", the user is still prompted to confirm the key with yes or no.

The other option connects without prompting when the key matches the DNS record:

# ssh -o "VerifyHostKeyDNS yes" hostname

The VerifyHostKeyDNS option can also be set in the global section of the ssh_config configuration file, so that it applies to every connection.
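As an added example (not part of the original tip and not OpenSSH's own code), the following Python reproduces what the ssh-keygen -r step above computes and what the client's VerifyHostKeyDNS comparison then does: the SSHFP fingerprint is simply a hash over the raw, base64-decoded key blob from the public key file, and the client recomputes it from the key the server presents and compares it with the record. It goes slightly beyond the tip by also covering fingerprint type 2 (SHA-256) and the ECDSA and Ed25519 algorithm numbers from the later RFCs. The key line it works on is constructed inline (a correctly framed blob around constant bytes, not a real key), and the owner name host.example. is the tip's own placeholder.

```python
"""Build and check SSHFP records from an OpenSSH public key line.

Added example for this tip; not part of the original article or of OpenSSH.
"""
import base64
import hashlib
import hmac
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479) by OpenSSH key type.
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}

# SSHFP fingerprint types: 1 = SHA-1 (what the tip's records use), 2 = SHA-256.
FP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


def sshfp_fingerprint(pubkey_line, fp_type=1):
    """Return (algorithm, fp_type, hex_digest) for one public key line.

    The digest is taken over the base64-decoded key blob, i.e. the same bytes
    that `ssh-keygen -r` hashes.
    """
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<keytype> <base64 blob> [comment]'")
    keytype, b64 = fields[0], fields[1]
    if keytype not in SSHFP_ALGORITHM:
        raise ValueError("unsupported key type %r" % keytype)
    if fp_type not in FP_HASH:
        raise ValueError("unknown SSHFP fingerprint type %r" % fp_type)
    blob = base64.b64decode(b64, validate=True)  # binascii.Error is a ValueError
    if len(blob) < 4:
        raise ValueError("key blob too short")
    # The blob starts with a length-prefixed copy of the key type string;
    # reject a line whose text field disagrees with its own blob.
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen] != keytype.encode():
        raise ValueError("key type field does not match the key blob")
    return SSHFP_ALGORITHM[keytype], fp_type, FP_HASH[fp_type](blob).hexdigest()


def sshfp_record(owner, pubkey_line, fp_type=1):
    """Render a zone-file line such as 'host.example. IN SSHFP 4 1 <hex>'."""
    alg, fpt, digest = sshfp_fingerprint(pubkey_line, fp_type)
    return "%s IN SSHFP %d %d %s" % (owner, alg, fpt, digest)


def matches_sshfp(pubkey_line, rdata):
    """True if the presented key matches one SSHFP RDATA string 'alg fptype hex'.

    This is the client-side comparison; it only answers whether the key matches
    the record, not whether the record itself was obtained from DNS securely.
    """
    parts = rdata.split()
    if len(parts) != 3:
        return False
    try:
        alg, fpt = int(parts[0]), int(parts[1])
        got_alg, _, got_digest = sshfp_fingerprint(pubkey_line, fpt)
    except ValueError:
        return False
    return got_alg == alg and hmac.compare_digest(got_digest, parts[2].lower())


def constructed_ed25519_pubkey(fill=0x42):
    """Constructed ssh-ed25519 public key line for this example (not a real key):
    a correctly framed blob around 32 constant bytes, as found in a .pub file."""
    keytype = b"ssh-ed25519"
    raw = bytes([fill]) * 32
    blob = struct.pack(">I", len(keytype)) + keytype + struct.pack(">I", len(raw)) + raw
    return "ssh-ed25519 %s constructed@example" % base64.b64encode(blob).decode()


if __name__ == "__main__":
    key = constructed_ed25519_pubkey()
    for fpt in (1, 2):
        print(sshfp_record("host.example.", key, fpt))
```

Running the block prints the two zone-file lines (SHA-1 and SHA-256) for the constructed key, in the same layout as the entry shown above. Note what the match does not tell you: with VerifyHostKeyDNS yes, OpenSSH accepts a key unattended only when the SSHFP answer was validated by DNSSEC; a match from an unvalidated answer still produces a confirmation prompt, because an unsigned DNS reply could have been substituted on the way to the client.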

Source: manual pages ssh-keygen(1), ssh(1), ssh_config(5)
First seen in German MISC Magazin

