- Author
- Leo Vandewoestijne
- Publication date
- Feb 22, 2024
- Updated
- Feb 22, 2024
The SSHFP record in DNS
Introduction
Why do I want the SSHFP record?
- SSHFP makes it possible to automate host key validation. This is useful because human users rarely verify a host key fingerprint out of band when an SSH connection to a new host is initiated; they just type "yes".
Why is DANE better than SSHFP?
- Because DANE requires DNSSEC, whereas SSHFP records can be published and looked up without it: SSHFP was standardized before DNSSEC was deployable in a well-working way. Note, however, that an OpenSSH client only trusts an SSHFP match without prompting when the resolver reports the answer as DNSSEC-validated; an unsigned match only produces an informational message and the usual prompt.
Why is SSHFP better than DANE?
- Support for DANE is still experimental, while SSHFP is well supported.
Can't I use them both?
- The two could easily coexist.
1. What is an SSHFP Record?
An SSHFP record is a DNS resource record that stores a fingerprint (hash) of your SSH server's public host key. When combined with DNSSEC, SSHFP records allow SSH clients to verify that the host key presented by the server matches the fingerprint published in DNS, so the first connection no longer depends on the user eyeballing a fingerprint. This helps defend against man-in-the-middle (MITM) attacks.
2. Generate SSHFP Records
OpenSSH makes it easy to generate SSHFP records with the built-in command. Here's how:
1: Determine Your Hostname
Ensure your server has a fully qualified domain name in DNS, e.g., host.example.com.
2: Generate the SSHFP Record
Run the following command on your SSH server (root is not normally needed, since it only reads the public host key files):
ssh-keygen -r host.example.com
This command reads your server's host keys (usually found in /etc/ssh/) and prints their corresponding SSHFP records, one SHA-1 and one SHA-256 record per key. The output will look something like this (the digest values below are illustrative):
host.example.com IN SSHFP 1 1 0123456789abcdef0123456789abcdef01234567
host.example.com IN SSHFP 4 2 E6927F680FD9FE1EF8A6100559EF2C7958677577500048322F73FDD18EF93D37
Explanation:
- Field 1: The algorithm number (1 for RSA, 2 for DSA, 3 for ECDSA, 4 for Ed25519, 6 for Ed448).
- Field 2: The fingerprint type (1 for SHA-1, 2 for SHA-256). Clients prefer the SHA-256 record; the SHA-1 record is only there for older clients.
- Field 3: The hexadecimal digest, computed over the wire-encoded public key blob (the base64-decoded part of the .pub file), not over the text of the file.
3. Deploying the SSHFP Record in DNS
Edit Your DNS Zone File:
Log in to your DNS management console or edit your zone file for your domain.
Add the SSHFP Record(s):
Insert the generated SSHFP records into the zone file for your host. For example:
host.example.com. IN SSHFP 1 1 0123456789abcdef0123456789abcdef01234567
host.example.com. IN SSHFP 4 2 E6927F680FD9FE1EF8A6100559EF2C7958677577500048322F73FDD18EF93D37
You will have several records if your server has more than one host key type; publish them all, because the client only compares the record whose algorithm matches the key the server actually presents.
DNSSEC Signing:
To ensure the integrity and authenticity of your SSHFP records, sign your DNS zone with DNSSEC. Refer to your DNS provider's documentation or your own DNSSEC tooling (like dnssec-signzone for BIND) for instructions.
Reload/Update DNS:
Once the records are added and the zone is re-signed, reload your DNS server or allow your DNS provider to update the records.
Using SSHFP Records on the Client Side
Enable SSHFP Verification:
On the client machine, configure SSH to check SSHFP records by editing the SSH client configuration file (~/.ssh/config or /etc/ssh/ssh_config). The default for this option is no:
Host host.example.com
    VerifyHostKeyDNS yes
You could also set this option globally, outside any Host block, so that every connection benefits from published SSHFP records.
Connecting to the SSH Server:
When you run:
ssh user@host.example.com
the SSH client will look up the SSHFP records for host.example.com and compare them with the host key offered by the server. If one matches and the resolver reports the answer as DNSSEC-validated, the client trusts the host key without prompting you to verify it manually. If one matches but the answer is not validated, the client only prints that a matching fingerprint was found in DNS and still prompts as usual.
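The two halves of the procedure above, generating the records on the server (what ssh-keygen -r computes) and the client's comparison of a presented host key against them, as an added example that is not part of the original guide and not OpenSSH's own code. The digest is taken over the wire-encoded public key blob, exactly as RFC 4255 specifies. The host key used here is constructed from 32 arbitrary bytes so the script runs offline; it is not a real key pair, and the function and variable names are this example's own.

```python
"""SSHFP: generate records from an OpenSSH *.pub line and verify a host key."""
import base64
import hashlib
import hmac
import struct

# Algorithm numbers and fingerprint types from the SSHFP registry (RFC 4255,
# RFC 6594, RFC 7479, RFC 8709).
SSHFP_ALGO = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
              "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
              "ssh-ed25519": 4, "ssh-ed448": 6}
SSHFP_DIGEST = {1: hashlib.sha1, 2: hashlib.sha256}


def ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': big-endian uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def constructed_pubkey(raw: bytes) -> str:
    """Build a syntactically valid ssh-ed25519 *.pub line from 32 bytes.
    Constructed for this example only; it is not a usable key pair."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " root@host.example.com"


def key_blob(pubkey_line: str) -> tuple[int, bytes]:
    """Return (SSHFP algorithm number, decoded key blob) for one *.pub line."""
    keytype, b64 = pubkey_line.split()[:2]
    if keytype not in SSHFP_ALGO:
        raise ValueError(f"no SSHFP algorithm number for key type {keytype}")
    return SSHFP_ALGO[keytype], base64.b64decode(b64)


def sshfp_digest(pubkey_line: str, fptype: int) -> str:
    """Lowercase hex digest of the key blob for fingerprint type 1 or 2."""
    _, blob = key_blob(pubkey_line)
    return SSHFP_DIGEST[fptype](blob).hexdigest()


def sshfp_records(hostname: str, pubkey_line: str) -> list[str]:
    """The zone-file lines `ssh-keygen -r` would print for this key."""
    algo, _ = key_blob(pubkey_line)
    return [f"{hostname}. IN SSHFP {algo} {fptype} {sshfp_digest(pubkey_line, fptype)}"
            for fptype in SSHFP_DIGEST]


def parse_sshfp(record: str) -> tuple[int, int, str]:
    """Parse a zone-file line (optionally with TTL) into (algo, fptype, hex)."""
    fields = record.split()
    i = fields.index("SSHFP")
    return int(fields[i + 1]), int(fields[i + 2]), "".join(fields[i + 3:]).lower()


def verify_host_key(pubkey_line: str, records: list[str], dnssec_validated: bool) -> str:
    """Model of the client-side decision.

    'trusted'        a record matches and the answer was DNSSEC-validated
                     (the only case in which OpenSSH skips the prompt)
    'match-insecure' a record matches but the resolver did not validate it
    'mismatch'       records for this key type exist but none match
    'no-record'      nothing comparable was published
    """
    algo, blob = key_blob(pubkey_line)
    comparable = False
    for rec in records:
        r_algo, r_type, r_hex = parse_sshfp(rec)
        if r_algo != algo or r_type not in SSHFP_DIGEST:
            continue  # other key type, or a fingerprint type we cannot compute
        comparable = True
        ours = SSHFP_DIGEST[r_type](blob).hexdigest()
        if hmac.compare_digest(ours, r_hex):  # constant-time, like OpenSSH
            return "trusted" if dnssec_validated else "match-insecure"
    return "mismatch" if comparable else "no-record"


if __name__ == "__main__":
    key = constructed_pubkey(bytes(range(32)))
    records = sshfp_records("host.example.com", key)
    print("\n".join(records))
    print(verify_host_key(key, records, dnssec_validated=True))
```

The four outcomes of verify_host_key are the ones worth recognising in ssh -v output: only the DNSSEC-validated match suppresses the prompt, a match over an unsigned answer is informational, and a mismatch means the server's key changed without the zone being updated (or someone is in the middle).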
Troubleshooting
Use verbose mode to see the SSHFP lookup and whether a secure (DNSSEC-validated) match was found:
ssh -vvv user@host.example.com
Make sure your client's resolver performs DNSSEC validation and passes the result on: the client trusts the record only when the answer carries the authenticated data (AD) flag, which a plain stub resolver talking to a non-validating upstream never sets. On glibc-based systems the AD flag is additionally only handed to applications when resolv.conf enables the trust-ad option for that resolver.
Final Considerations
Multiple Records
It's common to publish SSHFP records for all host key types your server supports. If the client is configured to verify them, it will check the record corresponding to the key type presented by the server.
DNSSEC Dependency
The security of SSHFP relies on DNSSEC. Without DNSSEC, an attacker who can spoof DNS responses can simply publish an SSHFP record matching the key of their own MITM host, and the client has no way to tell it from the genuine one; this is why OpenSSH treats an unvalidated match as informational only.
Regular Updates
If you ever change or rotate your host keys, regenerate and update your SSHFP records, remove the records for keys that no longer exist, and remember that clients may cache the old records until the record TTL expires.
Conclusion
By following these steps, you can deploy SSHFP records to help secure your SSH connections via DNS-based host key verification. This not only improves security but also can streamline the first-time connection process for SSH clients. Enjoy the added layer of trust in your SSH setup!