How to generate SSH Fingerprint DNS records

ssh-keygen -f /etc/ssh/ssh_host_rsa_key.pub -r hostname
ssh-keygen -f /etc/ssh/ssh_host_dsa_key.pub -r hostname

You can put the output straight into your DNS zone file.

To convert it to tinydns/djbdns style:

ssh-keygen -f /etc/ssh/ssh_host_rsa_key.pub -r hostname | perl -e 'while (defined($line = <STDIN>)) {
   my ($host, $in, $sshfp, $alg, $fptype, $fp) = split " ", $line;
   printf(":%s:44:\\%03o\\%03o",$host, $alg, $fptype);
   for (my $i = 0; $i < length($fp); $i += 2) { printf("\\%03o", hex substr($fp, $i, 2)); } 
   print ":\n"
   }'

All-in-one script

( [ -e /etc/ssh/ssh_host_rsa_key.pub ] && ssh-keygen -f /etc/ssh/ssh_host_rsa_key.pub -r `hostname` ;
  [ -e /etc/ssh/ssh_host_dsa_key.pub ] && ssh-keygen -f /etc/ssh/ssh_host_dsa_key.pub -r `hostname` ) | perl -e '
while (defined($line = <STDIN>)) {
   my ($host, $in, $sshfp, $alg, $fptype, $fp) = split " ", $line;
   printf(":%s:44:\\%03o\\%03o",$host, $alg, $fptype);
   for (my $i = 0; $i < length($fp); $i += 2) { printf("\\%03o", hex substr($fp, $i, 2)); } 
   print ":\n"
   }'

You can also generate SSHFP records from your known hosts file, using the command sshfp. This tool is included in Fedora, although you may need to run yum install sshfp to install it first. Then you can run:

sshfp -a

Or combined with the perl script:

sshfp -a | perl -e '
   while (defined($line = <STDIN>)) {
   my ($host, $in, $sshfp, $alg, $fptype, $fp) = split " ", $line;
   printf(":%s:44:\\%03o\\%03o",$host, $alg, $fptype);
   for (my $i = 0; $i < length($fp); $i += 2) { printf("\\%03o", hex substr($fp, $i, 2)); } 
   print ":\n"
   }
'

Client configuration

SSH Fingerprints are useless if your client simply ignores them. Add the following line to /etc/ssh/ssh_config:

VerifyHostKeyDNS yes

Python

When Perl is not available, you can switch to using this python script:

( [ -e /etc/ssh/ssh_host_rsa_key.pub ] && ssh-keygen -f /etc/ssh/ssh_host_rsa_key.pub -r `hostname` ;
  [ -e /etc/ssh/ssh_host_dsa_key.pub ] && ssh-keygen -f /etc/ssh/ssh_host_dsa_key.pub -r `hostname` ) | python -c '
import sys
import re

line = sys.stdin.readline()
while line:
        # fields: host IN SSHFP algorithm fingerprint-type hex-fingerprint
        pat=re.split(" |\n",line)
        sys.stdout.write( ":%s:44:\\%03o\\%03o" % ( pat[0], int(pat[3]), int(pat[4])) )
        # emit every fingerprint byte as a \NNN octal escape (// keeps this working on Python 3)
        for i in range(0, len(pat[5])//2):
                sys.stdout.write( "\\%03o" % int("0x"+pat[5][i*2]+pat[5][i*2+1],16) )
        sys.stdout.write(":\n")
        line = sys.stdin.readline()
'

Awk

And finally an awk version:

( [ -e /etc/ssh/ssh_host_rsa_key.pub ] && ssh-keygen -f /etc/ssh/ssh_host_rsa_key.pub -r `hostname` ;
  [ -e /etc/ssh/ssh_host_dsa_key.pub ] && ssh-keygen -f /etc/ssh/ssh_host_dsa_key.pub -r `hostname` ) | \
                awk '{ # fields: $1 host, $4 algorithm, $5 fingerprint type, $6 hex fingerprint
                        printf ":" $1 ":44:\\%03o\\%03o", $4, $5;
                        # strtonum() is a gawk extension; each hex byte becomes a \NNN octal escape
                        for ( i=1; i<=length($6); i+=2 ){
                                printf "\\%03o", strtonum("0x" substr($6,i,2))
                        }
                print ":" }'
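As an added example that is not part of the original post, the following Python 3 script builds the SSHFP records directly from an OpenSSH public-key line instead of parsing ssh-keygen output, covering the SHA-1 fingerprint type used above and the SHA-256 type later RFCs added, and prints both the zone-file and the tinydns form; the key line it hashes is constructed for the demo and is not a real key.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479), keyed by the
# key-type token that starts an OpenSSH public-key line.
SSHFP_ALGORITHM = {
    "ssh-rsa": 1, "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3, "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1 (what the post's scripts emit), 2 = SHA-256.
FP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


def sshfp_records(pubkey_line):
    """Return [(alg, fptype, hex_fingerprint), ...] for one public-key line."""
    keytype, b64 = pubkey_line.split()[:2]
    # The fingerprint is the hash of the raw key blob, which is what ssh-keygen -r hashes.
    blob = base64.b64decode(b64)
    alg = SSHFP_ALGORITHM[keytype]
    return [(alg, fptype, h(blob).hexdigest()) for fptype, h in FP_HASH.items()]


def zone_line(hostname, alg, fptype, hex_fp):
    """Presentation format for a BIND-style zone file."""
    return "%s IN SSHFP %d %d %s" % (hostname, alg, fptype, hex_fp)


def tinydns_line(hostname, alg, fptype, hex_fp):
    """tinydns generic record (type 44): rdata bytes as \\NNN octal escapes."""
    rdata = bytes([alg, fptype]) + bytes.fromhex(hex_fp)
    return ":%s:44:%s:" % (hostname, "".join("\\%03o" % b for b in rdata))


def _ssh_string(b):
    return struct.pack(">I", len(b)) + b


# Constructed sample: a well-formed ssh-ed25519 key line whose 32 key bytes
# are simply 0x00..0x1f. It is not a real key.
SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_LINE = "ssh-ed25519 %s root@host" % base64.b64encode(SAMPLE_BLOB).decode()

if __name__ == "__main__":
    for alg, fptype, fp in sshfp_records(SAMPLE_LINE):
        print(zone_line("host.example.com", alg, fptype, fp))
        print(tinydns_line("host.example.com", alg, fptype, fp))
```

ssh only accepts an SSHFP match without the usual host-key prompt when the resolver hands it back DNSSEC-validated (AD bit set), so the records should live in a signed zone to be of real use.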
© GeekLabInfo How to generate SSH Fingerprint DNS records is a post from GeekLab.info. You are free to copy materials from GeekLab.info, but you are required to link back to http://www.geeklab.info
