Verifying SSH Key Fingerprints with DNS records

SSHFP is a DNS resource record type (RFC 4255) that publishes the fingerprints of a host's SSH keys, so that a client connecting to that host can check the host key it is offered against DNS.

Doing this prevents users from blindly typing 'yes' when asked whether they want to continue connecting to an SSH host whose authenticity cannot be established.

Most people just type 'yes' without checking whether the fingerprint is correct, which defeats the purpose of the prompt.

When the records are signed with DNSSEC and the client is configured to use them, SSH verifies the fingerprint automatically and skips the prompt altogether.

If the authenticity of the host is unknown because you have never logged in to it before, you are greeted by a very familiar prompt, and most users just type yes without checking that they really are connecting to the right machine. (A host whose key has changed since your last login produces the much louder 'REMOTE HOST IDENTIFICATION HAS CHANGED' warning instead.)

$ ssh root@myserverplace.de
The authenticity of host 'myserverplace.de (148.251.100.157)' can't be established.
ECDSA key fingerprint is SHA256:y2STsQ4RA/8durhpic+pb6UjcKwz7+bUaKX3C40yOGk.
Are you sure you want to continue connecting (yes/no)?
Warning: Permanently added 'myserverplace.de' (ECDSA) to the list of known hosts.

Generating SSH Key Fingerprint records

To generate the DNS records, log in to the server and run ssh-keygen -r with the host name you want in the records. With no -f file it prints records for each host key in /etc/ssh; add the relevant ones to the zone on your DNS server.

$ ssh-keygen -r myserverplace.de
myserverplace.de IN SSHFP 1 1 db744817e8d6ac2027e6629aac7f0fc1750f6588
myserverplace.de IN SSHFP 1 2 a61db02b9b26ca48663c3272821b451773c7cd1e9a412f5a09994ec8f8738c79
myserverplace.de IN SSHFP 2 1 493a9e6a4b5078b1d0c5424aecf817ea54e1dfdf
myserverplace.de IN SSHFP 2 2 064b9dd10805069eb508bd087a37db61fda2107138924112ded3ccdbaafd6cb3
myserverplace.de IN SSHFP 3 1 7c4b9b9105d6a0d7aacf44534a7800fc10466683
myserverplace.de IN SSHFP 3 2 cb6493b10e1103ff1dbab86989cfa96fa52370ac33efe6d468a5f70b8d323869
myserverplace.de IN SSHFP 4 1 69ac080ccf6cd52f4788373bd4dca21731e69713
myserverplace.de IN SSHFP 4 2 7cae4ff942899f8e155bfc675e72e4146a1bf4107977fe73c6cffa8f3fda8fc3

Each line contains the following information. The two numbers after SSHFP are the algorithm number and the fingerprint type; the hash is the hex digest of the raw public key blob (the base64 part of the .pub file, decoded).

  #  Hostname          Algorithm  Fingerprint type  Hash
  1  myserverplace.de  RSA        SHA-1             db744817e8d6ac2027e6629aac7f0fc1750f6588
  2  myserverplace.de  RSA        SHA-256           a61db02b9b26ca48663c3272821b451773c7cd1e9a412f5a09994ec8f8738c79
  3  myserverplace.de  DSA        SHA-1             493a9e6a4b5078b1d0c5424aecf817ea54e1dfdf
  4  myserverplace.de  DSA        SHA-256           064b9dd10805069eb508bd087a37db61fda2107138924112ded3ccdbaafd6cb3
  5  myserverplace.de  ECDSA      SHA-1             7c4b9b9105d6a0d7aacf44534a7800fc10466683
  6  myserverplace.de  ECDSA      SHA-256           cb6493b10e1103ff1dbab86989cfa96fa52370ac33efe6d468a5f70b8d323869
  7  myserverplace.de  ED25519    SHA-1             69ac080ccf6cd52f4788373bd4dca21731e69713
  8  myserverplace.de  ED25519    SHA-256           7cae4ff942899f8e155bfc675e72e4146a1bf4107977fe73c6cffa8f3fda8fc3

Algorithm

  1. RSA (RFC 4255)
  2. DSA (RFC 4255)
  3. ECDSA (RFC 6594)
  4. ED25519 (RFC 7479)

Avoid DSA: OpenSSH limits it to 1024-bit keys and has disabled it by default since version 7.0. ECDSA with the NIST curves is widely supported and usable, but every ECDSA signature depends on fresh, unpredictable randomness (a bad RNG leaks the private key), and the provenance of the NIST curves is a common reason to prefer Ed25519. Ed25519 is the strongest choice mathematically (and the fastest); its one drawback, at the time this was written, was that older clients and servers did not support it. As a bonus, ssh-keygen has always stored Ed25519 private keys in the newer OpenSSH key format, whose bcrypt-based passphrase protection is far stronger than the legacy PEM format; other key types only got that format by default in OpenSSH 7.8 (use ssh-keygen -o on older versions). RSA, with keys of at least 3072 bits, is the best bet if you cannot use Ed25519.

Fingerprint type

  1. SHA-1 (RFC 4255)
  2. SHA-256 (RFC 6594)

Use the SHA-256 records. SHA-1 is deprecated and is only kept for clients that predate RFC 6594; since ssh-keygen -r prints both types, drop the type 1 lines before publishing if no such clients remain.

DNS Records

After adding the records you can check that they are published with dig. In this case only the ECDSA and Ed25519 records were published. Note that dig prints the hash in uppercase and breaks a long rdata field with a space; that is display formatting, not a second field:

$ dig SSHFP +noadditional +noquestion +nocomments +nocmd +nostats myserverplace.de
myserverplace.de.	10539	IN	SSHFP	4 2 7CAE4FF942899F8E155BFC675E72E4146A1BF4107977FE73C6CFFA8F 3FDA8FC3
myserverplace.de.	10539	IN	SSHFP	3 1 7C4B9B9105D6A0D7AACF44534A7800FC10466683
myserverplace.de.	10539	IN	SSHFP	3 2 CB6493B10E1103FF1DBAB86989CFA96FA52370AC33EFE6D468A5F70B 8D323869
myserverplace.de.	10539	IN	SSHFP	4 1 69AC080CCF6CD52F4788373BD4DCA21731E69713

SSH Client

Add VerifyHostKeyDNS to ~/.ssh/config or to the global /etc/ssh/ssh_config; with it set, ssh looks up the host's SSHFP records and compares them against the host key it is offered. The option accepts yes, no and ask: with yes, a key that matches a DNSSEC-validated (secure) record is trusted without asking, and an unvalidated match is treated as if the option were ask; with ask, ssh reports whether DNS agrees but still asks you to confirm the key. Scope the Host pattern to the domains you control if you do not want every connection to trigger the lookup.

Host *
    VerifyHostKeyDNS yes

Connecting to SSH with SSHFP

Connecting now produces the following prompt. Without DNSSEC you still get the prompt, but with a new line, Matching host key fingerprint found in DNS, in the output.

$ ssh root@myserverplace.de
The authenticity of host 'myserverplace.de (148.251.100.157)' can't be established.
ECDSA key fingerprint is SHA256:y2STsQ4RA/8durhpic+pb6UjcKwz7+bUaKX3C40yOGk.
Matching host key fingerprint found in DNS.
Are you sure you want to continue connecting (yes/no)?

Two things are worth noticing in that prompt. The client negotiated the ECDSA host key, so it is the ECDSA record that has to be in DNS: publish a record for every host key type the server offers, or clients that pick an unpublished type will never match. And the SHA256:... fingerprint in the prompt is the same SHA-256 digest as the type 2 SSHFP record for that key, just base64 encoded instead of hex (y2ST... above is the cb6493... record), so the two can be compared by hand.

With DNSSEC in place, that is, the zone signed and ssh talking to a validating resolver that sets the AD bit on the answer, the match counts as secure: ssh connects right away and does not add an entry to ~/.ssh/known_hosts, because the key is trusted from DNS on every connection rather than pinned on first use. Before relying on this, run ssh -v and look for 'found N secure fingerprints in DNS'; 'found N insecure fingerprints in DNS' means the RRset arrived without validation and the prompt stays. dig +dnssec SSHFP myserverplace.de against the resolver ssh uses should show the ad flag in the header and an RRSIG for the SSHFP RRset. The AD bit is only as trustworthy as the path to the resolver, so validate on localhost rather than trusting a resolver across the network, and on glibc-based systems check that the stub resolver passes the AD bit through (depending on the glibc and OpenSSH versions, options trust-ad in /etc/resolv.conf may be needed). Finally, update the records whenever a host key is rotated; otherwise ssh warns about the mismatch and tells you to update the SSHFP RR.
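The script below is an added example for the two halves of this article (generating the records and the client-side match); it is not code from the article or from OpenSSH. It reproduces what ssh-keygen -r computes, a SHA-1 or SHA-256 digest over the raw public key blob (the bytes the server sends during key exchange), and what ssh does with the SSHFP RRset when VerifyHostKeyDNS is set: pick the records whose algorithm number matches the offered key type and compare digests. It also converts a type 2 record into the SHA256:... form the prompt shows. The key it hashes is a constructed 32-byte pattern packed into the ssh-ed25519 wire format, not a real key; the hostname and the dig-style record lines are taken from the article.

```python
"""SSHFP records: generate them from an OpenSSH public key, then check a host key against them.

Added example, not code from the article or from OpenSSH. The sample key is a
constructed 32-byte pattern packed into the ssh-ed25519 wire format (not a real
key); the hostname and the dig-style record lines are taken from the article.
"""
from __future__ import annotations

import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479), keyed by the key
# type string that starts an OpenSSH public key line.
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}

# SSHFP fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594).
FINGERPRINT_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string': 4-byte big-endian length, then data."""
    return struct.pack(">I", len(data)) + data


# Constructed sample key, NOT a real one: an ssh-ed25519 blob is the key type
# as an SSH string followed by the 32-byte public key as an SSH string.
SAMPLE_ED25519_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_PUBKEY_LINE = "ssh-ed25519 " + base64.b64encode(SAMPLE_ED25519_BLOB).decode() + " sample-host"


def sshfp_records(hostname: str, pubkey_line: str) -> list[str]:
    """Return the SSHFP RRs for one public key line, in the format ssh-keygen -r prints."""
    key_type, blob_b64 = pubkey_line.split()[:2]
    if key_type not in SSHFP_ALGORITHMS:
        raise ValueError(f"no SSHFP algorithm number for key type {key_type}")
    # The digest covers the decoded blob, i.e. the exact bytes the server
    # sends during key exchange, which is what the client hashes as well.
    blob = base64.b64decode(blob_b64)
    algorithm = SSHFP_ALGORITHMS[key_type]
    return [
        f"{hostname} IN SSHFP {algorithm} {fptype} {digest(blob).hexdigest()}"
        for fptype, digest in FINGERPRINT_TYPES.items()
    ]


def parse_sshfp_rdata(rdata: str) -> tuple[int, int, str]:
    """Parse 'alg type hex' as dig prints it.

    dig shows the hash in uppercase and may wrap a long rdata field with an
    embedded space, so whitespace is stripped and the hex lowercased.
    """
    fields = rdata.split()
    return int(fields[0]), int(fields[1]), "".join(fields[2:]).lower()


def display_fingerprint(sha256_hex: str) -> str:
    """Turn a type-2 SSHFP hash into the SHA256:... form the ssh prompt shows.

    Both are the same SHA-256 digest of the key blob; the prompt uses unpadded
    base64 where the DNS record uses hex, so the two can be compared by hand.
    """
    return "SHA256:" + base64.b64encode(bytes.fromhex(sha256_hex)).decode().rstrip("=")


def host_key_matches_dns(pubkey_line: str, rrset: list[str], min_fptype: int = 2) -> bool:
    """Client-side check: does the offered host key match an SSHFP RR in rrset?

    Records for other algorithms are skipped, as are fingerprint types below
    min_fptype (default: SHA-256 only, so a stale SHA-1 record is not enough).
    Whether the RRset was DNSSEC-validated is a property of the resolver's
    answer (the AD bit), not of the record data, so it is not modelled here.
    """
    key_type, blob_b64 = pubkey_line.split()[:2]
    algorithm = SSHFP_ALGORITHMS.get(key_type)
    if algorithm is None:
        return False
    blob = base64.b64decode(blob_b64)
    for rdata in rrset:
        rr_alg, rr_type, rr_hex = parse_sshfp_rdata(rdata)
        if rr_alg != algorithm or rr_type < min_fptype or rr_type not in FINGERPRINT_TYPES:
            continue
        if FINGERPRINT_TYPES[rr_type](blob).hexdigest() == rr_hex:
            return True
    return False


if __name__ == "__main__":
    for record in sshfp_records("myserverplace.de", SAMPLE_PUBKEY_LINE):
        print(record)
    # The article's published ECDSA record as dig shows it, converted to the
    # form the ssh prompt displayed for the same key.
    _, _, ecdsa_hex = parse_sshfp_rdata(
        "3 2 CB6493B10E1103FF1DBAB86989CFA96FA52370AC33EFE6D468A5F70B 8D323869"
    )
    print(display_fingerprint(ecdsa_hex))
```

Run as a script it prints the two records for the constructed key in ssh-keygen -r format, followed by SHA256:y2STsQ4RA/8durhpic+pb6UjcKwz7+bUaKX3C40yOGk, the fingerprint the prompt above showed for the published ECDSA record. The DNSSEC decision is deliberately left out of host_key_matches_dns: the data cannot tell you whether it was validated, which is exactly why the path from ssh to a validating resolver has to be trusted.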

References

  1. RFC 4255, Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints
  2. RFC 6594, Use of the SHA-256 Algorithm with RSA, Digital Signature Algorithm (DSA), and Elliptic Curve DSA (ECDSA) in SSHFP Resource Records
  3. RFC 7479, Using Ed25519 in SSHFP Resource Records