SSH fingerprinting, in this context, means publishing DNS records (SSHFP) that carry the server's host key fingerprints, so that any client logging into that machine can verify the key it is presented with.
Doing this prevents users from blindly typing 'yes' when asked whether they want to continue connecting to an SSH host whose authenticity is unknown.
Most people just type 'yes' without even checking whether the fingerprint is correct, which defeats the purpose of the prompt.
With the fingerprint records signed by DNSSEC, SSH verifies the fingerprint automatically and the prompt is skipped entirely.
If the authenticity of the host is unknown, either because you have not logged in before or because the machine's fingerprint has changed, you are greeted by a very familiar prompt, and most users just type yes without checking whether they are really connecting to the correct machine.
$ ssh firstname.lastname@example.org
The authenticity of host 'myserverplace.de (188.8.131.52)' can't be established.
ECDSA key fingerprint is SHA256:y2STsQ4RA/8durhpic+pb6UjcKwz7+bUaKX3C40yOGk.
Are you sure you want to continue connecting (yes/no)?
Warning: Permanently added 'myserverplace.de' (ECDSA) to the list of known hosts.
Generating SSH Key Fingerprint records
To generate the DNS records, log in to the server in question, run ssh-keygen to produce the records, and then add the relevant records to your DNS server.
$ ssh-keygen -r myserverplace.de
myserverplace.de IN SSHFP 1 1 db744817e8d6ac2027e6629aac7f0fc1750f6588
myserverplace.de IN SSHFP 1 2 a61db02b9b26ca48663c3272821b451773c7cd1e9a412f5a09994ec8f8738c79
myserverplace.de IN SSHFP 2 1 493a9e6a4b5078b1d0c5424aecf817ea54e1dfdf
myserverplace.de IN SSHFP 2 2 064b9dd10805069eb508bd087a37db61fda2107138924112ded3ccdbaafd6cb3
myserverplace.de IN SSHFP 3 1 7c4b9b9105d6a0d7aacf44534a7800fc10466683
myserverplace.de IN SSHFP 3 2 cb6493b10e1103ff1dbab86989cfa96fa52370ac33efe6d468a5f70b8d323869
myserverplace.de IN SSHFP 4 1 69ac080ccf6cd52f4788373bd4dca21731e69713
myserverplace.de IN SSHFP 4 2 7cae4ff942899f8e155bfc675e72e4146a1bf4107977fe73c6cffa8f3fda8fc3
Each line contains the following information: the host name, the class and record type (IN SSHFP), the key algorithm number (1 = RSA, 2 = DSA, 3 = ECDSA, 4 = Ed25519), the fingerprint type (1 = SHA-1, 2 = SHA-256) and the fingerprint itself as a hex string.
You should never use DSA or ECDSA. Ed25519 is probably the strongest mathematically (and also the fastest), but it is not yet widely supported. As a bonus, it has stronger encryption (password protection) of the private key by default than other key types. RSA is the best bet if you can't use Ed25519.
You shouldn't use SHA-1 fingerprints either, as they are less secure.
After adding the DNS records you can check very simply whether they are present:
$ dig SSHFP +noadditional +noquestion +nocomments +nocmd +nostats myserverplace.de
myserverplace.de. 10539 IN SSHFP 4 2 7CAE4FF942899F8E155BFC675E72E4146A1BF4107977FE73C6CFFA8F 3FDA8FC3
myserverplace.de. 10539 IN SSHFP 3 1 7C4B9B9105D6A0D7AACF44534A7800FC10466683
myserverplace.de. 10539 IN SSHFP 3 2 CB6493B10E1103FF1DBAB86989CFA96FA52370AC33EFE6D468A5F70B 8D323869
myserverplace.de. 10539 IN SSHFP 4 1 69AC080CCF6CD52F4788373BD4DCA21731E69713
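To see exactly what ssh-keygen -r computes and to check the records dig returns against the key a server actually presents, here is an added example (not code from the original post): it hashes the raw public key blob with SHA-1 and SHA-256 as SSHFP requires and compares a published record against a key line. The sample key line is constructed with a dummy 32-byte pattern, not a real key.

```python
import base64
import hashlib
import struct

# Numbers used in SSHFP RDATA (RFC 4255, 6594, 7479).
SSHFP_ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                    "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
                    "ssh-ed25519": 4}
SSHFP_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}

def parse_pubkey(line):
    """Return (key_type, raw_blob) from a '<type> <base64> [comment]' line."""
    key_type, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    # The blob starts with a length-prefixed copy of the key type; check it.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type in blob does not match key type on line")
    return key_type, blob

def sshfp_records(hostname, pubkey_line, fp_types=(1, 2)):
    """Produce the (hostname, alg, fptype, hex) tuples ssh-keygen -r prints."""
    key_type, blob = parse_pubkey(pubkey_line)
    alg = SSHFP_ALGORITHMS[key_type]
    return [(hostname, alg, t, SSHFP_HASHES[t](blob).hexdigest()) for t in fp_types]

def format_record(rec):
    """Render one tuple as a zone-file line."""
    hostname, alg, fptype, fp_hex = rec
    return "%s IN SSHFP %d %d %s" % (hostname, alg, fptype, fp_hex)

def sshfp_matches(alg, fptype, fp_hex, pubkey_line):
    """Check a record published in DNS against the key a server presents."""
    key_type, blob = parse_pubkey(pubkey_line)
    if SSHFP_ALGORITHMS.get(key_type) != alg or fptype not in SSHFP_HASHES:
        return False
    # dig prints the hex upper-case and may split long values with a space.
    wanted = "".join(fp_hex.split()).lower()
    return SSHFP_HASHES[fptype](blob).hexdigest() == wanted

# Constructed sample key line: syntactically valid ssh-ed25519 with a dummy
# 32-byte pattern as the public key (not a real key).
_blob = (struct.pack(">I", 11) + b"ssh-ed25519"
         + struct.pack(">I", 32) + bytes(range(32)))
SAMPLE_KEY_LINE = "ssh-ed25519 %s host-key" % base64.b64encode(_blob).decode()

if __name__ == "__main__":
    for rec in sshfp_records("myserverplace.de", SAMPLE_KEY_LINE):
        print(format_record(rec))
```

Feed it a line from /etc/ssh/ssh_host_*_key.pub on the server, or the key line ssh-keyscan prints, and compare the output with what dig shows.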
You need to add VerifyHostKeyDNS to your ~/.ssh/config or to the global /etc/ssh/ssh_config; with this option set, SSH will try to validate host keys from DNS.
Host *
    VerifyHostKeyDNS yes
Connecting to SSH with SSHFP
Now when I connect to the server I get the following prompt. Without DNSSEC you still get the prompt, but the output now contains the line "Matching host key fingerprint found in DNS".
$ ssh email@example.com
The authenticity of host 'myserverplace.de (184.108.40.206)' can't be established.
ECDSA key fingerprint is SHA256:y2STsQ4RA/8durhpic+pb6UjcKwz7+bUaKX3C40yOGk.
Matching host key fingerprint found in DNS.
Are you sure you want to continue connecting (yes/no)?
With DNSSEC in place, SSH will connect right away, without prompting and without adding a new entry to ~/.ssh/known_hosts.