SSHFP record

A Secure Shell fingerprint record (abbreviated as SSHFP record) is a type of resource record in the Domain Name System (DNS) which identifies SSH keys that are associated with a host name. The acquisition of an SSHFP record needs to be secured with a mechanism such as DNSSEC for a chain of trust to be established.

Structure

⟨Name⟩ [⟨TTL⟩] [⟨Class⟩] SSHFP ⟨Algorithm⟩ ⟨Type⟩ ⟨Fingerprint⟩

⟨Name⟩: The name of the object to which the resource record belongs (optional)
⟨TTL⟩: Time to live (in seconds). Validity of Resource Records (optional)
⟨Class⟩: Protocol group to which the resource record belongs (optional)
⟨Algorithm⟩: Algorithm (0: reserved; 1: RSA;^[1] 2: DSA,^[1] 3: ECDSA;^[2] 4: Ed25519^[3] 6:Ed448;^[4])
⟨Type⟩: Algorithm used to hash the public key (0: reserved; 1: SHA-1;^[1] 2: SHA-256^[2])
⟨Fingerprint⟩: Hexadecimal representation of the hash result, as text

Example

host.example.com.  SSHFP 4 2 123456789abcdef67890123456789abcdef67890123456789abcdef123456789

In this example, the host with the domain name host.example.com uses a Ed25519 key with the SHA-256 fingerprint 123456789abcdef67890123456789abcdef67890. This output would be produced by a ssh-keygen -r host.example.com. command on the target server by reading the existing default SSH host key (Ed25519).^[5]

With the OpenSSH suite, the ssh-keyscan utility can be used to determine the fingerprint of a host's key; using the -D will print out the SSHFP record directly.^[6]

References

↑ ^1.0 ^1.1 ^1.2 Griffin, Wesley; Schlyter, Jakob (January 2006). "RFC 4255 — Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints". https://tools.ietf.org/html/rfc4255.
↑ ^2.0 ^2.1 Surý, Ondřej (April 2012). "RFC 6594 — Use of the SHA-256 Algorithm with RSA, Digital Signature Algorithm (DSA), and Elliptic Curve DSA (ECDSA) in SSHFP Resource Records". https://tools.ietf.org/html/rfc6594.
↑ Moonesamy, S. (March 2015). "RFC 7479 — Using Ed25519 in SSHFP Resource Records". https://tools.ietf.org/html/rfc7479.
↑ Harris, Ben; Velvindron, Loganaden (February 2020). "RFC 8709 — Ed25519 and Ed448 Public Key Algorithms for the Secure Shell (SSH) Protocol". https://tools.ietf.org/html/rfc8709.
↑ "ssh-keygen(1) - Linux manual page". https://www.man7.org/linux/man-pages/man1/ssh-keygen.1.html.
↑ "ssh-keyscan(1)". OpenBSD manual pages. https://man.openbsd.org/ssh-keyscan.1.

0.00

(0 votes)

Original source: https://en.wikipedia.org/wiki/SSHFP record. Read more

[RFC_4255-1] 1.0 ^1.1 ^1.2 Griffin, Wesley; Schlyter, Jakob (January 2006). "RFC 4255 — Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints". https://tools.ietf.org/html/rfc4255.

[RFC_6594-2] 2.0 ^2.1 Surý, Ondřej (April 2012). "RFC 6594 — Use of the SHA-256 Algorithm with RSA, Digital Signature Algorithm (DSA), and Elliptic Curve DSA (ECDSA) in SSHFP Resource Records". https://tools.ietf.org/html/rfc6594.

[RFC_7479-3] Moonesamy, S. (March 2015). "RFC 7479 — Using Ed25519 in SSHFP Resource Records". https://tools.ietf.org/html/rfc7479.

[RFC_8709-4] Harris, Ben; Velvindron, Loganaden (February 2020). "RFC 8709 — Ed25519 and Ed448 Public Key Algorithms for the Secure Shell (SSH) Protocol". https://tools.ietf.org/html/rfc8709.

[5] "ssh-keygen(1) - Linux manual page". https://www.man7.org/linux/man-pages/man1/ssh-keygen.1.html.

[6] "ssh-keyscan(1)". OpenBSD manual pages. https://man.openbsd.org/ssh-keyscan.1.

[1]

[2]

[3]

[4]

[5]

[6]

Anonymous

Search

SSHFP record

Namespaces

More

Page actions

Contents

Structure

Example

See also

References

Navigation

Navigation

Help

Translate

Wiki tools

Wiki tools

Anonymous

Search

SSHFP record

Structure

Example

See also

References

Navigation

Wiki tools

Page tools

Other projects

Categories