1SSHFP(1)                        Internet / DNS                        SSHFP(1)
2
3
4

NAME

6       sshfp - Generate SSHFP DNS records from knownhosts files or ssh-keyscan
7

SYNTAX

9       sshfp [-k <knownhosts_file>] [-d] [-a] [--type <algo>] [--digest
10       <digest>] [<host1> [host2 ...]]
11
12       sshfp -s [-p <port>] [-d] [-a] [--type <algo>] [--digest <digest>] [-n
13       <nameserver>] <domain1> [domain2] <host1> [host2 ...] >
14

DESCRIPTION

16       sshfp generates RFC-4255 SSHFP DNS records based on the public keys
17       stored in a known_hosts file, which implies the user has previously
18       trusted this key, or public keys can be obtained by using ssh-keyscan
19       (1). Using ssh-keyscan (1) implies a secure path to connect to the
20       hosts being scanned. It also implies a trust in the DNS to obtain the
21       IP address of the hostname to be scanned. If the nameserver of the
22       domain allows zone tranfers (AXFR), an entire domain can be processed
23       for all its A records.
24

OPTIONS

26       -s / --scan <hostname1> [hostname2 ...]
27           Scan hosts or domain for public SSH keys using ssh-keyscan
28
29       -k / --knownhosts <knownhosts_file> <hostname1> [hostname2 ...]
30           Obtain public SSH keys from a known_hosts file. Defaults to using
31           ~/.ssh/known_hosts
32
33       -a / --all
34           Scan all hosts in the known_hosts file when used with -k. When used
35           with -s, it will attempt an zone transfer (AXFR) to obtain all A
36           records in the domain specified.
37
38       -d / --trailing-dot
39           Add a trailing dot to the hostname in the SSHFP records. It is not
40           possible to determine whether a known_hosts or dns query is for a
41           FQDN (eg www.redhat.com) or not (eg www) or not (unless -d
42           domainname -a is used, in which case a trailing dot is always
43           appended). Non-FQDN get their domainname appended through
44           /etc/resolv.conf These non-FQDN will happen when using a non-FQDN
45           (eg sshfp -k www) or known_hosts entries obtained by running ssh
46           www.sub where .domain.com is implied. When -d is used, all
47           hostnames not ending with a dot, that at least contain two parts in
48           their hostname (eg www.sub but not www get a trailing dot. Note
49           that the output of sshfp can also just be manually editted for
50           trailing dots.
51
52       -o / --output <filename>
53           Write to filename instead of stdout
54
55       -p / --port <portnumber>
56           Use portnumber for scanning. Note that portnumbers do NOT appear in
57           SSHFP records.
58
59       -h / --help
60           Output help information and exit.
61
62       -v / --version
63           Output version information and exit.
64
65       -q / --quiet
66           Output less miscellany to stderr
67

FILES

69       ~/.ssh/known_hosts
70

REQUIREMENTS

72       sshfp requires python-dns (http://www.pythondns.org)
73
74       Fedora: yum install python-dns
75
76       Debian: apt-get install python-dnspython
77

BUGS

79       if a domain contains non-working glue A records, then ssh-keyscan
80       aborts instead of skipping the single broken entry.
81
82       This program can look up hashed hostnames in a known_hosts file if a
83       recent-enough ssh-keygen is present
84

EXAMPLES

86       typical usage:
87
88       sshfp (implies -k -a)
89
90       sshfp -a -d (implies -k)
91
92       sshfp -k bofh.nohats.ca (from known_hosts)
93
94       sshfp -s bofh.nohats.ca (from a scan to the host)
95
96       sshfp -k ~paul/.ssh/known_hosts bofh.nohats.ca www.openswan.org -o
97       /tmp/mysshfp.txt
98
99       sshfp -a -d -d nohats.ca -n ns0.nohats.ca >>
100       /var/named/primary/nohats.ca
101

SEE ALSO

103       ssh-keyscan(1)ssh(1)tlsa(1) and RFC-4255
104

AUTHORS

106       Paul Wouters <pwouters@redhat.com>, Jacob Appelbaum
107       <jacob@appelbaum.net>, James Brown <jbrown@yelp.com>
108
110       Copyright 2006-2010 Xelerance Corporation
111
112       Copyright 2012 Paul Wouters
113
114       This program is free software; you can redistribute it and/or modify it
115       under the terms of the GNU General Public License as published by the
116       Free Software Foundation; either version 2 of the License, or (at your
117       option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
118
119       This program is distributed in the hope that it will be useful, but
120       WITHOUT ANY WARRANTY; without even the implied warranty of
121       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
122       General Public License (file COPYING in the distribution) for more
123       details.
124
125
126
127Paul Wouters                    January 2, 2015                       SSHFP(1)
Impressum