1SSHFP(1) Internet / DNS SSHFP(1)
2
6 sshfp - Generate SSHFP DNS records from knownhosts files or ssh-keyscan
7
9 sshfp [-k <knownhosts_file>] [-d] [-a] [--type <algo>] [--digest
10 <digest>] [<host1> [host2 ...]]
11 sshfp -s [-p <port>] [-d] [-a] [--type <algo>] [--digest <digest>] [-n
13 <nameserver>] <domain1> [domain2] <host1> [host2 ...] >
14
16 sshfp generates RFC-4255 SSHFP DNS records based on the public keys
17 stored in a known_hosts file, which implies the user has previously
18 trusted this key, or public keys can be obtained by using ssh-keyscan
19 (1). Using ssh-keyscan (1) implies a secure path to connect to the
20 hosts being scanned. It also implies a trust in the DNS to obtain the
21 IP address of the hostname to be scanned. If the nameserver of the
22 domain allows zone transfers (AXFR), an entire domain can be processed
23 for all its A records.
24
26 -s / --scan <hostname1> [hostname2 ...]
27 Scan hosts or domain for public SSH keys using ssh-keyscan
28 -k / --knownhosts <knownhosts_file> <hostname1> [hostname2 ...]
30 Obtain public SSH keys from a known_hosts file. Defaults to using
31 ~/.ssh/known_hosts
32 -a / --all
34 Scan all hosts in the known_hosts file when used with -k. When used
35 with -s, it will attempt a zone transfer (AXFR) to obtain all A
36 records in the domain specified.
37 -d / --trailing-dot
39 Add a trailing dot to the hostname in the SSHFP records. It is not
40 possible to determine whether a known_hosts or dns query is for a
41 FQDN (eg www.redhat.com) or not (eg www) or not (unless -d
42 domainname -a is used, in which case a trailing dot is always
43 appended). Non-FQDN get their domainname appended through
44 /etc/resolv.conf These non-FQDN will happen when using a non-FQDN
45 (eg sshfp -k www) or known_hosts entries obtained by running ssh
46 www.sub where .domain.com is implied. When -d is used, all
47 hostnames not ending with a dot, that at least contain two parts in
48 their hostname (eg www.sub but not www get a trailing dot. Note
49 that the output of sshfp can also just be manually edited for
50 trailing dots.
51 -o / --output <filename>
53 Write to filename instead of stdout
54 -p / --port <portnumber>
56 Use portnumber for scanning. Note that portnumbers do NOT appear in
57 SSHFP records.
58 -h / --help
60 Output help information and exit.
61 -v / --version
63 Output version information and exit.
64 -q / --quiet
66 Output less miscellany to stderr
67
69 ~/.ssh/known_hosts
70
72 sshfp requires python-dns (http://www.pythondns.org)
73 Fedora: yum install python-dns
75 Debian: apt-get install python-dnspython
77
79 if a domain contains non-working glue A records, then ssh-keyscan
80 aborts instead of skipping the single broken entry.
81 This program can look up hashed hostnames in a known_hosts file if a
83 recent-enough ssh-keygen is present
84
86 typical usage:
87 sshfp (implies -k -a)
89 sshfp -a -d (implies -k)
91 sshfp -k bofh.nohats.ca (from known_hosts)
93 sshfp -s bofh.nohats.ca (from a scan to the host)
95 sshfp -k ~paul/.ssh/known_hosts bofh.nohats.ca www.openswan.org -o
97 /tmp/mysshfp.txt
98 sshfp -a -d -d nohats.ca -n ns0.nohats.ca >>
100 /var/named/primary/nohats.ca
101
103 ssh-keyscan(1)ssh(1)tlsa(1) and RFC-4255
104
106 Paul Wouters <pwouters@redhat.com>, Jacob Appelbaum
107 <jacob@appelbaum.net>, James Brown <jbrown@yelp.com>
108
110 Copyright 2006-2010 Xelerance Corporation
111 Copyright 2012 Paul Wouters
113 This program is free software; you can redistribute it and/or modify it
115 under the terms of the GNU General Public License as published by the
116 Free Software Foundation; either version 2 of the License, or (at your
117 option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
118 This program is distributed in the hope that it will be useful, but
120 WITHOUT ANY WARRANTY; without even the implied warranty of
121 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
122 General Public License (file COPYING in the distribution) for more
123 details.
124Paul Wouters January 2, 2015 SSHFP(1)