sshfp(1)                        Internet / DNS                        sshfp(1)

NAME

       sshfp - Generate SSHFP DNS records from known_hosts files or ssh-keyscan

SYNTAX

       sshfp [-k [knownhosts_file]] [-a] | [<host1> [host2 ...]]
       sshfp -s [-p <port>] <-a <domain> [@ns] | <host1> [host2 ...] >

DESCRIPTION

       sshfp generates RFC 4255 SSHFP DNS records based on the public keys
       stored in a known_hosts file, which implies the user has previously
       trusted this key, or on public keys obtained by using ssh-keyscan(1).
       Using ssh-keyscan(1) implies a secure path to connect to the hosts
       being scanned. It also implies a trust in the DNS to obtain the IP
       address of the hostname to be scanned. If the nameserver of the domain
       allows zone transfers (AXFR), an entire domain can be processed for
       all its A records.

OPTIONS

       -s / --scan <hostname1> [hostname2 ...]
              Scan hosts or a domain for public SSH keys using ssh-keyscan.

       -k / --knownhosts [knownhosts_file] <hostname1> [hostname2 ...]
              Obtain public SSH keys from a known_hosts file. Defaults to
              using ~/.ssh/known_hosts.

       -a / --all
              Scan all hosts in the known_hosts file when used with -k. When
              used with -s, it will attempt a zone transfer (AXFR) to obtain
              all A records in the domain specified.

       -t / --trailing-dot
              Add a trailing dot to the hostname in the SSHFP records. It is
              not possible to determine whether a known_hosts entry or DNS
              query is for a FQDN (e.g. www.xelerance.com) or not (e.g. www),
              unless -d domainname -a is used, in which case a trailing dot
              is always appended. Non-FQDN names get their domain name
              appended via /etc/resolv.conf. Such non-FQDN names occur when
              using a non-FQDN (e.g. sshfp -k www) or known_hosts entries
              obtained by running ssh www.sub where .domain.com is implied.
              When -t is used, all hostnames not ending with a dot that
              contain at least two parts (e.g. www.sub but not www) get a
              trailing dot. Note that the output of sshfp can also simply be
              edited by hand to add trailing dots.

       -o / --output <filename>
              Write to filename instead of stdout.

       -p / --port <portnumber>
              Use portnumber for scanning. Note that port numbers do NOT
              appear in SSHFP records.

       -h / --help
              Output help information and exit.

       -v / --version
              Output version information and exit.
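The record construction described above and the -t trailing-dot rule, as an added Python example that is not part of sshfp itself: it reads known_hosts text, checks that each key blob's embedded type name matches its label, hashes the raw blob and emits RFC 4255 style records, skipping the hashed entries the tool cannot handle. The sample known_hosts content and key blob are constructed; the ECDSA, Ed25519 and SHA-256 numbers come from RFCs 6594 and 7479, which postdate this page.

```python
import base64
import hashlib
import ipaddress
import struct

# SSHFP numbers: alg 1 RSA, 2 DSA and fp type 1 SHA-1 (RFC 4255); alg 3 ECDSA and
# fp type 2 SHA-256 (RFC 6594); alg 4 Ed25519 (RFC 7479).
SSHFP_ALG = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
             "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
FP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


def _ssh_string(b: bytes) -> bytes:  # SSH wire 'string': uint32 length + data
    return struct.pack(">I", len(b)) + b


def _blob_keytype(blob: bytes) -> str:  # every public-key blob starts with its type name
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode("ascii")


def sshfp_records(known_hosts_text: str, fp_type: int = 1, trailing_dot: bool = False):
    """known_hosts text -> 'owner IN SSHFP alg fptype hex' records (hashed/marker lines skipped)."""
    records = []
    for line in known_hosts_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or line.startswith(("#", "|1|", "@")) or fields[1] not in SSHFP_ALG:
            continue
        hosts, keytype, blob = fields[0], fields[1], base64.b64decode(fields[2])
        if _blob_keytype(blob) != keytype:  # the label must agree with the blob
            raise ValueError(f"key type mismatch: {line!r}")
        fp = FP_HASH[fp_type](blob).hexdigest()  # RFC 4255: hash over the raw key blob
        for host in hosts.split(","):  # "host,192.0.2.10" lists several names
            if host.startswith("["):  # "[host]:2222": the port never enters the record
                host = host[1:host.index("]")]
            try:  # IP literals in known_hosts are not DNS owner names
                ipaddress.ip_address(host)
                continue
            except ValueError:
                pass
            if trailing_dot and "." in host and not host.endswith("."):  # the -t rule
                host += "."
            records.append(f"{host} IN SSHFP {SSHFP_ALG[keytype]} {fp_type} {fp}")
    return records

# Constructed sample: a well-formed ssh-ed25519 blob wrapping a dummy 32-byte key
SAMPLE_B64 = base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))).decode()
SAMPLE_KNOWN_HOSTS = ("bofh.xelerance.com,192.0.2.10 ssh-ed25519 " + SAMPLE_B64 + "\n"
                      "[www]:2222 ssh-ed25519 " + SAMPLE_B64)  # port form, single-label name
```

Running sshfp_records(SAMPLE_KNOWN_HOSTS, trailing_dot=True) yields one record for bofh.xelerance.com. and one for www (no dot, port dropped); the IP literal produces none.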

FILES

       ~/.ssh/known_hosts

REQUIREMENTS

       sshfp requires python-dns (http://www.pythondns.org)

       Fedora: yum install python-dns

       Debian: apt-get install python-dnspython

BUGS

       If a domain contains non-working glue A records, then ssh-keyscan
       aborts instead of skipping the single broken entry.

       There is no facility to look up hashed hostnames in known_hosts files.

EXAMPLES

       Typical usage:

       sshfp (implies -k -a)

       sshfp -a -t (implies -k)

       sshfp -k bofh.xelerance.com (from known_hosts)

       sshfp -s bofh.xelerance.com (from a scan of the host)

       sshfp -k ~paul/.ssh/known_hosts bofh.xelerance.com www.openswan.org -o
       /tmp/mysshfp.txt

       sshfp -a -t -d xelerance.com @ns0.xelerance.net >> /var/named/primary/xelerance.com

SEE ALSO

       ssh-keyscan(1), ssh(1) and RFC 4255

       http://www.xelerance.com/software/sshfp/

       http://lists.xelerance.com/mailman/listinfo/sshfp/

AUTHORS

       Paul Wouters <paul@xelerance.com>, Jacob Appelbaum <jacob@appelbaum.net>

       Copyright © 2006 Xelerance Corporation

       This program is free software; you can redistribute it and/or modify it
       under the terms of the GNU General Public License as published by the
       Free Software Foundation; either version 2 of the License, or (at your
       option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.

       This program is distributed in the hope that it will be useful, but
       WITHOUT ANY WARRANTY; without even the implied warranty of
       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
       Public License (file COPYING in the distribution) for more details.


Paul Wouters                         1.1.2                            sshfp(1)