sshfp(1)                          Internet / DNS                          sshfp(1)

NAME
       sshfp - Generate SSHFP DNS records from known_hosts files or ssh-keyscan

SYNOPSIS
       sshfp [-k [knownhosts_file]] [-a] | [<host1> [host2 ...]]
       sshfp -s [-p <port>] <-a <domain> [@ns] | <host1> [host2 ...] >

DESCRIPTION
       sshfp generates RFC 4255 SSHFP DNS records from public SSH host keys.
       The keys are taken either from a known_hosts file, which implies the
       user has previously trusted them, or from the output of ssh-keyscan(1).
       Using ssh-keyscan(1) implies a secure path to the hosts being scanned,
       and it also implies trust in the DNS that resolves the hostnames being
       scanned to IP addresses. If the nameserver of the domain allows zone
       transfers (AXFR), an entire domain can be processed for all its A
       records.

OPTIONS
       -s / --scan <hostname1> [hostname2 ...]
              Scan hosts or a domain for public SSH keys using ssh-keyscan.

       -k / --knownhosts [knownhosts_file] <hostname1> [hostname2 ...]
              Obtain public SSH keys from a known_hosts file. Defaults to
              using ~/.ssh/known_hosts.

       -a / --all
              Scan all hosts in the known_hosts file when used with -k. When
              used with -s, attempt a zone transfer (AXFR) to obtain all A
              records in the specified domain.

       -t / --trailing-dot
              Add a trailing dot to the hostname in the SSHFP records. It is
              not possible to determine whether a known_hosts entry or DNS
              query is for a FQDN (eg www.xelerance.com) or not (eg www),
              unless -d domainname -a is used, in which case a trailing dot
              is always appended. Non-FQDNs get their domain name appended
              through /etc/resolv.conf. Such non-FQDNs arise when a short
              name is given (eg sshfp -k www) or from known_hosts entries
              obtained by running ssh www.sub where .domain.com is implied.
              When -t is used, all hostnames not ending with a dot that
              consist of at least two parts (eg www.sub, but not www) get a
              trailing dot. Note that the output of sshfp can also simply be
              edited by hand to add trailing dots.

       -o / --output <filename>
              Write to filename instead of stdout.

       -p / --port <portnumber>
              Use portnumber for scanning. Note that port numbers do NOT
              appear in SSHFP records.

       -h / --help
              Output help information and exit.

       -v / --version
              Output version information and exit.
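
The following is an added worked example, not code from the sshfp tool itself or from its authors. It shows what the DESCRIPTION and the -t and -p notes above amount to in code: read known_hosts lines, base64-decode each public key blob, hash it into an SSHFP fingerprint, and emit a zone-file record, applying the documented trailing-dot rule and dropping the [host]:port wrapper that known_hosts uses for non-default ports. It goes slightly beyond the page by also producing the SHA-256 fingerprint type (2) from RFC 6594 and the ECDSA and Ed25519 algorithm numbers from RFC 6594 and RFC 7479, alongside the RFC 4255 SHA-1 type (1) the page refers to. The sample known_hosts lines are constructed for the example, and the key blob in them is a placeholder (the bytes "abc"), not a real key; the function and constant names are this example's own.

```python
import base64
import hashlib
import re

# SSHFP algorithm numbers: RFC 4255 defines 1 (RSA) and 2 (DSA); RFC 6594
# adds 3 (ECDSA); RFC 7479 adds 4 (Ed25519).
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}

# SSHFP fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594).
# The fingerprint is the hash of the raw (base64-decoded) public key blob.
FINGERPRINT_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}

# Constructed sample known_hosts lines. The key blob "YWJj" is base64 for the
# bytes "abc": a placeholder standing in for a real key so the digests are
# easy to check by hand, not a usable SSH key.
SAMPLE_KNOWN_HOSTS = [
    "# constructed sample file",
    "bofh.example.com,bofh ssh-rsa YWJj",
    "[git.example.com]:2222 ssh-ed25519 YWJj",
    "|1|hashedsalt=|hashedname= ssh-rsa YWJj",
    "www ssh-unknown YWJj",
]


def strip_port(hostname):
    """known_hosts writes non-default ports as [host]:port. SSHFP records
    carry no port (see -p), so the bracket/port wrapper is dropped."""
    match = re.fullmatch(r"\[(.+)\]:\d+", hostname)
    return match.group(1) if match else hostname


def with_trailing_dot(hostname):
    """The -t rule: names that already end in a dot, or that consist of a
    single label (eg www), are left alone; anything with two or more labels
    (eg www.sub) gets a trailing dot."""
    if hostname.endswith(".") or "." not in hostname:
        return hostname
    return hostname + "."


def sshfp_records(known_hosts_lines, fp_types=(1, 2), trailing_dot=False):
    """Return (owner, algorithm, fptype, hex_fingerprint) tuples for every
    usable known_hosts line, one per fingerprint type per hostname."""
    records = []
    for raw in known_hosts_lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0].startswith("@"):        # @cert-authority / @revoked marker
            fields = fields[1:]
        if len(fields) < 3:
            continue
        hosts, keytype, b64 = fields[0], fields[1], fields[2]
        if hosts.startswith("|1|"):          # hashed hostname: name not recoverable
            continue
        algorithm = SSHFP_ALGORITHMS.get(keytype)
        if algorithm is None:                # key type with no SSHFP number
            continue
        try:
            blob = base64.b64decode(b64, validate=True)
        except ValueError:                   # binascii.Error is a ValueError
            continue
        for host in hosts.split(","):
            owner = strip_port(host)
            if trailing_dot:
                owner = with_trailing_dot(owner)
            for fp_type in fp_types:
                digest = FINGERPRINT_TYPES[fp_type](blob).hexdigest()
                records.append((owner, algorithm, fp_type, digest))
    return records


def format_record(record):
    """Render one tuple as a zone-file line: owner IN SSHFP alg fptype hex."""
    owner, algorithm, fp_type, digest = record
    return f"{owner} IN SSHFP {algorithm} {fp_type} {digest}"


if __name__ == "__main__":
    for rec in sshfp_records(SAMPLE_KNOWN_HOSTS, trailing_dot=True):
        print(format_record(rec))
```

The hashed known_hosts entry and the unknown key type are skipped rather than emitted, which matches the BUGS note that hashed hostnames cannot be looked up: the owner name for the record simply is not recoverable from such a line. Publishing the records generated this way only helps clients that validate them, so they belong in a DNSSEC-signed zone and the client side needs VerifyHostKeyDNS enabled in ssh(1).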

FILES
       ~/.ssh/known_hosts

       sshfp requires python-dns (http://www.pythondns.org)

       Fedora: yum install python-dns

       Debian: apt-get install python-dnspython

BUGS
       If a domain contains non-working glue A records, ssh-keyscan aborts
       instead of skipping the single broken entry.

       There is no facility to look up hashed hostnames in known_hosts files.

EXAMPLES
       Typical usage:

       sshfp                                  (implies -k -a)

       sshfp -a -t                            (implies -k)

       sshfp -k bofh.xelerance.com            (from known_hosts)

       sshfp -s bofh.xelerance.com            (from a scan to the host)

       sshfp -k ~paul/.ssh/known_hosts bofh.xelerance.com www.openswan.org -o /tmp/mysshfp.txt

       sshfp -a -t -d xelerance.com @ns0.xelerance.net >> /var/named/primary/xelerance.com

SEE ALSO
       ssh-keyscan(1), ssh(1) and RFC 4255

       http://www.xelerance.com/software/sshfp/

       http://lists.xelerance.com/mailman/listinfo/sshfp/

AUTHORS
       Paul Wouters <paul@xelerance.com>, Jacob Appelbaum <jacob@appelbaum.net>

COPYRIGHT
       Copyright © 2006 Xelerance Corporation

       This program is free software; you can redistribute it and/or modify it
       under the terms of the GNU General Public License as published by the
       Free Software Foundation; either version 2 of the License, or (at your
       option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.

       This program is distributed in the hope that it will be useful, but
       WITHOUT ANY WARRANTY; without even the implied warranty of
       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
       General Public License (file COPYING in the distribution) for more
       details.

Paul Wouters                          1.1.2                             sshfp(1)