NAME
sshfp - Generate SSHFP DNS records from known_hosts files or ssh-keyscan
SYNTAX
sshfp [-k [knownhosts_file]] [-d] [-a] | [<host1> [host2 ...]]
sshfp -s [-p <port>] [-d] <-a <domain> [@ns] | <host1> [host2 ...] >
DESCRIPTION
sshfp generates RFC 4255 SSHFP DNS records from SSH host public keys.
The keys are taken either from a known_hosts file, which implies that
the user has previously accepted and therefore trusts them, or from a
live scan of the hosts with ssh-keyscan(1). Using ssh-keyscan(1)
implies a secure network path to the hosts being scanned: whatever key
is presented on that path is the key that ends up in DNS, so a scan
through an untrusted network publishes an attacker's key just as
readily as the real one. It also implies trust in the DNS used to
resolve the scanned hostnames to IP addresses. If the nameserver of
the domain allows zone transfers (AXFR), an entire domain can be
processed for all of its A records.
OPTIONS
-s / --scan <hostname1> [hostname2 ...]
Scan hosts or domain for public SSH keys using ssh-keyscan
-k / --knownhosts [knownhosts_file] <hostname1> [hostname2 ...]
Obtain public SSH keys from a known_hosts file. Defaults to
using ~/.ssh/known_hosts
-a / --all
Scan all hosts in the known_hosts file when used with -k. When
used with -s, attempt a zone transfer (AXFR) to obtain all A
records of the domain specified.
-d / --trailing-dot
Add a trailing dot to the hostname in the SSHFP records. It is
not possible to tell whether a known_hosts entry or a DNS query
names a FQDN (eg www.xelerance.com) or a short name (eg www),
except when -a domainname is used together with -s, in which
case a trailing dot is always appended. Short names get their
domain appended by the resolver through the search list in
/etc/resolv.conf. Such names occur when sshfp is given a short
name (eg sshfp -k www) or when the known_hosts entry was created
by running ssh www.sub where .domain.com is implied. When -d is
used, every hostname that does not already end with a dot and
has at least two labels (eg www.sub, but not www) gets a
trailing dot. Note that the output of sshfp can also simply be
edited by hand to add trailing dots.
-o / --output <filename>
Write to filename instead of stdout
-p / --port <portnumber>
Use portnumber for scanning. Note that port numbers do NOT appear
in SSHFP records: a record is bound to the hostname only, so a
key scanned from a non-standard port is published as the key of
that host.
-h / --help
Output help information and exit.
-v / --version
Output version information and exit.
FILES
~/.ssh/known_hosts
REQUIREMENTS
sshfp requires python-dns (http://www.pythondns.org)
Fedora: yum install python-dns
Debian: apt-get install python-dnspython
BUGS
If a domain contains non-working glue A records, ssh-keyscan
aborts instead of skipping the single broken entry.
There is no facility to look up hashed hostnames in known_hosts
files.
EXAMPLES
typical usage:
sshfp                                   (implies -k -a)
sshfp -a -d                             (implies -k)
sshfp -k bofh.xelerance.com             (key from known_hosts)
sshfp -s bofh.xelerance.com             (key from a scan of the host)
sshfp -k ~paul/.ssh/known_hosts bofh.xelerance.com www.openswan.org -o /tmp/mysshfp.txt
sshfp -s -a -d xelerance.com @ns0.xelerance.net >> /var/named/primary/xelerance.com
                                        (AXFR the whole zone and append the records to the zone file)
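The following is an added worked example, not code from the sshfp tool itself. It reproduces what the DESCRIPTION above describes in a few lines of Python: take the public key blob from a known_hosts line, hash it, and emit an RFC 4255 record, applying the -d trailing-dot rule and dropping the port from a [host]:port entry. It also shows how a hashed host field (the |1|salt|hash form that the BUGS section says sshfp cannot look up) can be matched against a candidate name with HMAC-SHA1. The key blob and the known_hosts lines are constructed for the example; the ECDSA/Ed25519 algorithm numbers and the SHA-256 fingerprint type come from RFC 6594 and RFC 7479, which postdate this page, and are included only for completeness.

```python
"""Added example, not the sshfp tool's own code: build RFC 4255 SSHFP records
from known_hosts lines, applying the -d trailing-dot rule, stripping the
[host]:port form, and matching hashed (|1|salt|hash) hosts.  Sample data is
constructed; the key blob is a toy, not a real key."""
import base64
import hashlib
import hmac
import struct

# RFC 4255: RSA=1, DSA=2; fingerprint type SHA-1=1.  ECDSA=3 and SHA-256=2
# (RFC 6594) and Ed25519=4 (RFC 7479) postdate the page; listed for completeness.
ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
              "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
FPTYPES = {"sha1": 1, "sha256": 2}


def ssh_string(data):
    """SSH wire-format string: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n):
    """SSH wire-format mpint for n > 0 (a leading 0x00 when the high bit is set)."""
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def blob_key_type(blob):
    """The key type string that the public key blob itself declares."""
    (length,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + length].decode("ascii")


def strip_port(name):
    """known_hosts writes non-default ports as [host]:port; SSHFP has no port field."""
    return name[1:name.index("]:")] if name.startswith("[") and "]:" in name else name


def host_label(host, trailing_dot):
    """sshfp's -d rule: two or more labels and no trailing dot gets one; 'www' stays."""
    return host + "." if trailing_dot and "." in host and not host.endswith(".") else host


def hash_host(hostname, salt):
    """Hashed host field as ssh-keygen -H writes it: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def hashed_host_matches(field, hostname):
    """The hash is one-way, so a hashed entry can only be tested against a candidate name."""
    _, _, salt_b64, hash_b64 = field.split("|", 3)
    digest = hmac.new(base64.b64decode(salt_b64), hostname.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(digest, base64.b64decode(hash_b64))


def sshfp_records(line, hostname=None, trailing_dot=False, fptypes=("sha1",)):
    """SSHFP record strings for one known_hosts line; [] for comments, @marker
    lines, unknown key types, or lines that do not name `hostname` when given.
    Hashed lines need `hostname`, since the name cannot be recovered from the file."""
    parts = line.split()
    if len(parts) < 3 or parts[0].startswith(("#", "@")) or parts[1] not in ALGORITHMS:
        return []
    hosts, keytype, blob = parts[0], parts[1], base64.b64decode(parts[2])
    if hosts.startswith("|1|"):
        if hostname is None or not hashed_host_matches(hosts, hostname):
            return []
        name = hostname
    else:
        names = [strip_port(n) for n in hosts.split(",")]
        if hostname is not None and hostname not in names:
            return []
        # Without a requested name, publish under the first non-IP-literal name.
        name = hostname or next((n for n in names if not n.replace(".", "").isdigit()), None)
        if name is None:
            return []
    # The blob declares its own type: refuse a line whose declared type disagrees,
    # otherwise a mislabelled entry would be published under the wrong algorithm number.
    if blob_key_type(blob) != keytype:
        raise ValueError("key type mismatch: %s vs %s" % (keytype, blob_key_type(blob)))
    owner = host_label(name, trailing_dot)
    return ["%s IN SSHFP %d %d %s" % (owner, ALGORITHMS[keytype], FPTYPES[fp],
                                      hashlib.new(fp, blob).hexdigest()) for fp in fptypes]


# Constructed sample data: a toy RSA blob (e=65537, tiny n; NOT a real key) and
# three known_hosts lines in the plain, [host]:port and hashed forms.
TOY_RSA_BLOB = ssh_string(b"ssh-rsa") + ssh_mpint(65537) + ssh_mpint(0xC0FFEE1234567890ABCDEF)
TOY_RSA_B64 = base64.b64encode(TOY_RSA_BLOB).decode()
KNOWN_HOSTS = [
    "bofh.xelerance.com,192.0.2.10 ssh-rsa " + TOY_RSA_B64,
    "[www.sub]:2222 ssh-rsa " + TOY_RSA_B64,
    hash_host("www.openswan.org", b"0123456789abcdef0123") + " ssh-rsa " + TOY_RSA_B64,
]

if __name__ == "__main__":
    for rec in sshfp_records(KNOWN_HOSTS[2], hostname="www.openswan.org", trailing_dot=True):
        print(rec)
```

The fingerprint is computed over the raw base64-decoded key blob, exactly the bytes ssh-keyscan prints, which is why the blob's own embedded type string is checked against the declared column before anything is published. Matching a hashed entry requires knowing the hostname in advance, which is the reason the tool cannot simply walk a hashed known_hosts file with -a.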
SEE ALSO
ssh-keyscan(1), ssh(1) and RFC 4255
http://www.xelerance.com/software/sshfp/
http://lists.xelerance.com/mailman/listinfo/sshfp/
AUTHORS
Paul Wouters <paul@xelerance.com>, Jacob Appelbaum
<jacob@appelbaum.net>
COPYRIGHT
Copyright © 2006 Xelerance Corporation
This program is free software; you can redistribute it and/or modify it
under the terms of the GNU General Public License as published by the
Free Software Foundation; either version 2 of the License, or (at your
option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License (file COPYING in the distribution) for more
details.