SSHFP 🔑 is pretty cool

Recently, a colleague told me about the existence of SSHFP DNS records: a way to verify that you’re actually connecting to the host you expect to connect to.

Here’s how you can set it up for yourself:

1: Run this command

➜  ~ ssh-keygen -r $hostname

2: ???

3: Profit!

In all seriousness: the command prints the SSHFP records for the host keys of the server you ran it on, which are the records you need to add to DNS. It looks something like this:

➜  ~ ssh-keygen -r hostname
$hostname IN SSHFP 1 1 248f6e09680051402d5af9969e60fd98b9c450b0
$hostname IN SSHFP 1 2 805c6650b08557f5ed1e6531c3ebc07afcf9bbc29c5e36c182bb6de743cfa36b
$hostname IN SSHFP 3 1 f52ae9025dfc9cce8f866a0f790d519b62548f18
$hostname IN SSHFP 3 2 45f20a72ed584d60b99c74638514d666fd3068b0c672f08ef07474254c104bfe
$hostname IN SSHFP 4 1 a25c8e3c6436ff9f03f876ce587525051da556e5
$hostname IN SSHFP 4 2 ac184dabf51f85e1e83c670fb7792827dd497a61dac9cd29e681f301db128e9a

After you’ve added these to your DNS server, configure your SSH client so it actually checks for SSHFP records. You can do this by editing ssh_config

➜  ~ sudo vim /etc/ssh/ssh_config

and adding this to the bottom of that file.

VerifyHostKeyDNS yes

The next time you try to connect to a host, you’ll see something like this:

➜  ~ ssh superawesomehost
The authenticity of host '[superawesomehost]:22 ([127.0.0.1]:22)' can't be established.
ECDSA key fingerprint is SHA256:d9KNsAC3G1bFFtxY2vfDYa8n8j3XCe/gmj6KzUETXaY.
Matching host key fingerprint found in DNS.
Are you sure you want to continue connecting (yes/no)?
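To show what `ssh-keygen -r` and the client are actually comparing, here is an added example (not part of the original post) that computes the SSHFP rdata shown above from an OpenSSH public key line and checks a key against a set of published records. It uses only the standard library; the ssh-ed25519 key bytes are constructed placeholders, not a real key.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, 6594, 7479) keyed by OpenSSH key type.
SSHFP_ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                    "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
                    "ssh-ed25519": 4}
# SSHFP fingerprint type numbers: 1 = SHA-1, 2 = SHA-256.
SSHFP_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}

def sshfp_records(pubkey_line):
    """Return [(alg, fptype, hexfp), ...] for one OpenSSH public key line:
    the hashes of the raw key blob that ssh-keygen base64-encodes there."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    # The blob starts with a length-prefixed copy of the key type; refuse a
    # line whose textual type disagrees with what is actually encoded.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key type field does not match key blob")
    alg = SSHFP_ALGORITHMS[keytype]
    return [(alg, t, h(blob).hexdigest()) for t, h in SSHFP_HASHES.items()]

def host_key_matches_dns(pubkey_line, sshfp_lines):
    """True if the key matches a published SSHFP record of its algorithm.
    Accepts zone lines ("$hostname IN SSHFP 4 2 ...") or bare rdata. Like
    OpenSSH, SHA-256 records are preferred: if any exist for this algorithm,
    SHA-1 records are not consulted."""
    alg = SSHFP_ALGORITHMS[pubkey_line.split()[0]]
    mine = {t: fp for _, t, fp in sshfp_records(pubkey_line)}
    recs = []
    for line in sshfp_lines:
        a, t, fp = line.split()[-3:]
        if int(a) == alg and int(t) in SSHFP_HASHES:
            recs.append((int(t), fp.lower()))
    if any(t == 2 for t, _ in recs):
        recs = [r for r in recs if r[0] == 2]
    return any(fp == mine[t] for t, fp in recs)

def constructed_ed25519_line():
    """A well-formed ssh-ed25519 public key line built from CONSTRUCTED key
    bytes (not a real key) so the example runs offline."""
    raw = bytes(range(32))  # placeholder key material, not a real key
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " example@host"
```

Note that ssh only treats a matching SSHFP record as authoritative when the resolver returned it DNSSEC-validated; otherwise it prints "Matching host key fingerprint found in DNS." but still asks you to confirm, which is exactly what the prompt above shows.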

That’s it! Have fun or whatever.