SSH - DNSSEC
Preface
This document describes one way to manage authentication of the SSH Server on the SSH Client side.
Before we start, a short summary of how the SSH Server manages its SSH keys:
- The SSH Server uses the same kind of key set as the SSH Client.
- The SSH Server does not use a passphrase for its SSH keys (to avoid human interaction during sshd start).
- The SSH Server stores all of its SSH keys under “/etc/ssh/ssh_host_*key*”.
- In general, 99,9999% of sshd administrators never think about regularly rotating the SSH Server keys. The reason is that every SSH Client stores a local copy of the SSH Server public key on the client side (in “~/.ssh/known_hosts”), so whenever the SSH Server updates its keys, every SSH Client has to update its local copy of the SSH Server public key. (This is the root cause of many service calls.)
For this reason it is possible to use the DNS service to validate SSH Server public keys, using the “SSHFP” record. The DNS zone file then acts as a central authority for SSH Server public key fingerprints, used instead of the local “~/.ssh/known_hosts” list on the SSH Client side. This also gives us the possibility to update the SSH Server keys regularly, transparently for all SSH Clients.
Important
Everything in this document works as well with standard DNS without DNSSEC. On the other hand, it is important to make sure that the DNS server the SSH Client uses is the only one authorized to provide this kind of information. For that reason, please do not use this without DNSSEC.
SSHFP - Create a zone record
In this document I am not going to describe how DNS works or how to maintain it. I will use the Bind DNS server, as it is the most popular open source DNS server.
The SSHFP records for the server's host keys are generated on the SSH Server with “ssh-keygen -r <hostname>”. Each printed record pairs an algorithm number (1 = RSA, 2 = DSA) with a fingerprint type (1 = SHA-1) and the fingerprint of the public key:
    [root@SSH_Server ~]# ssh-keygen -r SSH_Server
    SSH_Server IN SSHFP 1 1 2edcb598114820336938e39e46e9daf04db90322
    SSH_Server IN SSHFP 2 1 ff9ddf4d45d93c8c7b84f8103bb9c47bdfc49ebc
DNS Zone update
At this point we need to add the generated SSHFP records directly into the DNS zone file in which the server's:
- A record (translation from FQDN to IP) is maintained. When the SSH Client uses the FQDN to access the server, this DNS zone file is checked for the SSH Server's SSHFP record.
- PTR record (translation from IP to FQDN) is maintained. When the SSH Client uses the IP to access the server, this DNS zone file is checked for the SSH Server's SSHFP record (just replace the “SSH_Server” name with the IP of the server in the DNS zone record, or use “ssh-keygen -r <IP>”).
In general I would say that most SSH Clients use the FQDN to access the SSH Server. Either way, we need to make sure that access via the SSH Server IP works correctly as well.
    [root@DNS_Server zone]# cat example.com.db
    ; This is just an example
    $TTL 86400
    @           IN SOA example.com root (
                    42      ; serial (d. adams)
                    3H      ; refresh
                    15M     ; retry
                    1W      ; expiry
                    1D )    ; minimum
                IN NS    example.com.
                IN A     10.0.0.53
    SSH_Server  IN A     10.0.0.3
    SSH_Server  IN SSHFP 1 1 2edcb598114820336938e39e46e9daf04db90322
    SSH_Server  IN SSHFP 2 1 ff9ddf4d45d93c8c7b84f8103bb9c47bdfc49ebc
Test the new DNS record
To test the SSHFP records stored in DNS, you can use the command “dig +dnssec <FQDN_or_IP_of_SSH_Server> SSHFP”:
    [root@SSH_Client ~]# dig +dnssec ssh_server.example.com SSHFP

    ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> +dnssec ssh_server.example.com SSHFP
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56881
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1

    ;; ANSWER SECTION:
    ssh_server.example.com. 86400 IN SSHFP 1 1 2EDCB598114820336938E39E46E9DAF04DB90322
    ssh_server.example.com. 86400 IN SSHFP 2 1 FF9DDF4D45D93C8C7B84F8103BB9C47BDFC49EBC
Note that the answer above carries no RRSIG records and the flags line shows no “ad” (authenticated data) flag, so this particular response was not DNSSEC-validated by the resolver. With a signed zone and a validating resolver you should see “ad” among the flags and an RRSIG record next to each SSHFP record; without that, the client is trusting unauthenticated DNS data.
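The records ssh-keygen -r prints and the ones dig returns are the same data: the hash of the raw host key blob, tagged with an algorithm number and a fingerprint type. The following Python is added here as an illustration and is not part of the original document or of OpenSSH; it computes SSHFP rdata from an OpenSSH public key line the way ssh-keygen -r does and checks a dig answer against it. The key line it uses is a constructed sample with toy numbers, not a real host key.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers by OpenSSH key type (1 = RSA and 2 = DSA are the
# two the page's records use; 3 = ECDSA and 4 = Ed25519 are later additions).
SSHFP_ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                    "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
                    "ssh-ed25519": 4}
# SSHFP fingerprint types: 1 = SHA-1 (used on the page), 2 = SHA-256.
SSHFP_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}

def _ssh_string(data):
    return struct.pack(">I", len(data)) + data

def _mpint(n):
    # Big-endian, with a leading 0x00 when the top bit is set (positive mpint).
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def build_key_line(key_type, *numbers, comment="root@SSH_Server"):
    """Constructed-sample helper: encode key_type plus mpints as an OpenSSH
    public key line. The numbers are toy values, not a real key pair."""
    blob = _ssh_string(key_type.encode()) + b"".join(_mpint(n) for n in numbers)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"

def sshfp_records(pubkey_line, fp_types=(1, 2)):
    """SSHFP rdata ('<alg> <fptype> <hex>') for one OpenSSH public key line,
    which is what `ssh-keygen -r` prints per host key."""
    key_type, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != key_type.encode():
        raise ValueError("key type inside blob does not match the line")
    alg = SSHFP_ALGORITHMS[key_type]
    # The fingerprint is the hash of the raw key blob, not of the base64 text.
    return [f"{alg} {t} {SSHFP_HASHES[t](blob).hexdigest()}" for t in fp_types]

def matches_sshfp(pubkey_line, rdata):
    """True if an SSHFP record (as dig prints it, upper-case hex) matches the
    key; compared case-insensitively because ssh-keygen emits lower-case."""
    alg, fp_type, fp_hex = rdata.split()
    expected = sshfp_records(pubkey_line, fp_types=(int(fp_type),))[0]
    return expected == f"{alg} {fp_type} {fp_hex.lower()}"

# Constructed sample key line standing in for /etc/ssh/ssh_host_rsa_key.pub.
SAMPLE_KEY_LINE = build_key_line("ssh-rsa", 65537, (0xC0FFEE << 1000) | 1)
```

Feeding a real /etc/ssh/ssh_host_rsa_key.pub line to sshfp_records reproduces the “1 1 …” record shown in the ssh-keygen output, and matches_sshfp accepts the upper-case form dig returns.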
SSH Client configuration
All SSH Clients are configured to use the locally stored SSH Server public key in “~/.ssh/known_hosts”. Here we configure the client to rely primarily on the DNS zone records for SSH Server verification instead of that file.
To configure the client, add the following to “~/.ssh/config” or “/etc/ssh/ssh_config”:
    VerifyHostKeyDNS yes
    HostKeyAlgorithms ssh-rsa,ssh-dss
The HostKeyAlgorithms line restricts the client to the key types for which SSHFP records were published above (RSA and DSA), so that host key negotiation selects a key that has a matching record in DNS.