wiki:infrastructure_tools:ssh:ssh-dnssec (2014/03/17 14:40)
====== SSH - DNSSEC ======

===== Preface =====

This document describes one way to manage the authentication of an SSH server on the SSH client side.

Before we start, here is a short summary of how an SSH server manages its host keys. \\
- The SSH server uses the same kind of key pair as an SSH client. \\
- The SSH server's host keys have no passphrase (so that sshd can start without human interaction). \\
- The SSH server stores all its host keys under " /etc/ssh/ssh_host_*key* ". \\
- In general we can say that 99,9999% of sshd administrators never even think about rotating the SSH server keys regularly. The reason is that every SSH client stores a local copy of the server's public key on the client side (in " ~/.ssh/known_hosts "), so if the server changes its keys, every SSH client has to update its local copy of the server's public key. (This is the root cause of many service calls.)

Because of this, it is possible to use the DNS service to validate SSH server public keys, using the "SSHFP" record. In this case the DNS zone file serves as a central authority for SSH server public keys, used instead of the local " ~/.ssh/known_hosts " list on the SSH client side. It also gives us the possibility of rotating the SSH server keys regularly, transparently for all SSH clients.

===== Important =====

Everything described in this document also works with standard DNS without DNSSEC. On the other hand, it is essential to make sure that the DNS server the SSH client uses is the only one authorized to provide this kind of information. For that reason, please do not use this without DNSSEC.

===== SSHFP - Create a zone record =====

In this document I'm not going to describe how DNS works or how to maintain it. I'm going to use the BIND DNS server, as it is the most popular open source DNS server.

The SSHFP records for the server are generated on the SSH server itself with " ssh-keygen -r ":

<code>
[root@SSH_Server ~]#  ssh-keygen -r SSH_Server
SSH_Server IN SSHFP 1 1 2edcb598114820336938e39e46e9daf04db90322
SSH_Server IN SSHFP 2 1 ff9ddf4d45d93c8c7b84f8103bb9c47bdfc49ebc
</code>

===== DNS Zone update =====

At this point we need to add the generated SSHFP records directly into the DNS zone file in which the server's:\\
- A record (translation from FQDN to IP) is maintained. If the SSH client uses the FQDN to access the server, this DNS zone file is checked for the SSH server's SSHFP record.\\
- PTR record (translation from IP to FQDN) is maintained. If the SSH client uses the IP to access the server, this DNS zone file is checked for the SSH server's SSHFP record. (Just replace the "SSH_Server" name with the IP of the server in the DNS zone record, or use " ssh-keygen -r <IP> ".)\\
\\
In general I would say that most SSH clients will use the FQDN to access the SSH server. Anyway, we need to make sure that access via the SSH server's IP works correctly as well.

<code>
[root@DNS_Server zone]# cat example.com.db                                      # This is just an example
$TTL    86400
@               IN SOA  example.com root (
                                        42              ; serial (d. adams)
                                        3H              ; refresh
                                        15M             ; retry
                                        1W              ; expiry
                                        1D )            ; minimum
                IN NS           example.com.
                IN A            10.0.0.53
SSH_Server      IN A            10.0.0.3
SSH_Server      IN SSHFP 1 1 2edcb598114820336938e39e46e9daf04db90322
SSH_Server      IN SSHFP 2 1 ff9ddf4d45d93c8c7b84f8103bb9c47bdfc49ebc
</code>

===== Test the new DNS record =====

To check the SSHFP records stored in DNS you can use the command " dig +dnssec <FQDN_or_IP_of_SSH_Server> SSHFP ":
<code>
[root@SSH_Client ~]# dig +dnssec ssh_server.example.com SSHFP

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> +dnssec ssh_server.example.com SSHFP
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56881
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1

;; ANSWER SECTION:
ssh_server.example.com.           86400   IN      SSHFP   1 1 2EDCB598114820336938E39E46E9DAF04DB90322
ssh_server.example.com.           86400   IN      SSHFP   2 1 FF9DDF4D45D93C8C7B84F8103BB9C47BDFC49EBC
</code>
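
As an added example (not part of the original wiki page), the following Python script mirrors the check an OpenSSH client performs with VerifyHostKeyDNS: it derives SSHFP fingerprints from ssh_host_*_key.pub lines the way ssh-keygen -r does, parses a dig +dnssec answer, and reports whether a match is DNSSEC-validated (the "ad" flag in the dig header). The sample inputs are constructed from the ssh-keygen and dig output shown on this page; the SHA-256 fingerprint type (2) goes beyond the SHA-1 records above.

```python
import base64
import hashlib
import re
# SSHFP algorithm and fingerprint-type numbers (RFC 4255, RFC 6594, RFC 7479).
ALGO = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
        "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
FPTYPE = {1: hashlib.sha1, 2: hashlib.sha256}
SSHFP_RE = re.compile(r"\sSSHFP\s+(\d+)\s+(\d+)\s+([0-9A-Fa-f]+)")

def sshfp_from_pubkey(pubkey_line, fptype=1):
    """(algorithm, fptype, hex fingerprint) for one ssh_host_*_key.pub line,
    computed as ssh-keygen -r does: hash the base64-decoded key blob."""
    keytype, blob = pubkey_line.split()[:2]
    return (ALGO[keytype], fptype, FPTYPE[fptype](base64.b64decode(blob)).hexdigest())

def parse_sshfp_records(text):
    """Collect SSHFP triples from ssh-keygen -r output or a dig answer section;
    hex is lower-cased because dig prints upper-case and ssh-keygen lower-case."""
    return {(int(a), int(t), fp.lower()) for a, t, fp in SSHFP_RE.findall(text)}

def dnssec_validated(dig_output):
    """True when the dig +dnssec header carries the 'ad' (authenticated data)
    flag, i.e. the resolver validated the answer with DNSSEC."""
    m = re.search(r"^;; flags: ([^;]*);", dig_output, re.M)
    return bool(m) and "ad" in m.group(1).split()

def verify_host(local_records, dig_output):
    """Mirror the decision an OpenSSH client makes with VerifyHostKeyDNS yes:
    'secure' - a fingerprint matches and the answer carries the AD bit,
    'insecure-match' - matches, but not DNSSEC-validated (ssh still prompts),
    'mismatch' - no SSHFP record matches the server's host keys."""
    if not (local_records & parse_sshfp_records(dig_output)):
        return "mismatch"
    return "secure" if dnssec_validated(dig_output) else "insecure-match"

# Constructed sample input built from the fingerprints shown on this page:
# the ssh-keygen -r output and an abridged dig +dnssec answer for the server.
KEYGEN_OUTPUT = """\
SSH_Server IN SSHFP 1 1 2edcb598114820336938e39e46e9daf04db90322
SSH_Server IN SSHFP 2 1 ff9ddf4d45d93c8c7b84f8103bb9c47bdfc49ebc
"""
DIG_OUTPUT = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1
;; ANSWER SECTION:
ssh_server.example.com.  86400  IN  SSHFP 1 1 2EDCB598114820336938E39E46E9DAF04DB90322
ssh_server.example.com.  86400  IN  SSHFP 2 1 FF9DDF4D45D93C8C7B84F8103BB9C47BDFC49EBC
"""
if __name__ == "__main__":
    print(verify_host(parse_sshfp_records(KEYGEN_OUTPUT), DIG_OUTPUT))  # insecure-match
```

The dig output above shows flags "qr rd ra" without "ad", so although the fingerprints match, OpenSSH would report the DNS match but still ask for confirmation; only a validated answer (with "ad") lets the client accept the host key from DNS alone.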
===== SSH Client configuration =====

All SSH clients are configured to use the locally stored SSH server public key in " ~/.ssh/known_hosts ". In this case we will stop relying on that file and primarily use the DNS zone records for SSH server verification.

To configure the client, add the following to " ~/.ssh/config " or " /etc/ssh/ssh_config ":

<code>
VerifyHostKeyDNS yes
HostKeyAlgorithms ssh-rsa,ssh-dss
</code>
