SSHFP record

A Secure Shell fingerprint record (abbreviated as SSHFP record) is a type of resource record in the Domain Name System (DNS) which identifies SSH keys that are associated with a host name. The acquisition of an SSHFP record needs to be secured with a mechanism such as DNSSEC for a chain of trust to be established.

Structure

<span class="nowrap">⟨Name⟩</span> [<span class="nowrap">⟨[[Time to Live|TTL]]⟩</span>] [<span class="nowrap">⟨Class⟩</span>] SSHFP <span class="nowrap">⟨[[Algorithm]]⟩</span> <span class="nowrap">⟨Type⟩</span> <span class="nowrap">⟨[[Hash function|Fingerprint]]⟩</span>
Name
The name of the object to which the resource record belongs (optional)
TTL
Time to live (in seconds). Validity of Resource Records (optional)
Class
Protocol group to which the resource record belongs (optional)
Algorithm
Algorithm (0: reserved; 1: RSA;[1] 2: DSA,[1] 3: ECDSA;[2] 4: Ed25519[3] 6:Ed448;[4])
Type
Algorithm used to hash the public key (0: reserved; 1: SHA-1;[1] 2: SHA-256[2])
Fingerprint
Hexadecimal representation of the hash result, as text

Example

host.example.com.  SSHFP 4 2 123456789abcdef67890123456789abcdef67890123456789abcdef123456789

In this example, the host with the domain name host.example.com uses a Ed25519 key with the SHA-256 fingerprint 123456789abcdef67890123456789abcdef67890. This output would be produced by a ssh-keygen -r host.example.com. command on the target server by reading the existing default SSH host key (Ed25519).[5]

With the OpenSSH suite, the ssh-keyscan utility can be used to determine the fingerprint of a host's key; using the -D will print out the SSHFP record directly.[6]

See also

References

This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.