sshfp 1.1.1 review
sshfp generates DNS SSHFP records from SSH public keys. It can take public keys from a known_hosts file or obtain them by scanning a host's sshd daemon with ssh-keyscan.
The ssh client can use these SSHFP records if you set "VerifyHostKeyDNS yes" in /etc/ssh/ssh_config (or ~/.ssh/config). Note that OpenSSH only implicitly trusts a matching SSHFP record when the DNS answer was DNSSEC-validated (the resolver returned it as secure); an unvalidated match is handled as if the option were set to "ask", so publishing SSHFP records in an unsigned zone does not remove the host key prompt.
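The following is a worked example added here; it is not sshfp's own code (which is not on this page) but shows what the tool does with a known_hosts entry: decode the base64 public key blob, hash the raw key bytes, and emit "owner IN SSHFP <algorithm> <fptype> <hex>" lines, plus the comparison a client performs against a published record. The function names (parse_known_hosts, sshfp_fingerprint, matches, owner_name), the known_hosts sample and the key blob are all constructed for this example and are not real keys or hosts. It goes beyond the page's SHA-1-only output by also emitting fingerprint type 2 (SHA-256, defined later in RFC 6594), and it skips hashed hostnames, @cert-authority/@revoked markers and IP-address aliases, none of which have a DNS owner name to publish under.

```python
import base64
import hashlib
import hmac
import ipaddress
from typing import List, NamedTuple

# SSHFP RDATA algorithm numbers (RFC 4255, RFC 6594, RFC 7479).
KEY_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}

# SSHFP fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594).
FINGERPRINT_TYPES = {1: "sha1", 2: "sha256"}


class SshfpRecord(NamedTuple):
    owner: str
    algorithm: int
    fptype: int
    fingerprint: str

    def __str__(self) -> str:
        return f"{self.owner} IN SSHFP {self.algorithm} {self.fptype} {self.fingerprint}"


def sshfp_fingerprint(key_b64: str, fptype: int) -> str:
    """Hex digest over the raw, base64-decoded public key blob.

    The digest covers the binary wire-format key, not the base64 text; hashing
    the text instead produces records that never match what ssh computes.
    """
    blob = base64.b64decode(key_b64)
    return hashlib.new(FINGERPRINT_TYPES[fptype], blob).hexdigest()


def owner_name(host: str, trailing_dot: bool) -> str:
    """Turn a known_hosts host token into a DNS owner name (like sshfp -t)."""
    if host.startswith("["):          # "[host]:port" form for non-standard ports
        host = host[1:host.index("]")]
    # Only names with at least two labels get the dot; a bare "www" is left
    # for the zone's $ORIGIN to complete.
    if trailing_dot and "." in host and not host.endswith("."):
        host += "."
    return host


def parse_known_hosts(text: str, fptypes=(1, 2), trailing_dot=False) -> List[SshfpRecord]:
    """Emit one SSHFP record per (host alias, fingerprint type) for each key line."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):      # @cert-authority / @revoked: not a host key
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        hosts, keytype, key_b64 = fields[0], fields[1], fields[2]
        if hosts.startswith("|1|"):   # hashed hostname: no name to publish under
            continue
        if keytype not in KEY_ALGORITHMS:
            continue
        for host in hosts.split(","):
            if host.startswith(("*", "!")):   # wildcard / negation patterns
                continue
            try:
                ipaddress.ip_address(host.strip("[]").split("]:")[0])
                continue                  # IP literal, not a DNS owner name
            except ValueError:
                pass
            for fptype in fptypes:
                records.append(SshfpRecord(owner_name(host, trailing_dot),
                                           KEY_ALGORITHMS[keytype], fptype,
                                           sshfp_fingerprint(key_b64, fptype)))
    return records


def matches(record: SshfpRecord, keytype: str, key_b64: str) -> bool:
    """What a client does with a DNSSEC-validated SSHFP answer: compare the
    presented host key's algorithm and digest against the published record."""
    if KEY_ALGORITHMS.get(keytype) != record.algorithm:
        return False
    return hmac.compare_digest(record.fingerprint,
                               sshfp_fingerprint(key_b64, record.fptype))


# Constructed sample: a syntactically valid ed25519 blob that is NOT a real key.
SAMPLE_KEY_B64 = "AAAAC3NzaC1lZDI1NTE5AAAAIGZha2Uga2V5IGZvciB0aGUgZXhhbXBsZSBvbmx5ICEh"
SAMPLE_KNOWN_HOSTS = f"""# constructed sample known_hosts, not from a real system
www.example.com,192.0.2.10 ssh-ed25519 {SAMPLE_KEY_B64}
|1|Zm9vYmFy|YmFyYmF6 ssh-ed25519 {SAMPLE_KEY_B64}
@cert-authority *.example.com ssh-ed25519 {SAMPLE_KEY_B64}
[git.example.com]:2222 ssh-ed25519 {SAMPLE_KEY_B64}
"""

if __name__ == "__main__":
    for rec in parse_known_hosts(SAMPLE_KNOWN_HOSTS, trailing_dot=True):
        print(rec)
```

Run it and compare the SHA-1 line with the output of ssh-keygen -r for the same key; the two must agree exactly before the record is published.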
SYNTAX
sshfp [-k [knownhosts_file]] [-a] | [<hostname1> [hostname2 ...]]
sshfp -s [-a <domain>] | [<hostname1> [hostname2 ...]] [@ns]
OPTIONS
-s / --scan <hostname1> [hostname2 ...]
Scan hosts or a domain for public SSH keys using ssh-keyscan
-k / --knownhosts [knownhosts_file] <hostname1> [hostname2 ...]
Obtain public SSH keys from a known_hosts file. Defaults to
~/.ssh/known_hosts
-a / --all
Scan all hosts in the known_hosts file when used with -k. When used
with -s, it will attempt a zone transfer (AXFR) to obtain all A
records in the domain specified. Most authoritative servers refuse
AXFR to arbitrary clients, so this usually requires pointing sshfp
at a name server (@ns) that allows transfers from your address.
-t / --trailing-dot
Add a trailing dot to the hostname in the SSHFP records. It is not
possible to determine whether a known_hosts entry or DNS query is for
a FQDN (eg www.xelerance.com) or not (eg www), unless -d domainname
-a is used, in which case a trailing dot is always appended.
Non-FQDN hostnames get their domain name appended through the search
list in /etc/resolv.conf. Such non-FQDN entries arise when passing a
short name (eg sshfp -k www) or from known_hosts entries obtained by
running ssh www.sub, where .domain.com is implied. When -t is used,
all hostnames not ending with a dot that contain at least two labels
(eg www.sub, but not www) get a trailing dot. In a zone file a name
without a trailing dot is relative to the zone's $ORIGIN, so a missing
or spurious dot publishes the record under the wrong owner name and
ssh will simply not find it. Note that the output of sshfp can also
just be edited manually to add trailing dots.
-o / --output <filename>
Write to filename instead of stdout
-h / --help
Output help information and exit.
-v / --version
Output version information and exit.
Requirements:
python-dns
What's New in This Release:
This release fixes a bug that made sshfp generate incorrect SHA-1 fingerprints for SSHFP records. Records produced by earlier versions should be regenerated and cross-checked against the output of ssh-keygen -r for the same host key before being published.
There are also some getopt parsing fixes.