ssh-keygen -f /etc/ssh/ssh_host_rsa_key.pub -r hostname
ssh-keygen -f /etc/ssh/ssh_host_dsa_key.pub -r hostname

You can paste the output straight into your DNS zone file (it is in standard presentation format: host IN SSHFP algorithm fptype hex-fingerprint).

To convert it to tinydns/djbdns data format (a generic record of type 44, with every rdata byte written as an octal \ooo escape):

ssh-keygen -f /etc/ssh/ssh_host_rsa_key.pub -r hostname | perl -e '
  while (defined($line = <STDIN>)) {
    # fields: host IN SSHFP algorithm fptype hex-fingerprint
    my ($host, $in, $sshfp, $alg, $fptype, $fp) = split " ", $line;
    # rdata starts with the algorithm and fingerprint-type bytes
    printf(":%s:44:\\%03o\\%03o", $host, $alg, $fptype);
    # then the fingerprint, two hex digits per byte
    for (my $i = 0; $i < length($fp); $i += 2) {
      printf("\\%03o", hex substr($fp, $i, 2));
    }
    print ":\n";
  }'
All-in-one script

( [ -e /etc/ssh/ssh_host_rsa_key.pub ] && ssh-keygen -f /etc/ssh/ssh_host_rsa_key.pub -r `hostname` ;
  [ -e /etc/ssh/ssh_host_dsa_key.pub ] && ssh-keygen -f /etc/ssh/ssh_host_dsa_key.pub -r `hostname` ) | perl -e '
  while (defined($line = <STDIN>)) {
    # fields: host IN SSHFP algorithm fptype hex-fingerprint
    my ($host, $in, $sshfp, $alg, $fptype, $fp) = split " ", $line;
    printf(":%s:44:\\%03o\\%03o", $host, $alg, $fptype);
    for (my $i = 0; $i < length($fp); $i += 2) {
      printf("\\%03o", hex substr($fp, $i, 2));
    }
    print ":\n";
  }'
You can also generate SSHFP records from your known_hosts file with the sshfp command. The tool is packaged for Fedora, although you may need to run yum install sshfp to install it first. Then you can run:

sshfp -a
Or combined with the Perl script:

sshfp -a | perl -e '
  while (defined($line = <STDIN>)) {
    # fields: host IN SSHFP algorithm fptype hex-fingerprint
    my ($host, $in, $sshfp, $alg, $fptype, $fp) = split " ", $line;
    printf(":%s:44:\\%03o\\%03o", $host, $alg, $fptype);
    for (my $i = 0; $i < length($fp); $i += 2) {
      printf("\\%03o", hex substr($fp, $i, 2));
    }
    print ":\n";
  }'
Client configuration
SSHFP records are useless if your client simply ignores them. Add the following line to /etc/ssh/ssh_config:

VerifyHostKeyDNS yes

Note that ssh only treats a DNS match as authoritative when the answer was validated by DNSSEC (the resolver set the AD bit); for an unsigned zone it still prompts, but tells you that a matching host key fingerprint was found in DNS.
Python
When Perl is not available, you can switch to this Python script (it runs under Python 2 and 3):

( [ -e /etc/ssh/ssh_host_rsa_key.pub ] && ssh-keygen -f /etc/ssh/ssh_host_rsa_key.pub -r `hostname` ;
  [ -e /etc/ssh/ssh_host_dsa_key.pub ] && ssh-keygen -f /etc/ssh/ssh_host_dsa_key.pub -r `hostname` ) | python -c '
import sys
for line in sys.stdin:
    # fields: host IN SSHFP algorithm fptype hex-fingerprint
    pat = line.split()
    if len(pat) < 6:
        continue
    sys.stdout.write(":%s:44:\\%03o\\%03o" % (pat[0], int(pat[3]), int(pat[4])))
    fp = pat[5]
    for i in range(0, len(fp), 2):
        sys.stdout.write("\\%03o" % int(fp[i:i + 2], 16))
    sys.stdout.write(":\n")
'
Awk
And finally an awk version (strtonum is a gawk extension, so this needs GNU awk):

( [ -e /etc/ssh/ssh_host_rsa_key.pub ] && ssh-keygen -f /etc/ssh/ssh_host_rsa_key.pub -r `hostname` ;
  [ -e /etc/ssh/ssh_host_dsa_key.pub ] && ssh-keygen -f /etc/ssh/ssh_host_dsa_key.pub -r `hostname` ) | \
awk '{
  # $1 host, $4 algorithm, $5 fingerprint type, $6 hex fingerprint
  printf ":%s:44:\\%03o\\%03o", $1, $4, $5;
  for (i = 1; i <= length($6); i += 2) {
    printf "\\%03o", strtonum("0x" substr($6, i, 2))
  }
  print ":"
}'
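As an added example (not code from the original post), the Python script below covers two points made above in one place: how a tinydns generic record is built from the presentation-format output of ssh-keygen -r, and what the client side does with VerifyHostKeyDNS, namely base64-decode the host key blob, hash it with SHA-1 (fingerprint type 1) or SHA-256 (type 2) and compare the result with the SSHFP records. The hostname, the sample keys and the key blobs are all constructed for the demonstration; the blobs are merely shaped like Ed25519 keys and hold no real curve point.

```python
"""Added example (not from the original post): parse `ssh-keygen -r`
output, emit tinydns generic records, and recompute a host key's SSHFP
fingerprint the way a VerifyHostKeyDNS client does. All sample data
below is constructed."""
import base64
import hashlib
import struct

# Algorithm and fingerprint-type code points from RFC 4255, RFC 6594 and RFC 7479.
ALGORITHMS = {
    "ssh-rsa": 1, "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3, "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
HASHES = {1: hashlib.sha1, 2: hashlib.sha256}


def parse_sshfp_line(line):
    """'host IN SSHFP alg fptype hexfp' -> (host, alg, fptype, hexfp)."""
    f = line.split()
    if len(f) < 6 or f[1].upper() != "IN" or f[2].upper() != "SSHFP":
        raise ValueError("not an SSHFP record: %r" % line)
    return f[0], int(f[3]), int(f[4]), f[5].lower()


def tinydns_sshfp(host, alg, fptype, fp_hex):
    """Generic tinydns line ':fqdn:44:rdata:' with every rdata byte as an octal escape."""
    rdata = bytes([alg, fptype]) + bytes.fromhex(fp_hex)
    return ":%s:44:%s:" % (host.rstrip("."), "".join("\\%03o" % b for b in rdata))


def sshfp_digest(blob_b64, fptype):
    """Hex SSHFP fingerprint (1 = SHA-1, 2 = SHA-256) of a base64-encoded key blob."""
    return HASHES[fptype](base64.b64decode(blob_b64)).hexdigest()


def sshfp_records_for_key(host, pubkey_line, fptypes=(1, 2)):
    """The presentation-format records ssh-keygen -r would print for this key."""
    keytype, blob_b64 = pubkey_line.split()[:2]
    return ["%s IN SSHFP %d %d %s" % (host, ALGORITHMS[keytype], t, sshfp_digest(blob_b64, t))
            for t in fptypes]


def key_matches_records(pubkey_line, records):
    """True when at least one record matches the offered key (the client-side check)."""
    keytype, blob_b64 = pubkey_line.split()[:2]
    alg = ALGORITHMS.get(keytype)
    for rec in records:
        _, r_alg, r_type, r_fp = parse_sshfp_line(rec)
        if r_alg == alg and r_type in HASHES and sshfp_digest(blob_b64, r_type) == r_fp:
            return True
    return False


def _fake_ed25519_line(point, comment):
    """Constructed OpenSSH public-key line: string 'ssh-ed25519' followed by string point."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", len(point)) + point
    return "ssh-ed25519 %s %s" % (base64.b64encode(blob).decode(), comment)


# Constructed sample keys; the 32-byte "point" is not a real curve point.
SAMPLE_KEY = _fake_ed25519_line(bytes(range(32)), "constructed@example")
TAMPERED_KEY = _fake_ed25519_line(bytes(range(31)) + b"\xff", "constructed@example")

if __name__ == "__main__":
    records = sshfp_records_for_key("host.example.com", SAMPLE_KEY)
    for rec in records:
        print(rec)
        print(tinydns_sshfp(*parse_sshfp_line(rec)))
    print("genuine key matches:", key_matches_records(SAMPLE_KEY, records))
    print("tampered key matches:", key_matches_records(TAMPERED_KEY, records))
```

Run directly, the script prints both records for the constructed key, their tinydns equivalents, and shows that a key whose blob differs in a single byte no longer matches any record. The same functions work on real ssh-keygen -r output, since that is exactly the format parse_sshfp_line accepts.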