
sshfp

   Generate SSHFP DNS records from knownhosts files or ssh-keyscan

SYNTAX

   sshfp [-k [knownhosts_file]] [-a] | [<hostname1> [hostname2 ...]]
   sshfp -s [-p port] <-a <domain> [@ns] | <hostname1> [hostname2 ...]>

DESCRIPTION

   sshfp generates RFC 4255 SSHFP DNS records based on the public keys stored
   in a known_hosts file, which implies the user has previously trusted those
   keys, or on public keys obtained with ssh-keyscan(1). Using ssh-keyscan(1)
   implies a secure path to the hosts being scanned. It also implies trust in
   the DNS to obtain the IP address of the hostname to be scanned. If the
   nameserver of the domain allows zone transfers (AXFR), an entire domain can
   be processed for all its A records.

OPTIONS

   -s / --scan <hostname1> [hostname2 ...]
          Scan hosts or domain for public SSH keys using ssh-keyscan
   -k / --knownhosts [knownhosts_file] <hostname1> [hostname2 ...]
          Obtain public SSH keys from a known_hosts file. Defaults to using
          ~/.ssh/known_hosts
   -a / --all
          Scan all hosts in the known_hosts file when used with -k. When used
          with -s, it will attempt a zone transfer (AXFR) to obtain all A
          records in the domain specified.
   -t / --trailing-dot
          Add a trailing dot to the hostname in the SSHFP records. It is not
          possible to determine whether a known_hosts entry or DNS query is for
          a FQDN (eg www.xelerance.com) or not (eg www), unless -d domainname
          -a is used, in which case a trailing dot is always appended.
          Non-FQDNs get their domainname appended through /etc/resolv.conf.
          These non-FQDNs will occur when using a non-FQDN (eg sshfp -k www)
          or known_hosts entries obtained by running ssh www.sub where
          .domain.com is implied. When -t is used, all hostnames not ending
          with a dot that contain at least two parts in their hostname (eg
          www.sub but not www) get a trailing dot. Note that the output of
          sshfp can also just be manually edited for trailing dots.
   -o / --output <filename>
          Write to filename instead of stdout
   -p / --port <portnumber>
          Use <portnumber> for scanning. Note that portnumbers do NOT appear
          in SSHFP records.
   -h / --help
          Output help information and exit.
   -v / --version
          Output version information and exit.
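
   The record generation described under DESCRIPTION and the trailing-dot rule
   of -t, as an added Python example (not sshfp's own code, which this page
   does not reproduce): it reads known_hosts or ssh-keyscan lines, hashes the
   base64 key blob and emits one SSHFP record per fingerprint type. The sample
   lines and the key blob YWJj (base64 of "abc", not a real key) are
   constructed; SHA-256 fingerprints (type 2) follow RFC 6594, which postdates
   the RFC 4255-only output the page describes, and IP literals are emitted
   as-is because the page does not say how sshfp treats them.

```python
import base64
import hashlib

# Algorithm numbers from RFC 4255 (RSA, DSA), RFC 6594 (ECDSA) and
# RFC 7479 (Ed25519) for the key types seen in known_hosts / ssh-keyscan.
KEY_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}

# Fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594).
FP_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}

# Constructed sample in known_hosts / ssh-keyscan format; "YWJj" is
# base64("abc"), a placeholder blob rather than a real public key.
SAMPLE_KNOWN_HOSTS = """\
# constructed sample, not real keys
bofh.xelerance.com,192.0.2.10 ssh-ed25519 YWJj
[git.example.com]:2222 ssh-rsa YWJj
|1|c2FsdA==|aGFzaA== ssh-rsa YWJj
www ecdsa-sha2-nistp256 YWJj
"""


def fingerprint(keyblob_b64, fp_type):
    """Hex digest (upper case, as in zone files) of the raw key blob."""
    pubkey = base64.b64decode(keyblob_b64)
    return FP_TYPES[fp_type](pubkey).hexdigest().upper()


def sshfp_records(line, trailing_dot=False, fp_types=(1, 2)):
    """Turn one known_hosts / ssh-keyscan line into SSHFP zone-file records.

    Returns one record string per (name, fingerprint type); an empty list
    for comments, hashed hostnames (|1|salt|hash) and unknown key types.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return []
    fields = line.split()
    if len(fields) < 3:
        return []
    hosts, keytype, keyblob = fields[0], fields[1], fields[2]
    if hosts.startswith("|"):
        return []  # hashed entry: the name cannot be recovered (see BUGS)
    algo = KEY_ALGORITHMS.get(keytype)
    if algo is None:
        return []
    records = []
    # known_hosts may list several names for one key, separated by commas;
    # a non-default port is written as [host]:port and the port is dropped,
    # since port numbers never appear in SSHFP records.
    for host in hosts.split(","):
        if host.startswith("[") and "]" in host:
            host = host[1:host.index("]")]
        # -t rule from the page: names with at least two labels and no
        # trailing dot get one; a bare label such as "www" is left alone.
        if trailing_dot and "." in host and not host.endswith("."):
            host += "."
        for fp_type in fp_types:
            digest = fingerprint(keyblob, fp_type)
            records.append(f"{host} IN SSHFP {algo} {fp_type} {digest}")
    return records


def generate_zone(known_hosts_text, trailing_dot=False):
    """Process a whole file's worth of lines, like sshfp -k -a [-t]."""
    records = []
    for line in known_hosts_text.splitlines():
        records.extend(sshfp_records(line, trailing_dot))
    return records


if __name__ == "__main__":
    for rec in generate_zone(SAMPLE_KNOWN_HOSTS, trailing_dot=True):
        print(rec)
```

   Feeding it `ssh-keyscan -t rsa,ed25519 host` output works the same way,
   since ssh-keyscan prints lines in known_hosts format; the caveat from
   DESCRIPTION applies, as a scan only attests to whatever key the network
   path delivered.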
FILES

   ~/.ssh/known_hosts

REQUIREMENTS

   sshfp requires python-dns (http://www.pythondns.org)

   Fedora: yum install python-dns

   Debian: apt-get install python-dnspython

BUGS

   If a domain contains non-working glue A records, then ssh-keyscan aborts
   instead of skipping the single broken entry.

   There is no facility to look up hashed hostnames in known_hosts files.
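
   The hashed-hostname case from the second BUGS item, as an added Python
   example that is not part of sshfp: OpenSSH's HashKnownHosts option writes
   the host field as |1|salt|hash, where hash is HMAC-SHA1 over the hostname
   keyed with the 20-byte salt, so a tool that knows which hostname it is
   looking for can still find the matching line by recomputing the HMAC. The
   sample entries and the fixed salt are constructed.

```python
import base64
import hashlib
import hmac
import os


def hash_known_host(hostname, salt=None):
    """Build an OpenSSH HashKnownHosts host field (|1|salt|hash) for hostname.

    A non-default port is hashed as the literal string "[host]:port", which
    is how ssh writes such names in known_hosts.
    """
    if salt is None:
        salt = os.urandom(20)  # OpenSSH uses a random 20-byte salt
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (
        base64.b64encode(salt).decode(),
        base64.b64encode(mac).decode(),
    )


def hashed_host_matches(host_field, hostname):
    """True if a |1|salt|hash field was produced from this hostname."""
    parts = host_field.split("|")
    if len(parts) != 4 or parts[0] != "" or parts[1] != "1":
        return False
    try:
        salt = base64.b64decode(parts[2])
        expected = base64.b64decode(parts[3])
    except ValueError:
        return False
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(mac, expected)


def find_hashed_entries(known_hosts_text, hostname):
    """Return known_hosts lines whose hashed host field matches hostname.

    The returned lines keep their key type and blob, so they can be fed to
    an SSHFP generator with the plaintext name substituted for the hash.
    """
    matches = []
    for line in known_hosts_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and hashed_host_matches(fields[0], hostname):
            matches.append(line)
    return matches


# Constructed sample: a fixed salt keeps the output reproducible; "YWJj"
# is a placeholder key blob (base64 of "abc"), not a real key.
_SALT = b"A" * 20
SAMPLE_HASHED_KNOWN_HOSTS = "\n".join([
    hash_known_host("bofh.xelerance.com", _SALT) + " ssh-ed25519 YWJj",
    hash_known_host("[git.example.com]:2222", _SALT) + " ssh-rsa YWJj",
    "www.openswan.org ssh-rsa YWJj",
])


if __name__ == "__main__":
    for line in find_hashed_entries(SAMPLE_HASHED_KNOWN_HOSTS, "bofh.xelerance.com"):
        print(line)
```

   This only recovers names you already know, so the -a behaviour of walking
   every entry in a hashed file remains impossible; the lookup has to be
   driven by the hostnames given on the command line.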

EXAMPLES

   typical usage:

   sshfp (implies -k -a)

   sshfp -a -t (implies -k)

   sshfp -k bofh.xelerance.com (from known_hosts)

   sshfp -s bofh.xelerance.com (from a scan to the host)

   sshfp -k ~paul/.ssh/known_hosts bofh.xelerance.com www.openswan.org -o
   /tmp/mysshfp.txt

   sshfp -a -t -d xelerance.com @ns0.xelerance.net >>
   /var/named/primary/xelerance.com

SEE ALSO

   ssh-keyscan(1) ssh(1) and RFC 4255

   http://www.xelerance.com/software/sshfp/
   http://lists.xelerance.com/mailman/listinfo/sshfp/

AUTHORS

   Paul Wouters, Jacob Appelbaum

COPYRIGHT

   Copyright © 2006 Xelerance Corporation

   This program is free software; you can redistribute it and/or modify it
   under the terms of the GNU General Public License as published by the Free
   Software Foundation; either version 2 of the License, or (at your option)
   any later version. See <http://www.fsf.org/copyleft/gpl.txt>.

   This program is distributed in the hope that it will be useful, but WITHOUT
   ANY  WARRANTY; without even the implied warranty of MERCHANTABILITY or
   FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License (file
   COPYING in the distribution) for more details.
