# SSHFP via DNSSEC

By default, my ssh config (if loaded from the git repository) uses SSHFP records via DNSSEC to verify the host key fingerprints of servers. We have to set up the SSHFP records in DNS for this to work.
> You need to modify `.ssh/config` to have the option `VerifyHostKeyDNS yes`
{.is-info}
On the server, run this command:

```
ssh-keygen -r <hostname>
```
This will print out something like this:

```
$ ssh-keygen -r rerun
rerun IN SSHFP 1 1 e7cbb914c381ccb9cd6216f3820cf20fd95209bd
rerun IN SSHFP 1 2 e62b836dce14f8b0cd253b2808a0d9490611eb34da04e80a019301c700377581
rerun IN SSHFP 2 1 83e213aba16cdc14304e9eddf1cef4e3621e999d
rerun IN SSHFP 2 2 eb4205a0f383237bb7b87bb2d8ad1d0abb15abbcea6c9b94c75aad1ecd1444b9
rerun IN SSHFP 3 1 21befc80d527b8bc72895aab49b113536c57a220
rerun IN SSHFP 3 2 326eeb77941ba84b904d15224c5f7c529c43ab0dee47dfdafc890c60fe5a65eb
rerun IN SSHFP 4 1 3d58ca729a4259be4001c6e628265be43abd48b3
rerun IN SSHFP 4 2 368073177d0611b79becf12f752dc21fcb9fc6da8e312777ff6feb80ba19fd84
```
We need to add these records to our DNS zone, which must support DNSSEC. We use Cloudflare with DNSSEC enabled.

For each line, add an SSHFP record: enter the hostname, algorithm, type and fingerprint, then save. After this it should work.
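To see exactly what `ssh-keygen -r` hashes (the raw decoded key blob, with the algorithm and fingerprint-type numbers shown above) and to check a key against published records offline, here is an added Python example; it is not code from this page or from OpenSSH, uses a constructed ed25519 key rather than a real one, and accepts only the SHA-256 record as a deliberate simplification.

```python
import base64
import hashlib

# SSHFP algorithm numbers keyed by the key type at the start of a public key
# line (1 = RSA, 2 = DSA, 3 = ECDSA, 4 = Ed25519) and fingerprint types
# (1 = SHA-1, 2 = SHA-256): the two numbers printed by ssh-keygen -r.
SSHFP_ALGORITHM = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                   "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
                   "ssh-ed25519": 4}
SSHFP_FPTYPE = {1: hashlib.sha1, 2: hashlib.sha256}


def sshfp_records(hostname, pubkey_line):
    """Return (host, alg, fptype, hex) records for one public key line.
    The fingerprint hashes the raw base64-decoded key blob, so the key's
    comment and the base64 text itself play no part."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    return [(hostname, SSHFP_ALGORITHM[keytype], fptype, hasher(blob).hexdigest())
            for fptype, hasher in sorted(SSHFP_FPTYPE.items())]


def parse_sshfp_line(line):
    """Parse one 'host IN SSHFP alg fptype hex' line as ssh-keygen -r prints it."""
    host, _in, _sshfp, alg, fptype, fp = line.split()
    return host.rstrip("."), int(alg), int(fptype), fp.lower()


def host_key_matches_dns(hostname, pubkey_line, dns_lines):
    """True when the key's SHA-256 SSHFP record is among the published ones.
    Accepting only SHA-256 is this example's choice, not a statement of
    OpenSSH's exact policy; no lookup is done here, so the lines must come
    from a DNSSEC-validated answer (AD bit set) to be worth trusting."""
    published = {parse_sshfp_line(line) for line in dns_lines}
    computed = {r for r in sshfp_records(hostname, pubkey_line) if r[2] == 2}
    return bool(computed & published)


def _ssh_string(data):
    return len(data).to_bytes(4, "big") + data

# Constructed sample: a syntactically valid ssh-ed25519 public key line whose
# 32 key bytes are a fixed pattern, not a real key pair.
SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_PUBKEY_LINE = "ssh-ed25519 %s sample@constructed" % (
    base64.b64encode(SAMPLE_BLOB).decode())

if __name__ == "__main__":
    for host, alg, fptype, fp in sshfp_records("rerun", SAMPLE_PUBKEY_LINE):
        print(host, "IN SSHFP", alg, fptype, fp)
```

Running it prints two records in the same shape as the `ssh-keygen -r` output above, one per fingerprint type; the same function applied to a real host key file gives the values to publish.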
# Default Authorized Keys
Here's the list of the keys we normally accept.