-
Notifications
You must be signed in to change notification settings - Fork 15
/
Copy pathsshfp.1
139 lines (139 loc) · 5.65 KB
/
sshfp.1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
'\" t
.\" Title: sshfp
.\" Author: [see the "AUTHORS" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: January 2, 2015
.\" Manual: Internet / DNS
.\" Source: Paul Wouters
.\" Language: English
.\"
.TH "SSHFP" "1" "January 2, 2015" "Paul Wouters" "Internet / DNS"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
sshfp \- Generate SSHFP DNS records from knownhosts files or ssh\-keyscan
.SH "SYNTAX"
.PP
sshfp [\fB\-k\fR
<\fIknownhosts_file\fR>] [\fB\-d\fR] [\fB\-a\fR] [\fB\-\-type\fR
<algo>] [\fB\-\-digest\fR
<digest>] [<\fIhost1\fR> [\fIhost2 \&.\&.\&.]\fR]
.PP
sshfp
\fB\-s\fR
[\fB\-p\fR
<\fIport\fR>] [\fB\-d\fR] [\fB\-a\fR] [\fB\-\-type\fR
<algo>] [\fB\-\-digest\fR
<digest>] [\fB\-n <nameserver\fR>\fI] <domain1\fR> [\fIdomain2\fR] <\fIhost1\fR> [\fIhost2 \&.\&.\&.\fR] >
.SH "DESCRIPTION"
.PP
sshfp generates RFC\-4255 SSHFP DNS records based on the public keys stored in a known_hosts file, which implies the user has previously trusted this key, or public keys can be obtained by using ssh\-keyscan (1)\&. Using ssh\-keyscan (1) implies a secure path to connect to the hosts being scanned\&. It also implies a trust in the DNS to obtain the IP address of the hostname to be scanned\&. If the nameserver of the domain allows zone transfers (AXFR), an entire domain can be processed for all its A records\&.
.SH "OPTIONS"
.PP
\fB\-s / \-\-scan\fR <\fIhostname1\fR> [hostname2 \&.\&.\&.]
.RS 4
Scan hosts or domain for public SSH keys using ssh\-keyscan
.RE
.PP
\fB\-k / \-\-knownhosts <\fR\fIknownhosts_file\fR\fI> <\fR\fIhostname1\fR\fI> [hostname2 \&.\&.\&.]\fR
.RS 4
Obtain public SSH keys from a known_hosts file\&. Defaults to using ~/\&.ssh/known_hosts
.RE
.PP
\fB\-a / \-\-all\fR
.RS 4
Scan all hosts in the known_hosts file when used with \-k\&. When used with \-s, it will attempt a zone transfer (AXFR) to obtain all A records in the domain specified\&.
.RE
.PP
\fB\-d / \-\-trailing\-dot\fR
.RS 4
Add a trailing dot to the hostname in the SSHFP records\&. It is not possible to determine whether a known_hosts or dns query is for a FQDN (eg www\&.redhat\&.com) or not (eg www) or not (unless \-d domainname \-a is used, in which case a trailing dot is always appended)\&. Non\-FQDN get their domainname appended through /etc/resolv\&.conf These non\-FQDN will happen when using a non\-FQDN (eg sshfp \-k www) or known_hosts entries obtained by running ssh www\&.sub where \&.domain\&.com is implied\&. When \-d is used, all hostnames not ending with a dot, that at least contain two parts in their hostname (eg www\&.sub but not www get a trailing dot\&. Note that the output of sshfp can also just be manually edited for trailing dots\&.
.RE
.PP
\fB\-o / \-\-output\fR <\fIfilename\fR>
.RS 4
Write to filename instead of stdout
.RE
.PP
\fB\-p / \-\-port\fR <\fIportnumber\fR>
.RS 4
Use portnumber for scanning\&. Note that portnumbers do NOT appear in SSHFP records\&.
.RE
.PP
\fB\-h / \-\-help\fR
.RS 4
Output help information and exit\&.
.RE
.PP
\fB\-v / \-\-version\fR
.RS 4
Output version information and exit\&.
.RE
.PP
\fB\-q / \-\-quiet\fR
.RS 4
Output less miscellany to stderr
.RE
.SH "FILES"
.PP
~/\&.ssh/known_hosts
.SH "REQUIREMENTS"
.PP
sshfp requires python\-dns (\m[blue]\fBhttp://www\&.pythondns\&.org\fR\m[])
.PP
Fedora: yum install python\-dns
.PP
Debian: apt\-get install python\-dnspython
.SH "BUGS"
.PP
if a domain contains non\-working glue A records, then ssh\-keyscan aborts instead of skipping the single broken entry\&.
.PP
This program can look up hashed hostnames in a known_hosts file if a recent\-enough ssh\-keygen is present
.SH "EXAMPLES"
.PP
typical usage:
.PP
sshfp (implies \-k \-a)
.PP
sshfp \-a \-d (implies \-k)
.PP
sshfp \-k bofh\&.nohats\&.ca (from known_hosts)
.PP
sshfp \-s bofh\&.nohats\&.ca (from a scan to the host)
.PP
sshfp \-k ~paul/\&.ssh/known_hosts bofh\&.nohats\&.ca www\&.openswan\&.org \-o /tmp/mysshfp\&.txt
.PP
sshfp \-a \-d \-d nohats\&.ca \-n ns0\&.nohats\&.ca >> /var/named/primary/nohats\&.ca
.SH "SEE ALSO"
.PP
\fBssh-keyscan\fR(1)\fBssh\fR(1)\fBtlsa\fR(1)
and RFC\-4255
.SH "AUTHORS"
.PP
Paul Wouters <pwouters@redhat\&.com>, Jacob Appelbaum <jacob@appelbaum\&.net>, James Brown <jbrown@yelp\&.com>
.SH "COPYRIGHT"
.PP
Copyright 2006\-2010 Xelerance Corporation
.PP
Copyright 2012 Paul Wouters
.PP
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version\&. See <\m[blue]\fBhttp://www\&.fsf\&.org/copyleft/gpl\&.txt\fR\m[]>\&.
.PP
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE\&. See the GNU General Public License (file COPYING in the distribution) for more details\&.