-
Notifications
You must be signed in to change notification settings - Fork 12
/
sshfp.1.xml
162 lines (138 loc) · 7.3 KB
/
sshfp.1.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
"http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">
<!-- lifted from troff+man by doclifter -->
<refentry id='sshfp1'>
<refentryinfo><date>April 12, 2011</date></refentryinfo>
<refmeta>
<refentrytitle>sshfp</refentrytitle>
<manvolnum>1</manvolnum>
<refmiscinfo class='date'>April 12, 2011</refmiscinfo>
<refmiscinfo class='source'>Paul Wouters</refmiscinfo>
<refmiscinfo class='manual'>Internet / DNS</refmiscinfo>
</refmeta>
<refnamediv id='name'>
<refname>sshfp</refname>
<refpurpose>Generate SSHFP DNS records from knownhosts files or ssh-keyscan</refpurpose>
</refnamediv>
<!-- body begins here -->
<refsect1 id='syntax'><title>SYNTAX</title>
<para>sshfp [<option>-k</option> <<emphasis remap='I'>knownhosts_file</emphasis>>] [<option>-d</option>] [<option>-a</option>] | [<<emphasis remap='I'>host1</emphasis>> [<emphasis remap='I'>host2 ...]</emphasis>]
<!-- .br -->
sshfp <option>-s</option> [<option>-p</option> <<emphasis remap='I'>port</emphasis>>] [<option>-d</option>] <<option>-a</option>> [<option>-n <nameserver</option>><emphasis remap='P->I'>] <domain1</emphasis>> [<emphasis remap='I'>domain2</emphasis>] | <<emphasis remap='I'>host1</emphasis>> [<emphasis remap='I'>host2 ...</emphasis>] ></para>
</refsect1>
<refsect1 id='description'><title>DESCRIPTION</title>
<para>sshfp generates RFC4255 SSHFP DNS records based on the public keys
stored in a known_hosts file, which implies the user has
previously trusted this key, or public keys can be obtained
by using ssh-keyscan (1). Using ssh-keyscan (1) implies a secure path to connect to the hosts being scanned.
It also implies a trust in the DNS to obtain the IP address of
the hostname to be scanned. If the nameserver of the domain allows zone tranfers (AXFR), an entire domain can be processed for all its A records.</para>
</refsect1>
<refsect1 id='options'><title>OPTIONS</title>
<variablelist remap='TP'>
<varlistentry>
<term><option>-s / --scan</option> <<emphasis remap='I'>hostname1</emphasis>> [hostname2 ...]</term>
<listitem>
<para>Scan hosts or domain for public SSH keys using ssh-keyscan</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-k / --knownhosts <</option><emphasis remap='I'>knownhosts_file</emphasis><emphasis remap='P->B'>> <</emphasis><emphasis remap='I'>hostname1</emphasis><emphasis remap='P->B'>> [hostname2 ...]</emphasis></term>
<listitem>
<para>Obtain public SSH keys from a known_hosts file. Defaults to using ~/.ssh/known_hosts</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-a / --all</option></term>
<listitem>
<para>Scan all hosts in the known_hosts file when used with -k. When used with -s, it will attempt an zone transfer (AXFR) to obtain all A records in the domain specified.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-d / --trailing-dot</option></term>
<listitem>
<para>Add a trailing dot to the hostname in the SSHFP records. It is not possible
to determine whether a known_hosts or dns query is for a FQDN (eg www.xelerance.com)
or not (eg www) or not (unless -d domainname -a is used, in which case a trailing dot
is always appended). Non-FQDN get their domainname appended through /etc/resolv.conf
These non-FQDN will happen when using a non-FQDN (eg sshfp -k www)
or known_hosts entries obtained by running ssh www.sub where .domain.com is implied.
When -d is used, all hostnames not ending with a dot, that at least contain two parts
in their hostname (eg www.sub but not www get a trailing dot. Note that the output of
sshfp can also just be manually editted for trailing dots.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-o / --output</option> <<emphasis remap='I'>filename</emphasis>></term>
<listitem>
<para>Write to filename instead of stdout</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-p / --port</option> <<emphasis remap='I'>portnumber</emphasis>></term>
<listitem>
<para>Use portnumber for scanning. Note that portnumbers do NOT appear in SSHFP records.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-h / --help</option></term>
<listitem>
<para>Output help information and exit.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-v / --version</option></term>
<listitem>
<para>Output version information and exit.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-q / --quiet</option></term>
<listitem>
<para>Output less miscellany to stderr</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1 id='files'><title>FILES</title>
<para><filename>~/.ssh/known_hosts</filename></para>
</refsect1>
<refsect1 id='requirements'><title>REQUIREMENTS</title>
<para>sshfp requires python-dns (<ulink url='http://www.pythondns.org'>http://www.pythondns.org</ulink>)</para>
<para>Fedora: yum install python-dns</para>
<para>Debian: apt-get install python-dnspython</para>
</refsect1>
<refsect1 id='bugs'><title>BUGS</title>
<para>if a domain contains non-working glue A records, then ssh-keyscan aborts instead of skipping the single broken entry.</para>
<para>This program can look up hashed hostnames in a known_hosts file if a recent-enough ssh-keygen is present</para>
</refsect1>
<refsect1 id='examples'><title>EXAMPLES</title>
<para>typical usage:</para>
<para>sshfp (implies -k -a)</para>
<para>sshfp -a -d (implies -k)</para>
<para>sshfp -k bofh.xelerance.com (from known_hosts)</para>
<para>sshfp -s bofh.xelerance.com (from a scan to the host)</para>
<para>sshfp -k ~paul/.ssh/known_hosts bofh.xelerance.com www.openswan.org -o /tmp/mysshfp.txt</para>
<para>sshfp -a -d -d xelerance.com -n ns0.xelerance.net >> /var/named/primary/xelerance.com</para>
</refsect1>
<refsect1 id='see_also'><title>SEE ALSO</title>
<para><citerefentry><refentrytitle>ssh-keyscan</refentrytitle><manvolnum>1</manvolnum></citerefentry> <citerefentry><refentrytitle>ssh</refentrytitle><manvolnum>1</manvolnum></citerefentry> and RFC-4255</para>
<para><ulink url='http://www.xelerance.com/software/sshfp/'>http://www.xelerance.com/software/sshfp/</ulink></para>
<para><ulink url='http://lists.xelerance.com/mailman/listinfo/sshfp/'>http://lists.xelerance.com/mailman/listinfo/sshfp/</ulink></para>
</refsect1>
<refsect1 id='authors'><title>AUTHORS</title>
<para>Paul Wouters <paul@xelerance.com>, Jacob Appelbaum <jacob@appelbaum.net>, James Brown <jbrown@yelp.com></para>
</refsect1>
<refsect1 id='copyright'><title>COPYRIGHT</title>
<para>Copyright 2006-2010 Xelerance Corporation</para>
<para>This program is free software; you can redistribute it and/or modify it
under the terms of the GNU General Public License as published by the
Free Software Foundation; either version 2 of the License, or (at your
option) any later version. See <<ulink url='http://www.fsf.org/copyleft/gpl.txt'>http://www.fsf.org/copyleft/gpl.txt</ulink>>.</para>
<para>This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
Public License (file COPYING in the distribution) for more details.</para>
</refsect1>
</refentry>