1

I have an Debian Jessie Server and I would like to verify the SSH HostKey about the DNS SSHFP record. I only provide the ed25519 and rsa algorithm to connect to the server. I have masquerade the server FQDN to kronos.example.local.

I used this commands to generate the fingerprint for the ed25519 algorithm

root@kronos:~# ssh-keygen -r kronos.example.local -f /etc/ssh/ssh_host_ed25519_key
kronos.example.local IN SSHFP 4 1 f6291b4afb2b18cb3042e9dc01bd15efca7f5d5e
kronos.example.local IN SSHFP 4 2 7b2e9286d0969618ccb88d954587ac82f2ad471c34d07d25d91f9905b86f152d

and this one for rsa

root@kronos:~# ssh-keygen -r kronos.example.local -f /etc/ssh/ssh_host_rsa_key
kronos.example.local IN SSHFP 1 1 365f966468f59ed889fb9d94c25f8f6cb858aa7a
kronos.example.local IN SSHFP 1 2 162f0117baae8380427698ba8800bdef36e150e6014f220b568d85445832d050

I used dig to check the records on my client machine.

volker@vm23 ~ $ dig SSHFP kronos.example.local
;; ANSWER SECTION:
kronos.example.local.   600 IN  SSHFP   1 2 162F0117BAAE8380427698BA8800BDEF36E150E6014F220B568D8544 5832D050
kronos.example.local.   600 IN  SSHFP   4 2 7B2E9286D0969618CCB88D954587AC82F2AD471C34D07D25D91F9905 B86F152D
kronos.example.local.   600 IN  SSHFP   4 1 F6291B4AFB2B18CB3042E9DC01BD15EFCA7F5D5E
kronos.example.local.   600 IN  SSHFP   1 1 365F966468F59ED889FB9D94C25F8F6CB858AA7A

The SSHFP Record is correct and I add the settings StrictHostKeyChecking and VerifyHostKeyDNS in my ssh config to verify the ssh fingerprint about the SSHFP record. 

Host                    kronos
Hostname                kronos.example.local
Port                    30
User                    root
Compression             yes        
IdentityFile            ~/.ssh/ssh.key      
PasswordAuthentication  no
PubkeyAuthentication    yes
RSAAuthentication       no
StrictHostKeyChecking   yes
VerifyHostKeyDNS        yes

Now, when I want to connect to the Server I get an error, that my ssh-client can't establish an connection because the fingerprint is wrong?

volker@vm23 ~ $ ssh kronos
No ED25519 host key is known for [kronos.example.local]:30 and you have requested strict checking.
Host key verification failed.

Why I get this error, I don't know what I make wrong.

EDIT:

When I flush the known_hosts file and connect again, I get this message with the provided fingerprint.

The authenticity of host '[kronos.example.local]:30 ([192.168.2.100]:30)' can't be established.
ED25519 key fingerprint is SHA256:ey6ShtCWlhjMuI2VRYesgvKtRxw00H0l2R+ZBbhvFS0.
Mikael Dúi Bolinder
  • 326
  • 2
  • 3
  • 17
Volker Raschek
  • 307
  • 1
  • 5
  • 13
  • Are the records already in the DNS? Can you verify that using `dig`? – Jakuje May 05 '17 at 16:07
  • Yes, the records are in the DNS. I used first my local DNS Server and second explicit the DNS from the example.local zone. (dig kronos.example.local SSHFP @ns1.example.local) – Volker Raschek May 05 '17 at 16:22
  • 3
    `StrictHostKeyChecking yes` prevents openssh from automatically adding new HostKeys to the `known_hosts` file. You will need to add it to `known_hosts` manually or set `StrictHostKeyChecking no` for your first connection. You will then be asked if you want to add it. Afterwards you can set it back to `StrictHostKeyChecking yes`. – lsmooth May 05 '17 at 16:30
  • Thanks Ismooth, it's works fine. At the first connection I get now this message `Matching host key fingerprint found in DNS.` when I have `StrictHostKeyChecking no`. When I change it to `yes` I can connect with verifying the fingerprint. Thanks! – Volker Raschek May 05 '17 at 19:22
  • @lsmooth Please provide that in answer format so that the Q&A can be closed and credit properly attributed. Thanks! – Andrew B Sep 19 '17 at 21:19
  • @AndrewB sorry missed this – lsmooth Oct 10 '18 at 19:45

1 Answers1

1

StrictHostKeyChecking yes prevents openssh from automatically adding new HostKeys to the known_hosts file. You will need to add it to known_hosts manually or set StrictHostKeyChecking no for your first connection. You will then be asked if you want to add it. Afterwards you can set it back to StrictHostKeyChecking yes.

lsmooth
  • 1,521
  • 1
  • 9
  • 17