I have an entry from an OpenSSH known_hosts file; I'd like to generate an SSHFP resource record for this. I can use ssh-keygen to generate the fingerprint with no difficulty:
$ ssh-keygen -f foo_known_host -l
1040 09:a0:5c:5f:43:fb:e5:25:d8:0c:d8:dc:d7:7a:c4:62 foo.example.com. (RSA)
But it doesn't seem to like it for a DNS fingerprint record:
$ ssh-keygen -f foo_known_host -r foo
failed to read v2 public key from foo_known_host.
So how do I do this?
Note: If you came here via asking a search engine how to generate an SSHFP record from a remote host (not a local copy of the fingerprint as above), that's done via ssh-keyscan -D machine.name.
ssh-keygen(1) doesn't behave the same way as sshfp(1). You'll note from the man page that the syntax is:

So the file should be an input_keyfile rather than a known_hosts_file. If you don't specify then it will default to the server's local keys of /etc/ssh/ssh_host_rsa_key.pub and /etc/ssh/ssh_host_dsa_key.pub. You can either generate the record from each server that you wish to create SSHFP records for with ssh-keygen, or source sshfp and create them all from one known_hosts file.

This script is good:
http://brmlab.cz/kb/sshfp.sh
It needs to be run in /etc/ssh, or edit it to cd there before it does its stuff.
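As an added example (not the brmlab script above, and not code from OpenSSH or the sshfp tool), the following Python script does what the answers describe: it takes known_hosts lines as input and emits SSHFP records by hashing the base64-decoded public key blob, which is what RFC 4255 and RFC 6594 specify. It goes beyond the RSA case in the question by covering DSA, ECDSA and Ed25519 keys and both fingerprint types (1 = SHA-1, 2 = SHA-256), and it skips hashed (|1|...) hostnames, since the RR owner name cannot be recovered from them. The sample known_hosts lines are constructed from fake key material for illustration only; the function and constant names are this example's own.

```python
"""Generate SSHFP resource records from OpenSSH known_hosts entries.

Added example: a stand-in for the sshfp(1) tool. It hashes the raw
(base64-decoded) public key blob, as RFC 4255 / RFC 6594 require.
"""
import base64
import hashlib
import struct
import sys

# SSHFP algorithm numbers (RFC 4255, 6594, 7479).
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594).
SSHFP_FPTYPE = {1: hashlib.sha1, 2: hashlib.sha256}


def fingerprint(blob, fptype):
    """Hex fingerprint of a raw key blob for the given SSHFP fingerprint type."""
    return SSHFP_FPTYPE[fptype](blob).hexdigest()


def parse_known_hosts_line(line):
    """Return (hostnames, keytype, blob) for one known_hosts line.

    Drops an optional @cert-authority/@revoked marker. Returns None for
    blank lines, comments, hashed hostnames and unsupported key types.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if fields[0].startswith("@"):
        fields = fields[1:]
    if len(fields) < 3:
        return None
    hosts, keytype, b64 = fields[0], fields[1], fields[2]
    if hosts.startswith("|1|"):
        return None  # hashed hostname: the RR owner name is not recoverable
    if keytype not in SSHFP_ALGORITHM:
        return None
    blob = base64.b64decode(b64)
    # The wire-format blob begins with string(keytype); verify it matches the
    # key type field so a corrupted line is rejected rather than hashed.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key blob type does not match field %r" % keytype)
    return hosts.split(","), keytype, blob


def sshfp_records(line, fptypes=(1, 2)):
    """Return one SSHFP RR string per (host alias, fingerprint type)."""
    parsed = parse_known_hosts_line(line)
    if parsed is None:
        return []
    hosts, keytype, blob = parsed
    records = []
    for host in hosts:
        if host.startswith("[") and "]:" in host:  # "[host]:port" form
            host = host[1:host.index("]:")]
        for fptype in fptypes:
            records.append("%s. IN SSHFP %d %d %s" % (
                host, SSHFP_ALGORITHM[keytype], fptype, fingerprint(blob, fptype)))
    return records


def make_sample_blob(keytype, *fields):
    """Build an SSH wire-format blob: string(keytype) followed by string(field)...
    Used only to construct sample input; the key material is fake."""
    out = struct.pack(">I", len(keytype)) + keytype.encode()
    for f in fields:
        out += struct.pack(">I", len(f)) + f
    return out


# Constructed sample entries (not real keys): an Ed25519 host with an IP alias
# and an RSA host with e=65537 and a fake modulus.
SAMPLE_BLOB = make_sample_blob("ssh-ed25519", bytes(range(32)))
SAMPLE_B64 = base64.b64encode(SAMPLE_BLOB).decode()
SAMPLE_LINE = "foo.example.com,192.0.2.10 ssh-ed25519 " + SAMPLE_B64
SAMPLE_RSA_BLOB = make_sample_blob("ssh-rsa", b"\x01\x00\x01", b"\x7f" + bytes(range(255)))
SAMPLE_RSA_LINE = "bar.example.com ssh-rsa " + base64.b64encode(SAMPLE_RSA_BLOB).decode()


if __name__ == "__main__":
    # Usage: python sshfp_from_known_hosts.py [known_hosts]; prints the samples otherwise.
    lines = open(sys.argv[1]) if len(sys.argv) > 1 else [SAMPLE_LINE, SAMPLE_RSA_LINE]
    for entry in lines:
        for rr in sshfp_records(entry):
            print(rr)
```

Running it against a real known_hosts file prints the SHA-1 and SHA-256 records side by side; publish the SHA-256 ones, keep the SHA-1 ones only for clients that still need type 1, and remember that an SSHFP record is only worth trusting when the zone is DNSSEC-signed and the client is configured with VerifyHostKeyDNS.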
try -r $HOSTNAME as first argument: