I have two machines running OpenBSD v6.9. Let's be original and call them client and server.
I generated the SSHFP records on the server with :
ssh-keygen -r host.domain.tld
In the DNS zone, I added the SSHFP record with this line :
host IN SSHFP 1 2 02323a6fb8a12eba9288930ce2513fc94970e5575996ebede1ee352bd039c531
host IN SSHFP 4 2 3eef5929fe85038b2e2a7de70897175e7b0d68328b41ef6466a2fa06f9a8bb49
sshd is configured to use only Ed25519 host key but I also keep RSA host key in case on futur need.
The DNS zone is signed with DNSSEC and everything is validated by "https://dnsviz.net/" and "https://dnssec-debugger.verisignlabs.com/".
On the client, there is an Unbound resolver with DNSSEC validator :
dig host.domain.tld -t SSHFP
; <<>> dig 9.10.8-P1 <<>> host.domain.tld -t SSHFP
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9525
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;host.domain.tld. IN SSHFP
;; ANSWER SECTION:
host.domain.tld. 3600 IN SSHFP 4 2 3eef5929fe85038b2e2a7de70897175e7b0d68328b41ef6466a2fa06 f9a8bb49
host.domain.tld. 3600 IN SSHFP 1 2 02323a6fb8a12eba9288930ce2513fc94970e5575996ebede1ee352b d039c531
;; Query time: 182 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon May 17 17:15:46 CEST 2021
;; MSG SIZE rcvd: 137
It is not mentioned above but if I add +dnssec to the query, the RRSIG SSHFP is displayed.
And the SSH client config file :
Host host.domain.tld
AddressFamily inet
HostName host.domain.tld
Port 22
Protocol 2
User username
CheckHostIP yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
VerifyHostKeyDNS yes
IdentityFile ~/.ssh/id_ed25519_host.domain.tld
But, when I try to connect from the client to the server, it seems that SSHFP does not work :
ssh host.domain.tld
The authenticity of host 'host.domain.tld (server_ip_address)' can't be established.
ED25519 key fingerprint is SHA256:Pu9ZKf6FA4suKn3nCJcXXnsNaDKLQe9kZqL6Bvmou0k.
Matching host key fingerprint found in DNS.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])?
According to Internet guides, I should not be asked to accept the key.
So, to summarize :
- SSHFP record generated on the server,
- SSHFP record added to the DNS zone,
- DNS zone signed with DNSSEC,
- client able to query SSHFP records and validate DNSSEC,
- SSH config file with the option "VerifyHostKeyDNS",
- and it is not working.
Here is the detail of the connexion :
ssh -v host.domain.tld
OpenSSH_8.6, LibreSSL 3.3.2
debug1: Reading configuration data /home/username/.ssh/config
debug1: /home/username/.ssh/config line 2: Applying options for host.domain.tld
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to host.domain.tld [server_ip_address] port 22.
debug1: Connection established.
debug1: identity file /home/username/.ssh/id_ed25519_host.domain.tld type 3
debug1: identity file /home/username/.ssh/id_ed25519_host.domain.tld-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.6
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.6
debug1: compat_banner: match: OpenSSH_8.6 pat OpenSSH* compat 0x04000000
debug1: Authenticating to host.domain.tld:22 as 'username'
debug1: load_hostkeys: fopen /home/username/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: [email protected]
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:Pu9ZKf6FA4suKn3nCJcXXnsNaDKLQe9kZqL6Bvmou0k
debug1: found 2 insecure fingerprints in DNS
debug1: matching host key fingerprint found in DNS
debug1: load_hostkeys: fopen /home/username/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /home/username/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: hostkeys_find_by_key_hostfile: hostkeys file /home/username/.ssh/known_hosts2 does not exist
debug1: hostkeys_find_by_key_hostfile: hostkeys file /etc/ssh/ssh_known_hosts does not exist
debug1: hostkeys_find_by_key_hostfile: hostkeys file /etc/ssh/ssh_known_hosts2 does not exist
The authenticity of host 'host.domain.tld (server_ip_address)' can't be established.
ED25519 key fingerprint is SHA256:Pu9ZKf6FA4suKn3nCJcXXnsNaDKLQe9kZqL6Bvmou0k.
Matching host key fingerprint found in DNS.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])?
Do you have any idea of the problem ?
Thanks in advance.