What is SSHFP? Why do I care?
script
I found a script somebody else had already cobbled together and made some small changes to it. I gave it getopts, a test option, and some filtering of records I don't want to see, such as the SHA-1 ones. The script looks like this:
#!/bin/sh
# Print SSHFP zone-file records for a host's SSH host keys (SHA-256 fingerprints only).
# Usage: sshfp.sh -h <host> [-t]

set -e
PATH="/bin:/usr/bin:/usr/local/bin:/opt/homebrew/bin"

while getopts "h:t" COMMAND_LINE_ARGUMENT ; do
	case "${COMMAND_LINE_ARGUMENT}" in
		h) host=${OPTARG}
			;;
		t) test_mode="YES"
			;;
		\?) echo "-h <host> is required, -t is optional"
			exit 1
			;;
	esac
done

if [ -z "${host}" ]; then
	echo "-h <host> is required, -t is optional" >&2
	exit 1
fi

cmd_pfx=""
if [ "${test_mode}" = "YES" ]; then
	echo "Test Mode"
	cmd_pfx="echo Would issue"
fi

# GNU sed is required (the \t in the replacement below); on macOS it is installed as gsed.
SED="$(command -v gsed || command -v sed)"

# mktemp needs the trailing Xs to build a unique name, and the trap has to
# remove both files, also when set -e aborts the script part way through.
TMPFILE1="$(mktemp /var/tmp/sshfp_1.XXXXXX)"
TMPFILE2="$(mktemp /var/tmp/sshfp_2.XXXXXX)"
trap 'rm -f "${TMPFILE1}" "${TMPFILE2}"' INT TERM EXIT

for proto in rsa dsa ecdsa ed25519; do
	# ssh-keyscan prints "host keytype base64". It exits non-zero for key types this
	# OpenSSH no longer supports (DSA was removed in 10.0), so do not let set -e kill the loop.
	${cmd_pfx} ssh-keyscan -t "$proto" "$host" > "${TMPFILE1}" 2>/dev/null || true
	[ ! -s "${TMPFILE1}" ] && continue
	# Drop the leading host name so the file is a plain public key file for ssh-keygen.
	${cmd_pfx} "${SED}" -E 's/^[^ ]+ //' "${TMPFILE1}" > "${TMPFILE2}"
	${cmd_pfx} mv "${TMPFILE2}" "${TMPFILE1}"
	# ssh-keygen -r prints "host IN SSHFP <algorithm> <fptype> <hex>", one SHA-1 (fptype 1)
	# and one SHA-256 (fptype 2) line per key.
	${cmd_pfx} ssh-keygen -r "$host" -f "${TMPFILE1}" > "${TMPFILE2}"
	${cmd_pfx} mv "${TMPFILE2}" "${TMPFILE1}"
	# Keep only the SHA-256 records and turn each into a zone-file line without the
	# owner name, so it continues the owner of the preceding record in the zone.
	${cmd_pfx} "${SED}" -En 's/^[^ ]+ IN SSHFP ([1-4] 2 [0-9a-f]+)$/\t\tIN\tSSHFP\t\1/p' "${TMPFILE1}"
done
# vim: set ts=4 sw=4 tw=80 noet :
What can I do with this script? If I feed it a host name, it gives me the SSHFP records for that host's keys as zone-file lines. Each record is '<algorithm> <fptype> <hex>': algorithm 1 is RSA, 2 DSA, 3 ECDSA, 4 Ed25519; fptype 1 is SHA-1 and 2 is SHA-256, and the script only keeps fptype 2. Why do I want SSHFP records? SSHFP records can be put in DNS. When a user first makes an SSH connection to a host, SSH can be configured ('-o VerifyHostKeyDNS=yes', or the same option in ssh_config) to look up SSHFP records for the host. If one matches the key the server presents and the DNS answer was DNSSEC-validated (the resolver set the AD bit), ssh does not prompt the user whether to connect; it just does. If the record matches but the answer was not validated, ssh still prompts, adding 'Matching host key fingerprint found in DNS.' to the question, so an unsigned zone only gives the user a hint, not a verified key. Note that ssh is trusting whichever resolver sets the AD bit; the bit itself is not authenticated, so the validating resolver should be on localhost or reached over a path you trust. To check a record before relying on it, 'dig +dnssec SSHFP <host>' should return it with the 'ad' flag in the header, and 'ssh -v -o VerifyHostKeyDNS=yes <host>' logs whether it found secure or insecure fingerprints in DNS.
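To make concrete what the script's output means and what the client does with it, here is an added example in Python; it is not the script from this post and not OpenSSH code. It computes the same SSHFP records from an ssh-keyscan line (the fingerprint is the SHA-256, or SHA-1 for fptype 1, of the base64-decoded key blob, which is what ssh-keygen -r hashes) and then models the VerifyHostKeyDNS decision described above: a matching record that arrives DNSSEC-validated is trusted outright, a match without validation only annotates the prompt, and a mismatch produces the changed-key warning. The host name bastion.example.net and the key blob are constructed for the example; the blob has the right wire shape but is not a real key.

```python
"""Compute SSHFP records from ssh-keyscan output and model the OpenSSH client's
VerifyHostKeyDNS decision.  Added example for this post, not the post's script
and not OpenSSH code.  The sample key below is constructed, not a real key."""
import base64
import hashlib
from dataclasses import dataclass

# Code points from RFC 4255 (algorithms 1-2, fptype 1), RFC 6594 (algorithm 3,
# fptype 2) and RFC 7479 (algorithm 4).
SSHFP_ALGORITHM = {
    "ssh-rsa": 1, "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3, "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
DIGEST_FOR_FPTYPE = {1: hashlib.sha1, 2: hashlib.sha256}


@dataclass(frozen=True)
class Sshfp:
    algorithm: int
    fptype: int
    fingerprint: str  # lowercase hex, as ssh-keygen -r prints it

    @classmethod
    def parse(cls, rdata):
        """Parse the RDATA text of an SSHFP RR, e.g. "4 2 <hex>" (dig prints the hex upper-case)."""
        alg, fptype, fp = rdata.split()
        return cls(int(alg), int(fptype), fp.lower())

    def rdata(self):
        return f"{self.algorithm} {self.fptype} {self.fingerprint}"


def sshfp_from_keyscan(line, fptype=2):
    """Build the SSHFP record for one 'host keytype base64' line from ssh-keyscan.
    The fingerprint is the digest of the decoded key blob (the SSH wire encoding of
    the public key), which is what ssh-keygen -r computes."""
    _host, keytype, blob = line.split()[:3]
    raw = base64.b64decode(blob)
    return Sshfp(SSHFP_ALGORITHM[keytype], fptype, DIGEST_FOR_FPTYPE[fptype](raw).hexdigest())


def zone_fragment(keyscan_lines, fptypes=(2,)):
    """Zone-file lines in the shape the post's script prints: owner name omitted, so
    they continue the previous record's owner.  Only the listed fptypes are emitted;
    the default drops SHA-1 as the script does."""
    out = []
    for line in keyscan_lines:
        for fptype in fptypes:
            out.append("\t\tIN\tSSHFP\t" + sshfp_from_keyscan(line, fptype).rdata())
    return out


def verify_host_key_dns(keyscan_line, dns_rdatas, ad_bit, option="yes"):
    """Model of what ssh does with SSHFP answers when VerifyHostKeyDNS is 'yes' or 'ask'.
    dns_rdatas: SSHFP RDATA strings returned for the host; ad_bit: whether the resolver
    flagged the answer as DNSSEC-validated.  Returns 'trust' (connect, no prompt),
    'ask' (ordinary prompt), 'ask-matching-dns' (prompt that notes the DNS match) or
    'warn' (records exist but none match: changed-key warning, then the prompt)."""
    records = [Sshfp.parse(r) for r in dns_rdatas]
    # Records with an unknown algorithm or digest type are skipped, as ssh skips them.
    usable = [r for r in records
              if r.fptype in DIGEST_FOR_FPTYPE and r.algorithm in SSHFP_ALGORITHM.values()]
    if not usable:
        return "ask"
    if not any(sshfp_from_keyscan(keyscan_line, r.fptype) == r for r in usable):
        return "warn"
    if option == "yes" and ad_bit:
        return "trust"
    return "ask-matching-dns"


# Constructed sample: an ed25519 key blob in OpenSSH wire format (length-prefixed
# "ssh-ed25519", then a length-prefixed 32-byte "key" of 0x00..0x1f). Not a real key.
_BLOB = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(range(32))
KEYSCAN_LINE = "bastion.example.net ssh-ed25519 " + base64.b64encode(_BLOB).decode()

if __name__ == "__main__":
    for zone_line in zone_fragment([KEYSCAN_LINE]):
        print(zone_line)
    published = sshfp_from_keyscan(KEYSCAN_LINE).rdata()
    print("signed zone, matching record: ", verify_host_key_dns(KEYSCAN_LINE, [published], ad_bit=True))
    print("unsigned zone, matching record:", verify_host_key_dns(KEYSCAN_LINE, [published], ad_bit=False))
    print("stale record after key change: ", verify_host_key_dns(KEYSCAN_LINE, ["4 2 " + "0" * 64], ad_bit=True))
```

The sha1 path is kept because a client will still match a published SHA-1 record; dropping fptype 1 from the zone, as the script does, is what keeps the weaker digest out of the decision.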