Rookie mistake from messing with this too late at night. Apparently it only works with fully qualified domain names (therefore working more like dig than host):

$ ssh -o VerifyHostKeyDNS=yes user@host
The authenticity of host 'host (192.168.1.52)' can't be established.
RSA key fingerprint is 6d:fd:09:59:e2:32:b8:3f:4e:ff:51:1f:58:5a:14:3a.
No matching host key fingerprint found in DNS.

$ ssh -o VerifyHostKeyDNS=yes u...@host.example.com
The authenticity of host 'host.example.com (192.168.1.52)' can't be established.
RSA key fingerprint is 6d:fd:09:59:e2:32:b8:3f:4e:ff:51:1f:58:5a:14:3a.
Matching host key fingerprint found in DNS.

Not sure how I'm going to work around this. I may just dispense with sshfp records for the time being, unless something jumps out at me.

--b

On Tue, Jan 22, 2013 at 1:20 PM, Bob Proulx <b...@proulx.com> wrote:
> Brad Alexander wrote:
>> Has anyone worked with sshfp records for openssh?
>
> No. But I do have a suggestion.
>
>> I generated sshfp records:
>>
>> <host> IN SSHFP 1 1 5490056a2208c8ad2cf869f5c06470450c8a017a
>> <host> IN SSHFP 2 1 18aef47bc01264709f25ac9daebed236b45b6b45
>>
>> but when I ssh into the host (after deleting the records from
>> .ssh/known_hosts), I get:
>>
>> $ ssh -o VerifyHostKeyDNS=yes <user>@<host>
>> The authenticity of host 'janeway (192.168.224.52)' can't be established.
>> RSA key fingerprint is 6d:fd:09:59:e2:32:b8:3f:4e:ff:51:1f:58:5a:14:3a.
>> No matching host key fingerprint found in DNS.
>> Are you sure you want to continue connecting (yes/no)?
>>
>> Anyone got any idea why the key fingerprints aren't matching up?
>
> Add more verbosity to the command. For example I see:
>
> $ ssh -v -o VerifyHostKeyDNS=yes example.com
> debug1: Server host key: RSA 1e:c8:2d:20:c7:dc:9b:10:1d:5b:85:bd:4c:95:9a:43
> DNS lookup error: name does not exist
> The authenticity of host 'example.com (192.0.43.10)' can't be established.
>
> That "DNS lookup error: name does not exist" tells me that I do not
> have sshfp records.
>
> Perhaps with more verbosity (adding -v) you will have a similarly
> informative message?
>
> Bob
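
An added example, not part of the thread: a Python sketch of how an SSHFP record is derived from a host public key and checked against zone data. It also shows that the colon-separated MD5 fingerprint ssh prints above is a different hash from the SHA-1 hex in a type 1 SSHFP record, so the two cannot be compared by eye. The key is constructed filler, the function names are hypothetical, and matching on the exact owner name is a simplification that mirrors the short-name versus FQDN result reported in the post.

```python
import base64, hashlib, struct

ALGS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3, "ssh-ed25519": 4}
HASHES = {1: hashlib.sha1, 2: hashlib.sha256}  # SSHFP fingerprint types

def ssh_string(b):
    """Length-prefixed field as used in the SSH public key wire format."""
    return struct.pack(">I", len(b)) + b

# Constructed sample key: valid wire layout, but the modulus is filler bytes.
SAMPLE_BLOB = (ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01")
               + ssh_string(b"\x00" + b"\xc3" * 256))
SAMPLE_PUBKEY = "ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode() + " root@host"

def parse_pubkey(line):
    """Split an OpenSSH public key line; check the blob names the same type."""
    keytype, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode() != keytype:
        raise ValueError("key type does not match blob")
    return keytype, blob

def sshfp_records(owner, line):
    """SSHFP records for the key: hash of the raw key blob, hex encoded."""
    keytype, blob = parse_pubkey(line)
    return [f"{owner} IN SSHFP {ALGS[keytype]} {t} {h(blob).hexdigest()}"
            for t, h in sorted(HASHES.items())]

def md5_fingerprint(line):
    """Colon-separated MD5 fingerprint, the form ssh prints in the post."""
    digest = hashlib.md5(parse_pubkey(line)[1]).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def dns_match(name, line, zone):
    """True if a zone record owned by exactly `name` matches the offered key."""
    keytype, blob = parse_pubkey(line)
    for rr in zone:
        owner, _, rrtype, alg, fpt, hexfp = rr.split()
        if rrtype != "SSHFP" or owner.rstrip(".").lower() != name.rstrip(".").lower():
            continue  # record belongs to a different name (assumed exact match)
        if int(alg) == ALGS[keytype] and HASHES[int(fpt)](blob).hexdigest() == hexfp.lower():
            return True
    return False

if __name__ == "__main__":
    zone = sshfp_records("host.example.com.", SAMPLE_PUBKEY)
    print("\n".join(zone))
    print("MD5 as shown by ssh:", md5_fingerprint(SAMPLE_PUBKEY))
    print(dns_match("host", SAMPLE_PUBKEY, zone),
          dns_match("host.example.com", SAMPLE_PUBKEY, zone))
```

On a real host, `ssh-keygen -r <name>` prints the records for the installed host keys, which can be compared with what the zone actually serves.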