sshfp - Generate SSHFP DNS records from knownhosts files or ssh-keyscan
sshfp [ -k
> [host2 ...]
] sshfp -s
> [ host2 ...
sshfp generates RFC4255 SSHFP DNS records based on the public keys stored in a
known_hosts file, which implies the user has previously trusted this key, or
public keys can be obtained by using ssh-keyscan (1). Using ssh-keyscan (1)
implies a secure path to connect to the hosts being scanned. It also implies a
trust in the DNS to obtain the IP address of the hostname to be scanned. If
the nameserver of the domain allows zone tranfers (AXFR), an entire domain can
be processed for all its A records.
-s / --scan
> [hostname2 ...]
Scan hosts or domain for public SSH keys using
-k / --knownhosts <knownhosts_file>
<hostname1 > [hostname2 ...]
Obtain public SSH keys from a known_hosts file. Defaults
to using ~/.ssh/known_hosts
-a / --all
Scan all hosts in the known_hosts file when used with -k.
When used with -s, it will attempt an zone transfer (AXFR) to obtain all A
records in the domain specified.
-d / --trailing-dot
Add a trailing dot to the hostname in the SSHFP records.
It is not possible to determine whether a known_hosts or dns query is for a
FQDN (eg www.xelerance.com) or not (eg www) or not (unless -d domainname -a is
used, in which case a trailing dot is always appended). Non-FQDN get their
domainname appended through /etc/resolv.conf These non-FQDN will happen when
using a non-FQDN (eg sshfp -k www) or known_hosts entries obtained by running
ssh www.sub where .domain.com is implied. When -d is used, all hostnames not
ending with a dot, that at least contain two parts in their hostname (eg
www.sub but not www get a trailing dot. Note that the output of sshfp can also
just be manually editted for trailing dots.
-o / --output
Write to filename instead of stdout
-p / --port
Use portnumber for scanning. Note that portnumbers do NOT
appear in SSHFP records.
-h / --help
Output help information and exit.
-v / --version
Output version information and exit.
-q / --quiet
Output less miscellany to stderr
sshfp requires python-dns ( http://www.pythondns.org
Fedora: yum install python-dns
Debian: apt-get install python-dnspython
if a domain contains non-working glue A records, then ssh-keyscan aborts instead
of skipping the single broken entry.
This program can look up hashed hostnames in a known_hosts file if a
recent-enough ssh-keygen is present
sshfp (implies -k -a)
sshfp -a -d (implies -k)
sshfp -k bofh.xelerance.com (from known_hosts)
sshfp -s bofh.xelerance.com (from a scan to the host)
sshfp -k ~paul/.ssh/known_hosts bofh.xelerance.com www.openswan.org -o
sshfp -a -d -d xelerance.com -n ns0.xelerance.net >>
(1) and RFC-4255
Paul Wouters <email@example.com>, Jacob Appelbaum
<firstname.lastname@example.org>, James Brown <email@example.com>
Copyright 2006-2010 Xelerance Corporation
This program is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free Software
Foundation; either version 2 of the License, or (at your option) any later
version. See < http://www.fsf.org/copyleft/gpl.txt
This program is distributed in the hope that it will be useful, but WITHOUT ANY
WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
A PARTICULAR PURPOSE. See the GNU General Public License (file COPYING in the
distribution) for more details.