1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162
|
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
"http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">
<!-- lifted from troff+man by doclifter -->
<refentry id='sshfp1'>
<refentryinfo><date>April 12, 2011</date></refentryinfo>
<refmeta>
<refentrytitle>sshfp</refentrytitle>
<manvolnum>1</manvolnum>
<refmiscinfo class='date'>April 12, 2011</refmiscinfo>
<refmiscinfo class='source'>Paul Wouters</refmiscinfo>
<refmiscinfo class='manual'>Internet / DNS</refmiscinfo>
</refmeta>
<refnamediv id='name'>
<refname>sshfp</refname>
<refpurpose>Generate SSHFP DNS records from knownhosts files or ssh-keyscan</refpurpose>
</refnamediv>
<!-- body begins here -->
<refsect1 id='syntax'><title>SYNTAX</title>
<para>sshfp [<option>-k</option> <<emphasis remap='I'>knownhosts_file</emphasis>>] [<option>-d</option>] [<option>-a</option>] | [<<emphasis remap='I'>host1</emphasis>> [<emphasis remap='I'>host2 ...]</emphasis>]
<!-- .br -->
sshfp <option>-s</option> [<option>-p</option> <<emphasis remap='I'>port</emphasis>>] [<option>-d</option>] <<option>-a</option>> [<option>-n <nameserver</option>><emphasis remap='P->I'>] <domain1</emphasis>> [<emphasis remap='I'>domain2</emphasis>] | <<emphasis remap='I'>host1</emphasis>> [<emphasis remap='I'>host2 ...</emphasis>] ></para>
</refsect1>
<refsect1 id='description'><title>DESCRIPTION</title>
<para>sshfp generates RFC4255 SSHFP DNS records based on the public keys
stored in a known_hosts file, which implies the user has
previously trusted this key, or public keys can be obtained
by using ssh-keyscan (1). Using ssh-keyscan (1) implies a secure path to connect to the hosts being scanned.
It also implies a trust in the DNS to obtain the IP address of
the hostname to be scanned. If the nameserver of the domain allows zone tranfers (AXFR), an entire domain can be processed for all its A records.</para>
</refsect1>
<refsect1 id='options'><title>OPTIONS</title>
<variablelist remap='TP'>
<varlistentry>
<term><option>-s / --scan</option> <<emphasis remap='I'>hostname1</emphasis>> [hostname2 ...]</term>
<listitem>
<para>Scan hosts or domain for public SSH keys using ssh-keyscan</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-k / --knownhosts <</option><emphasis remap='I'>knownhosts_file</emphasis><emphasis remap='P->B'>> <</emphasis><emphasis remap='I'>hostname1</emphasis><emphasis remap='P->B'>> [hostname2 ...]</emphasis></term>
<listitem>
<para>Obtain public SSH keys from a known_hosts file. Defaults to using ~/.ssh/known_hosts</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-a / --all</option></term>
<listitem>
<para>Scan all hosts in the known_hosts file when used with -k. When used with -s, it will attempt an zone transfer (AXFR) to obtain all A records in the domain specified.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-d / --trailing-dot</option></term>
<listitem>
<para>Add a trailing dot to the hostname in the SSHFP records. It is not possible
to determine whether a known_hosts or dns query is for a FQDN (eg www.xelerance.com)
or not (eg www) or not (unless -d domainname -a is used, in which case a trailing dot
is always appended). Non-FQDN get their domainname appended through /etc/resolv.conf
These non-FQDN will happen when using a non-FQDN (eg sshfp -k www)
or known_hosts entries obtained by running ssh www.sub where .domain.com is implied.
When -d is used, all hostnames not ending with a dot, that at least contain two parts
in their hostname (eg www.sub but not www get a trailing dot. Note that the output of
sshfp can also just be manually editted for trailing dots.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-o / --output</option> <<emphasis remap='I'>filename</emphasis>></term>
<listitem>
<para>Write to filename instead of stdout</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-p / --port</option> <<emphasis remap='I'>portnumber</emphasis>></term>
<listitem>
<para>Use portnumber for scanning. Note that portnumbers do NOT appear in SSHFP records.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-h / --help</option></term>
<listitem>
<para>Output help information and exit.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-v / --version</option></term>
<listitem>
<para>Output version information and exit.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-q / --quiet</option></term>
<listitem>
<para>Output less miscellany to stderr</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1 id='files'><title>FILES</title>
<para><filename>~/.ssh/known_hosts</filename></para>
</refsect1>
<refsect1 id='requirements'><title>REQUIREMENTS</title>
<para>sshfp requires python-dns (<ulink url='http://www.pythondns.org'>http://www.pythondns.org</ulink>)</para>
<para>Fedora: yum install python-dns</para>
<para>Debian: apt-get install python-dnspython</para>
</refsect1>
<refsect1 id='bugs'><title>BUGS</title>
<para>if a domain contains non-working glue A records, then ssh-keyscan aborts instead of skipping the single broken entry.</para>
<para>This program can look up hashed hostnames in a known_hosts file if a recent-enough ssh-keygen is present</para>
</refsect1>
<refsect1 id='examples'><title>EXAMPLES</title>
<para>typical usage:</para>
<para>sshfp (implies -k -a)</para>
<para>sshfp -a -d (implies -k)</para>
<para>sshfp -k bofh.xelerance.com (from known_hosts)</para>
<para>sshfp -s bofh.xelerance.com (from a scan to the host)</para>
<para>sshfp -k ~paul/.ssh/known_hosts bofh.xelerance.com www.openswan.org -o /tmp/mysshfp.txt</para>
<para>sshfp -a -d -d xelerance.com -n ns0.xelerance.net >> /var/named/primary/xelerance.com</para>
</refsect1>
<refsect1 id='see_also'><title>SEE ALSO</title>
<para><citerefentry><refentrytitle>ssh-keyscan</refentrytitle><manvolnum>1</manvolnum></citerefentry> <citerefentry><refentrytitle>ssh</refentrytitle><manvolnum>1</manvolnum></citerefentry> and RFC-4255</para>
<para><ulink url='http://www.xelerance.com/software/sshfp/'>http://www.xelerance.com/software/sshfp/</ulink></para>
<para><ulink url='http://lists.xelerance.com/mailman/listinfo/sshfp/'>http://lists.xelerance.com/mailman/listinfo/sshfp/</ulink></para>
</refsect1>
<refsect1 id='authors'><title>AUTHORS</title>
<para>Paul Wouters <paul@xelerance.com>, Jacob Appelbaum <jacob@appelbaum.net>, James Brown <jbrown@yelp.com></para>
</refsect1>
<refsect1 id='copyright'><title>COPYRIGHT</title>
<para>Copyright 2006-2010 Xelerance Corporation</para>
<para>This program is free software; you can redistribute it and/or modify it
under the terms of the GNU General Public License as published by the
Free Software Foundation; either version 2 of the License, or (at your
option) any later version. See <<ulink url='http://www.fsf.org/copyleft/gpl.txt'>http://www.fsf.org/copyleft/gpl.txt</ulink>>.</para>
<para>This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
Public License (file COPYING in the distribution) for more details.</para>
</refsect1>
</refentry>
|