Deploy360 30 July 2012

How To Hack OpenSSH To Add DNSSEC Validation

By Dan YorkDirector, Internet Technology

OpenSSH logoWould you like to have SSH just automagically use DNSSEC to verify the authenticity of the SSH keys you are using to connect to another system?

Over on his blog, Jan-Piet Mens lays out the steps to add exactly this, demonstrating how to add ldns support into OpenSSH. Essentially all you need to do is recompile OpenSSH with the “--with-ldns” option.

To back up a moment and explain a bit more, RFC 4255 defines how to store SSH keys in DNS as SSHFP resource records. With DNSSEC signing all the resource records for a domain, you can now verify the authenticity of those SSH keys with the use of a DNSSEC-validating resolver. This provides a more secure alternative than requiring you to in theory confirm an RSA fingerprint when you are connecting to a server.

So for this all to work, you need to:

  1. Have SSH keys for the target machine stored in DNS as SSHFP resource records.
  2. Have the domain for the target machine signed with DNSSEC.
  3. Compile and install OpenSSH with the ldns option.
  4. Have access to a DNSSEC-validating DNS resolver. (Which could be accomplished by installing DNSSEC-Trigger, for instance, or using a DNSSEC-validating DNS resolver from your ISP if they offer one.)

Once you have done those steps, the beauty of the process is that you are no longer prompted with the message “The authenticity of host ‘____’ can’t be established” with the RSA key and the question about do you really want to connect.

Right now you have to recompile OpenSSH to add the ldns support, but hopefully as DNSSEC becomes increasingly deployed more widely this will just be one of the standard compilation options so that you’ll be able to just go to the command-line and type “ssh” and let it automatically do the DNSSEC validation.

Thanks, Jan-Piet, for writing up these steps!

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.

Related articles

Improving Technical Security 15 March 2019

DNS Privacy Frequently Asked Questions (FAQ)

We previously posted about how the DNS does not inherently employ any mechanisms to provide confidentiality for DNS transactions,...

Improving Technical Security 14 March 2019

Introduction to DNS Privacy

Almost every time we use an Internet application, it starts with a DNS (Domain Name System) transaction to map...

Improving Technical Security 13 March 2019

IPv6 Security for IPv4 Engineers

It is often argued that IPv4 practices should be forgotten when deploying IPv6, as after all IPv6 is a...