SSHFP & ssh-keygen

I have been using ssh-keygen to generate ssh fingerprints (SSHFP) for my hosts to add to my dns zone.

There is a small gotcha to using ssh-keygen in this case. You cannot use it to generate the resource records for a remote server. When you think about it using ssh-keygen -r to generate fingerprints (for verification purposes) of an unverified remote host wouldn’t make much sense anyway.

A man ssh-keygen tell us this about the -r switch:

ssh-keygen -r hostname [-f input_keyfile] [-g]

and

     -r hostname
Print the SSHFP fingerprint resource record named hostname for the specified public key file.

This should have been a strong hint but I didn’t catch on.

The ssh-keygen command generates the same fingerprints regardless of the  “hostname”:

$ ssh-keygen -r test
test IN SSHFP 1 1 583446340113eb90e560f891fd3c428dabb48b26
test IN SSHFP 1 2 89d361388f53ba8273022619a1177e8213d355df4f2217337bb1b06c6b40c35a
test IN SSHFP 2 1 bdb5b4f7abb327ab232493de3876e33aa57c5cfe
test IN SSHFP 2 2 1442336c0ff86106257ecb941a9acd8292d274836bbc107a1f5b35b042802c45
$ ssh-keygen -r foobar
foobar IN SSHFP 1 1 583446340113eb90e560f891fd3c428dabb48b26
foobar IN SSHFP 1 2 89d361388f53ba8273022619a1177e8213d355df4f2217337bb1b06c6b40c35a
foobar IN SSHFP 2 1 bdb5b4f7abb327ab232493de3876e33aa57c5cfe
foobar IN SSHFP 2 2 1442336c0ff86106257ecb941a9acd8292d274836bbc107a1f5b35b042802c45

If you do not point ssh-keygen towards a specific key it will fallback to the default location for the system you are running the command on. The “hostname” is just to tell ssh-keygen what to specify as a hostname in the generated result, it does not connect you to the remote host to get the fingerprints.

However if you have the remote host’s public keys somewhere accessible you can point ssh-keygen towards it and generate the fingerprints:

ssh-keygen -r hostname -f /path/to/publickey

More general information about SSHFP can be found in RFC4255.