SSHFP
   HOME

TheInfoList



Click Here for Items Related To - SSHFP
OR:
SSHFP on:   [Wikipedia]   [Google]   [Amazon]

A Secure Shell fingerprint record (abbreviated as SSHFP record) is a type of
resource record The Domain Name System (DNS) is a hierarchical and distributed name service that provides a naming system for computers, services, and other resources on the Internet or other Internet Protocol (IP) networks. It associates various informatio ...
in the
Domain Name System The Domain Name System (DNS) is a hierarchical and distributed name service that provides a naming system for computers, services, and other resources on the Internet or other Internet Protocol (IP) networks. It associates various information ...
(DNS) which identifies
SSH The Secure Shell Protocol (SSH Protocol) is a cryptographic network protocol for operating network services securely over an unsecured network. Its most notable applications are remote login and command-line execution. SSH was designed for Un ...
keys that are associated with a host name. The acquisition of an SSHFP record needs to be secured with a mechanism such as
DNSSEC The Domain Name System Security Extensions (DNSSEC) is a suite of extension specifications by the Internet Engineering Task Force (IETF) for securing data exchanged in the Domain Name System ( DNS) in Internet Protocol ( IP) networks. The protoco ...
for a chain of trust to be established.


Structure

; : The name of the object to which the resource record belongs (optional) ; : Time to live (in seconds). Validity of Resource Records (optional) ; : Protocol group to which the resource record belongs (optional) ; : Algorithm (0: reserved, 1: RSA, 2: DSA, 3:
ECDSA In cryptography, the Elliptic Curve Digital Signature Algorithm (ECDSA) offers a variant of the Digital Signature Algorithm (DSA) which uses elliptic-curve cryptography. Key and signature sizes As with elliptic-curve cryptography in general, the ...
, 4:
Ed25519 In public-key cryptography, Edwards-curve Digital Signature Algorithm (EdDSA) is a digital signature scheme using a variant of Schnorr signature based on twisted Edwards curves. It is designed to be faster than existing digital signature scheme ...
, 6: Ed448) ; : Algorithm used to
hash Hash, hashes, hash mark, or hashing may refer to: Substances * Hash (food), a coarse mixture of ingredients, often based on minced meat * Hash (stew), a pork and onion-based gravy found in South Carolina * Hash, a nickname for hashish, a canna ...
the public key (0: reserved, 1:
SHA-1 In cryptography, SHA-1 (Secure Hash Algorithm 1) is a hash function which takes an input and produces a 160-bit (20-byte) hash value known as a message digest – typically rendered as 40 hexadecimal digits. It was designed by the United States ...
, 2:
SHA-256 SHA-2 (Secure Hash Algorithm 2) is a set of cryptographic hash functions designed by the United States National Security Agency (NSA) and first published in 2001. They are built using the Merkle–Damgård construction, from a one-way compressi ...
) ; :
Hexadecimal Hexadecimal (also known as base-16 or simply hex) is a Numeral system#Positional systems in detail, positional numeral system that represents numbers using a radix (base) of sixteen. Unlike the decimal system representing numbers using ten symbo ...
representation of the hash result, as text


Example

In this example, the host with the domain name host.
example.com The domain names example.com, example.net, example.org, and example.edu are second-level domain names in the Domain Name System of the Internet. They are reserved by the Internet Assigned Numbers Authority (IANA) at the direction of the Inter ...
 uses a
Ed25519 In public-key cryptography, Edwards-curve Digital Signature Algorithm (EdDSA) is a digital signature scheme using a variant of Schnorr signature based on twisted Edwards curves. It is designed to be faster than existing digital signature scheme ...
key with the
SHA-256 SHA-2 (Secure Hash Algorithm 2) is a set of cryptographic hash functions designed by the United States National Security Agency (NSA) and first published in 2001. They are built using the Merkle–Damgård construction, from a one-way compressi ...
fingerprint 123456789abcdef67890123456789abcdef67890. This output would be produced by a ssh-keygen -r host.example.com. command on the target server by reading the existing default SSH host key (Ed25519). In newer releases of the OpenSSH suite, ssh-keyscan -D $HOSTNAME can be used to produce a similar result, by connecting to the host over the network.


See also

*
List of DNS record types This list of DNS record types is an overview of resource records (RRs) permissible in zone files of the Domain Name System The Domain Name System (DNS) is a hierarchical and distributed name service that provides a naming system for compu ...


References

{{cite web , url=https://tools.ietf.org/html/rfc8709 , title=RFC 8709 — Ed25519 and Ed448 Public Key Algorithms for the Secure Shell (SSH) Protocol , date=February 2020 , access-date=2021-10-16 , last1=Harris , first1=Ben , last2=Velvindron , first2=Loganaden Internet Standards Internet protocols DNS record types Key management Secure Shell