I have a Debian Jessie server and I would like to verify the SSH host key against the DNS SSHFP record. I only offer the ed25519 and rsa algorithms for connecting to the server. I have masqueraded the server FQDN as kronos.example.local.
I used this command to generate the fingerprint for the ed25519 algorithm:
root@kronos:~# ssh-keygen -r kronos.example.local -f /etc/ssh/ssh_host_ed25519_key
kronos.example.local IN SSHFP 4 1 f6291b4afb2b18cb3042e9dc01bd15efca7f5d5e
kronos.example.local IN SSHFP 4 2 7b2e9286d0969618ccb88d954587ac82f2ad471c34d07d25d91f9905b86f152d
and this one for rsa:
root@kronos:~# ssh-keygen -r kronos.example.local -f /etc/ssh/ssh_host_rsa_key
kronos.example.local IN SSHFP 1 1 365f966468f59ed889fb9d94c25f8f6cb858aa7a
kronos.example.local IN SSHFP 1 2 162f0117baae8380427698ba8800bdef36e150e6014f220b568d85445832d050
I used dig to check the records on my client machine:
volker@vm23 ~ $ dig SSHFP kronos.example.local
;; ANSWER SECTION:
kronos.example.local. 600 IN SSHFP 1 2 162F0117BAAE8380427698BA8800BDEF36E150E6014F220B568D8544 5832D050
kronos.example.local. 600 IN SSHFP 4 2 7B2E9286D0969618CCB88D954587AC82F2AD471C34D07D25D91F9905 B86F152D
kronos.example.local. 600 IN SSHFP 4 1 F6291B4AFB2B18CB3042E9DC01BD15EFCA7F5D5E
kronos.example.local. 600 IN SSHFP 1 1 365F966468F59ED889FB9D94C25F8F6CB858AA7A
The SSHFP records are correct, and I added the settings StrictHostKeyChecking and VerifyHostKeyDNS to my ssh config to verify the ssh fingerprint against the SSHFP record:
Host kronos
Hostname kronos.example.local
Port 30
User root
Compression yes
IdentityFile ~/.ssh/ssh.key
PasswordAuthentication no
PubkeyAuthentication yes
RSAAuthentication no
StrictHostKeyChecking yes
VerifyHostKeyDNS yes
Now, when I want to connect to the server, I get an error that my ssh client can't establish a connection, because the fingerprint is wrong?
volker@vm23 ~ $ ssh kronos
No ED25519 host key is known for [kronos.example.local]:30 and you have requested strict checking.
Host key verification failed.
Why do I get this error? I don't know what I am doing wrong.
EDIT:
When I flush the known_hosts file and connect again, I get this message with the provided fingerprint:
The authenticity of host '[kronos.example.local]:30 ([192.168.2.100]:30)' can't be established.
ED25519 key fingerprint is SHA256:ey6ShtCWlhjMuI2VRYesgvKtRxw00H0l2R+ZBbhvFS0.
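Added example (not from the post and not OpenSSH's own code): a small Python script that recomputes what `ssh-keygen -r` prints from a public key line, parses the `dig` answer (including the space-split digests dig emits), reports which fingerprint types DNS actually matches, and converts the type-2 digest into the `SHA256:` form the client prints in its "authenticity of host" prompt. It also builds the `[host]:port` known_hosts entry that a manual add needs for a non-standard port. The ed25519 public key it uses is constructed in the code and is not a real host key; all function names are the example's own.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479) keyed by OpenSSH key type.
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256. Both hash the raw key blob.
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


def sshfp_records(name, pubkey_line):
    """Compute the SSHFP RRs that `ssh-keygen -r name -f key` prints for one
    OpenSSH public key line, as (name, algorithm, fptype, lowercase hex) tuples."""
    keytype, b64blob = pubkey_line.split()[:2]
    blob = base64.b64decode(b64blob)          # wire-format key; this is what gets hashed
    alg = SSHFP_ALGORITHM[keytype]
    return [(name, alg, fptype, h(blob).hexdigest()) for fptype, h in SSHFP_HASH.items()]


def sshfp_to_openssh_fingerprint(hex_sha256):
    """Render the hex digest of an SSHFP type-2 record the way the ssh client
    prints it in its prompt: base64 of the same 32 bytes, '=' padding stripped."""
    digest = bytes.fromhex(hex_sha256.replace(" ", ""))
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_sshfp_lines(lines):
    """Parse SSHFP records from either `dig` answer lines or `ssh-keygen -r`
    output. dig splits long digests into space-separated chunks, so every field
    after the fptype is re-joined; hex is lower-cased so both sources compare."""
    records = []
    for line in lines:
        fields = line.split()
        if "SSHFP" not in fields:
            continue
        i = fields.index("SSHFP")
        name = fields[0].rstrip(".")
        alg, fptype = int(fields[i + 1]), int(fields[i + 2])
        digest = "".join(fields[i + 3:]).lower()
        records.append((name, alg, fptype, digest))
    return records


def matching_fptypes(name, pubkey_line, dig_lines):
    """Fingerprint types (1 and/or 2) for which DNS publishes exactly the record
    this key produces. An empty list means DNS does not vouch for the key."""
    published = set(parse_sshfp_lines(dig_lines))
    return sorted(r[2] for r in sshfp_records(name, pubkey_line) if r in published)


def known_hosts_line(host, port, pubkey_line):
    """The known_hosts entry for a host on a non-standard port; ssh stores and
    looks these up as [host]:port, the form seen in the client's error message."""
    keytype, b64blob = pubkey_line.split()[:2]
    return "[%s]:%d %s %s" % (host, port, keytype, b64blob)


def make_ed25519_pubkey_line(raw32):
    """Build an 'ssh-ed25519 <base64>' line from 32 raw key bytes. The blob is
    two length-prefixed strings: the key type and the key itself."""
    def ssh_string(b):
        return struct.pack(">I", len(b)) + b
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


# Constructed for the example, not a real host key: 32 deterministic bytes.
DEMO_PUBKEY = make_ed25519_pubkey_line(bytes(range(32)))
# The SSHFP 4 2 digest from the post's dig output, with the space dig printed.
POST_SSHFP_4_2 = "7B2E9286D0969618CCB88D954587AC82F2AD471C34D07D25D91F9905 B86F152D"

if __name__ == "__main__":
    for name, alg, fptype, digest in sshfp_records("kronos.example.local", DEMO_PUBKEY):
        print("%s IN SSHFP %d %d %s" % (name, alg, fptype, digest))
    print(sshfp_to_openssh_fingerprint(POST_SSHFP_4_2))
    print(known_hosts_line("kronos.example.local", 30, DEMO_PUBKEY))
```

Run against the values in the post, `sshfp_to_openssh_fingerprint` turns the `4 2` digest returned by dig into exactly the `SHA256:ey6ShtCWlhjMuI2VRYesgvKtRxw00H0l2R+ZBbhvFS0` string the client showed in its prompt: they are the same SHA-256 of the key blob, once in hex and once in base64, so the prompt can be checked against DNS by eye. One caveat when relying on VerifyHostKeyDNS: the client only treats a DNS match as sufficient on its own when the resolver marks the answer as DNSSEC-validated (the `ad` flag in dig's flags line); an unvalidated match is reported as "Matching host key fingerprint found in DNS." but the client still falls back to asking, so with StrictHostKeyChecking yes it will refuse an unknown key either way.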
StrictHostKeyChecking yes prevents openssh from automatically adding new HostKeys to the known_hosts file. You will need to add it to known_hosts manually or set StrictHostKeyChecking no for your first connection. You will then be asked if you want to add it. Afterwards you can set it back to StrictHostKeyChecking yes.

I get "Matching host key fingerprint found in DNS." when I have StrictHostKeyChecking no. When I change it to yes, I can connect with the fingerprint verified. Thanks!