Ssh – Generating SSHFP record from OpenSSH known_hosts file entry

known-hostsssh

I have an entry from an OpenSSH known_hosts file; I'd like to generate an SSHFP resource record for this. I can use ssh-keygen to generate the fingerprint with no difficulty:

$ ssh-keygen -f foo_known_host -l
1040 09:a0:5c:5f:43:fb:e5:25:d8:0c:d8:dc:d7:7a:c4:62 foo.example.com. (RSA)

But it doesn't seem to like it for a DNS fingerprint record:

$  ssh-keygen -f foo_known_host -r foo
failed to read v2 public key from foo_known_host.

So how do I do this?

Note: If you came here via asking a search engine how to generate an SSHFP record from a remote host (not a local copy of the fingerprint as above), that's done via ssh-keyscan -D machine.name –.

Best Answer

ssh-keygen(1) doesn't behave the same way as sshfp(1).

You'll note from the man page that the syntax is:

ssh-keygen -r hostname [-f input_keyfile] [-g]

So the file should be an input_keyfile rather than a known_hosts_file. If you don't specify then it will default to the server's local keys of /etc/ssh/ssh_host_rsa_key.pub and /etc/ssh/ssh_host_dsa_key.pub.

You can either generate the record from each server that you wish to create SSHFP records for with ssh-keygen. Or source sshfp and create them all from one known_hosts file.

Related Solutions

SSH: Possible to forward password authentication to command executed on remote machine

It would be simpler to use ssh-copy-id locally or just use cat to copy the public key to the local authorized_keys. Heres how I did it.

From local, ssh to remote and use `ssh-keygen`` as in your step #1
From local, scp the public key from remote to local file tmp.pub
On local, ``cat tmp.pub >> /home/jimmy/.ssh/authorized_keys

If you append your own public key to the remote user's authorized_keys in step #1, then you can do step #2 without re-entering a password.

Your ssh command ssh-copy-id is executed in a sub-shell on the remote without a tty, so you see the output echoed back to your local, but your local input doesn't get to the remote sub-shell. On my machine (Debian Wheezy) I did:

yba@tavas:~$ ssh localhost ssh localhost
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
Enter passphrase for key '/home/yba/.ssh/id_rsa': 
Pseudo-terminal will not be allocated because stdin is not a terminal.
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
Permission denied, please try again.
Permission denied, please try again.
Permission denied (publickey,password).
yba@tavas:~$

Note the reason that is printed, "Pseudo-terminal will not be allocated because stdin is not a terminal", The result is the same a if you pressed the enter key twice on the remote with no password.

Ssh – generate ssh host keys for clients on puppetmaster

Try to add /usr/bin/env as the first parameter of the generate function:
if generate('/usr/bin/env','/etc/puppet/modules/ssh/scripts/generate_host_keys.sh', $keys_dir) {
Verify that your script returns 0 on exit, non-zero return code will make the parser throw an Error 400

Best Answer

Related Solutions

SSH: Possible to forward password authentication to command executed on remote machine

Ssh – generate ssh host keys for clients on puppetmaster

Related Topic