Deploy360 Domain Name System Security Extensions (DNSSEC)

How To Hack OpenSSH To Add DNSSEC Validation

Would you like to have SSH just automagically use DNSSEC to verify the authenticity of the SSH keys you are using to connect to another system?

Over on his blog, Jan-Piet Mens lays out the steps to add exactly this, demonstrating how to add ldns support into OpenSSH. Essentially all you need to do is recompile OpenSSH with the “--with-ldns” option.

To back up a moment and explain a bit more, RFC 4255 defines how to store SSH host keys in DNS as SSHFP resource records. With DNSSEC signing all the resource records for a domain, you can now verify the authenticity of those SSH keys through a DNSSEC-validating resolver. This is a more secure alternative to the current practice, where you are in theory supposed to confirm the RSA key fingerprint yourself each time you connect to a new server.

So for this all to work, you need to:

  1. Have SSH keys for the target machine stored in DNS as SSHFP resource records.
  2. Have the domain for the target machine signed with DNSSEC.
  3. Compile and install OpenSSH with the ldns option.
  4. Have access to a DNSSEC-validating DNS resolver. (Which could be accomplished by installing DNSSEC-Trigger, for instance, or using a DNSSEC-validating DNS resolver from your ISP if they offer one.)

Once you have done those steps, the beauty of the process is that you are no longer prompted with the message “The authenticity of host ‘____’ can’t be established”, the RSA key fingerprint, and the question of whether you really want to connect.
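As an added example (not code from Jan-Piet's post or from OpenSSH itself), the Python below builds the SSHFP records from step 1 for an OpenSSH public-key line, the same way `ssh-keygen -r` does, and shows the trust decision an ldns-enabled client makes in step 4: a DNS fingerprint only counts if the answer was DNSSEC-validated and it matches the key the server actually presented. The host name, key bytes and DNS records are constructed sample values.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, 6594 and 7479) keyed by OpenSSH key type.
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594).
FP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


def sshfp_records(pubkey_line, fp_types=(2,)):
    """Return (algorithm, fptype, hex fingerprint) tuples for one OpenSSH
    public-key line "<type> <base64 blob> [comment]". The fingerprint is the
    hash of the decoded SSH wire-format key blob, as ssh-keygen -r publishes."""
    key_type, b64 = pubkey_line.split()[:2]
    if key_type not in SSHFP_ALGORITHM:
        raise ValueError("unsupported key type: " + key_type)
    blob = base64.b64decode(b64)
    return [(SSHFP_ALGORITHM[key_type], t, FP_HASH[t](blob).hexdigest())
            for t in fp_types]


def host_key_matches_dns(pubkey_line, dns_rrset, authenticated):
    """Trust decision for a presented host key: the SSHFP answer must carry the
    resolver's AD flag (DNSSEC-validated) and one record must match the key.
    Unsigned answers are ignored because they could be forged on the path."""
    if not authenticated:
        return False
    local = {(a, t, fp) for a, t, fp in sshfp_records(pubkey_line, (1, 2))}
    return any((a, t, fp.lower()) in local for a, t, fp in dns_rrset)


def constructed_ed25519_pubkey_line():
    """Constructed sample key, NOT a real host key: 32 fixed bytes wrapped in
    the SSH wire format string(key type) || string(raw public key)."""
    raw = bytes(range(32))
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " host.example"


if __name__ == "__main__":
    line = constructed_ed25519_pubkey_line()
    for alg, fptype, fp in sshfp_records(line, (1, 2)):
        print("host.example. IN SSHFP %d %d %s" % (alg, fptype, fp))
```

With OpenSSH built this way, the check is switched on by the VerifyHostKeyDNS option in ssh_config.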

Right now you have to recompile OpenSSH to add the ldns support, but hopefully, as DNSSEC is deployed more widely, this will become one of the standard compilation options, so that you can just go to the command line, type “ssh”, and let it do the DNSSEC validation automatically.

Thanks, Jan-Piet, for writing up these steps!