Hardening SSH - SSHFP records

18 Nov 2022

The secure shell protocol is used to connect to servers. Often connections are established from admin sites without checking if the server is really the host it pretends to be. Let's change that.

When connecting to a freshly set up server, you may come across this warning:

The authenticity of host 'host.example.org (192.168.1.1)' can't be established.
RSA key fingerprint is SHA256:iasJakkkanykksj+99a9jaAacma0dxXDMA0amsp3AGF.
Are you sure you want to continue connecting (yes/no)?

This warning tells you that the authenticity of the host has not been established. The machine where the connection originates currently has no way to determine that this is really the server you want to connect to. Think of it like the certificate warning your browser shows when you visit a website. A common approach is to compare the fingerprints over an already trusted connection to the server. A more anarchic approach is to ignore the warning and just proceed.

A neat way to be able to verify the authenticity comfortably, at any time and from anywhere, is to set up SSHFP records in a registered domain you own. The measures and preconditions needed to set up SSHFP records are simple:

  1. Own a domain name
  2. Enable DNSSEC
  3. Assign the server a hostname in that domain
  4. Obtain the SSHFP hash from the server
  5. Add the SSHFP record to your domain
  6. Check the connection

While the first three steps should be basic stuff, I'll start with #4. To obtain the hash, run the following command on your server: ssh-keygen -r <hostname>. It prints a few entries. The structure, with all algorithms, is defined in RFC 4255, RFC 6594, RFC 7479 and RFC 8709.

For example: if you want to use an Ed25519 key with a SHA-256 hash, you need the entry <FQDN> IN SSHFP 4 2 <hash>. This can then be added to your domain configuration (leaving out the IN SSHFP part, depending on the user interface of your domain provider).

The last step is to verify your setup. Connect using ssh with the verbose flag active. The output then contains the needed information:

...
debug1: Server host key: ssh-ed25519 SHA256:mKaj82Q/A5Ka8BmllABq+nFIo0Ad67+GE3cojkjGjVp4
debug1: found 1 secure fingerprints in DNS
debug1: verify_host_key_dns: matched SSHFP type 4 fptype 2
debug1: matching host key fingerprint found in DNS
...
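
What steps 4 and 6 compare, as an added example that is not part of the original post: the SSHFP fingerprint is the SHA-256 digest of the raw host key blob, written as hex in DNS and as unpadded base64 in the SHA256: form that ssh prints. The function names and the sample key are assumptions constructed for illustration.

```python
import base64
import hashlib

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479).
ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
              "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
              "ssh-ed25519": 4}
FP_SHA256 = 2  # SSHFP fingerprint type 2 is SHA-256

# Constructed sample: 32 placeholder bytes wrapped as an Ed25519 key blob.
_blob = ((11).to_bytes(4, "big") + b"ssh-ed25519"
         + (32).to_bytes(4, "big") + bytes(range(32)))
SAMPLE_KEY = "ssh-ed25519 " + base64.b64encode(_blob).decode() + " constructed"

def key_blob(pubkey_line):
    """Return (key type, raw blob) from a '<type> <base64> [comment]' line.

    The blob begins with a length-prefixed copy of the key type, which is
    checked against the first field of the line."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    blob = base64.b64decode(fields[1], validate=True)
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n] != fields[0].encode():
        raise ValueError("key type does not match key blob")
    return fields[0], blob

def sshfp_record(fqdn, pubkey_line):
    """Build the SHA-256 SSHFP record for one host public key."""
    ktype, blob = key_blob(pubkey_line)
    if ktype not in ALGORITHMS:
        raise ValueError("no SSHFP algorithm number for " + ktype)
    digest = hashlib.sha256(blob).hexdigest()
    return f"{fqdn} IN SSHFP {ALGORITHMS[ktype]} {FP_SHA256} {digest}"

def fingerprint_to_hex(fingerprint):
    """Convert the 'SHA256:<base64>' form ssh prints into SSHFP hex."""
    label, _, b64 = fingerprint.partition(":")
    if label != "SHA256":
        raise ValueError("expected a SHA256: fingerprint")
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4), validate=True)
    if len(raw) != 32:
        raise ValueError("not a SHA-256 digest")
    return raw.hex()

def record_matches(record, algorithm, fingerprint):
    """True if an SSHFP record carries the fingerprint ssh displayed."""
    fields = record.split()
    return (fields[-4:-1] == ["SSHFP", str(algorithm), str(FP_SHA256)]
            and fields[-1].lower() == fingerprint_to_hex(fingerprint))
```

The ssh client only consults SSHFP records when its VerifyHostKeyDNS option is set to yes or ask (the default is no), for example ssh -o VerifyHostKeyDNS=yes -v <hostname>. It reports the fingerprints as secure only when the resolver has validated the answer with DNSSEC.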