What is the SSHFP record?
A Secure Shell Fingerprint (SSHFP) record is a DNS resource record that publishes the fingerprints of the SSH host keys belonging to a host or domain name. SSH itself provides remote login and other network services over an untrusted channel. When an SSH client does not yet know a server’s public key, it can use the SSHFP record to verify the key it is offered. The key is then stored locally and used to validate future connections.
Importance of SSHFP record
If you use SSH, you’re probably aware of the SSH server key distribution issue: the first time you access a server, the client asks you to verify the fingerprint of the server’s public key. Unfortunately, most users accept without checking anything further, and this leaves you open to a man-in-the-middle (MITM) attack. To rule out this possibility, you could check the fingerprint presented at the moment of connection against the public key installed on the server in question.
So, SSHFP is a security standard that relies on DNSSEC and provides a fundamental, workable solution. It gives a means of storing the fingerprint in the Domain Name System (signed with DNSSEC) and making it available to clients.
What does it contain?
The three parts of an SSHFP record are as follows:
- Algorithm – the number identifying the algorithm that was used to produce the server’s public key.
- Fingerprint Type – the message digest algorithm used to generate the fingerprint.
- Fingerprint – the fingerprint of the server’s public key.
What is the structure of the SSHFP record?
It is really simple and looks as follows:
- TYPE: SSHFP record
- HOST: example.com
- Record Class: IN (there are three main classes: IN (Internet), CH (Chaosnet) and HS (Hesiod))
- Algorithm: 2 (an integer value from 0 to 4: 0 – Reserved, 1 – RSA, 2 – DSA, 3 – ECDSA, 4 – Ed25519)
- TTL: 1h
- Fingerprint Type: 1 (an integer value from 0 to 2: 0 – Reserved, 1 – SHA-1 and 2 – SHA-256)
- Points to: 859745561bafedc85697423584123faebdc98751
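As an added example (not code from the original article), the following Python derives an SSHFP record from an OpenSSH public key line using the algorithm and fingerprint-type numbers above, and performs the client-side comparison of an offered host key against a published record; the sample key is constructed, not a real host key, and the function names are my own.

```python
import base64
import hashlib
import hmac
import struct

# SSHFP algorithm numbers keyed by OpenSSH key type (1 RSA, 2 DSA, 3 ECDSA, 4 Ed25519).
KEY_ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                  "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
# SSHFP fingerprint types: 1 = SHA-1 (legacy records), 2 = SHA-256.
FINGERPRINT_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}


def sshfp_from_pubkey(host, pubkey_line, fp_type=2):
    """Build an SSHFP record from an OpenSSH public key line ('ssh-ed25519 AAAA... comment')."""
    key_type, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)  # the wire-format key blob is what gets hashed
    fingerprint = FINGERPRINT_HASHES[fp_type](blob).hexdigest()
    return f"{host}. IN SSHFP {KEY_ALGORITHMS[key_type]} {fp_type} {fingerprint}"


def parse_sshfp(record):
    """Split 'host. IN SSHFP <alg> <fptype> <hex>' into its fields."""
    f = record.split()
    return {"host": f[0].rstrip("."), "algorithm": int(f[3]),
            "fp_type": int(f[4]), "fingerprint": f[5].lower()}


def host_key_matches(record, pubkey_line):
    """Client-side check: does the offered host key match the published SSHFP record?"""
    rec = parse_sshfp(record)
    key_type, b64 = pubkey_line.split()[:2]
    hasher = FINGERPRINT_HASHES.get(rec["fp_type"])
    if hasher is None or KEY_ALGORITHMS.get(key_type) != rec["algorithm"]:
        return False  # unknown/reserved type or algorithm mismatch: never accept
    digest = hasher(base64.b64decode(b64)).hexdigest()
    return hmac.compare_digest(digest, rec["fingerprint"])


def sample_pubkey_line(raw_key):
    """Constructed Ed25519 public key line (not a real key): blob = string(type) || string(key)."""
    ssh_string = lambda b: struct.pack(">I", len(b)) + b
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw_key)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " host@example.com"


if __name__ == "__main__":
    key_line = sample_pubkey_line(bytes(range(32)))
    record = sshfp_from_pubkey("example.com", key_line)
    print(record)
    print("matches:", host_key_matches(record, key_line))
```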
Let’s review. The purpose of the SSHFP record is simple: it is a safeguard against people simply typing ‘yes’ when asked whether they want to connect to an SSH host whose identity they cannot verify. Sounds very useful, doesn’t it? So it’s worth giving it a try and implementing it in your Domain Name System.