Idea: SSHFP Validator

The SSHFP resource record lets admins authenticate an SSH server before they expose their credentials to it, i.e. before a man-in-the-middle attack can succeed. This is only one great extension of DNSSEC (besides DANE, whose TLSA records can be used to authenticate HTTPS/SMTPS servers).

While there are some great online tools for checking plain DNS (1, 2), correct DNSSEC signing (3, 4), or the placement of TLSA resource records for DANE (5, 6, 7), I have not found an online SSHFP validator. That’s the idea:

[This blogpost is part of a series about DNSSEC. Refer to this structured list for all articles.]

Well, you already got it: We need a webpage that connects to an SSH server to retrieve its public key while it also looks up and verifies the SSHFP resource records via DNSSEC. A simple green checkmark should be displayed if the SSHFP matches the presented public key.

SSHFP Validator

Here are some ideas for displaying more details:

  • Of course, use IPv6 and legacy IP to connect to the server.
  • Display the public key for every supported algorithm (RSA, DSA, ECDSA, Ed25519), which requires connecting once per algorithm,
  • and the fingerprints for all of them in MD5-hex and SHA256-base64 (this is how OpenSSH displays fingerprints)
  • as well as SHA1-hex and SHA256-hex (this is how SSHFP RRs store them).
  • Verify that the DNSSEC signatures validate (AD flag set by the resolver).
  • [Optional] Display the latency and the traceroute path to the SSH server.

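To make the fingerprint side of that check concrete, here is an added example (not from the original post, and not an existing tool) that takes an OpenSSH public key line, computes the OpenSSH display fingerprints (MD5-hex, SHA256-base64) and the SSHFP record fingerprints (SHA1-hex, SHA256-hex), renders the records the way `ssh-keygen -r` would, and compares a presented key against SSHFP tuples the way the validator would. The key line is constructed for the example and is not a real host key; the SSH connection and the DNS lookup are left out, and the resolver's AD flag is represented only by the `dnssec_validated` parameter, so a real validator must obtain the records from a validating resolver.

```python
import base64
import hashlib
import struct

# SSHFP code points from RFC 4255 (RSA, DSA, SHA-1), RFC 6594 (ECDSA, SHA-256)
# and RFC 7479 (Ed25519), keyed by the OpenSSH key-type (wire) names.
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_FPTYPE = {1: "sha1", 2: "sha256"}


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string' (uint32 length prefix + payload)."""
    return struct.pack(">I", len(data)) + data


# Constructed sample: an ssh-ed25519 public key line in known_hosts format.
# The 32 point bytes are made up (0x00..0x1f); this is not a real host key.
_SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_KEY_LINE = "ssh-ed25519 " + base64.b64encode(_SAMPLE_BLOB).decode() + " sshfp-example"


def parse_public_key(line: str):
    """Split an OpenSSH public key line into (key type, raw key blob).

    The blob is the host key as the server sends it during key exchange; it is
    what both the OpenSSH fingerprints and the SSHFP records hash.
    """
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    key_type, blob = parts[0], base64.b64decode(parts[1], validate=True)
    # The blob begins with the key type as an SSH string; make sure the textual
    # type and the encoded type agree before trusting either of them.
    (length,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + length] != key_type.encode():
        raise ValueError("key type in line does not match key type in blob")
    if key_type not in SSHFP_ALGORITHM:
        raise ValueError(f"no SSHFP algorithm number for {key_type}")
    return key_type, blob


def openssh_fingerprints(blob: bytes) -> dict:
    """Fingerprints as ssh-keygen -l prints them: MD5 hex pairs, SHA256 base64 without padding."""
    md5_hex = hashlib.md5(blob).hexdigest()
    sha256_b64 = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {
        "MD5": "MD5:" + ":".join(md5_hex[i:i + 2] for i in range(0, 32, 2)),
        "SHA256": "SHA256:" + sha256_b64,
    }


def sshfp_records(key_type: str, blob: bytes) -> list:
    """The (algorithm, fptype, hex) tuples for the SHA-1 and SHA-256 SSHFP records."""
    alg = SSHFP_ALGORITHM[key_type]
    return [
        (alg, 1, hashlib.sha1(blob).hexdigest()),
        (alg, 2, hashlib.sha256(blob).hexdigest()),
    ]


def zone_lines(owner: str, key_type: str, blob: bytes) -> list:
    """Render the records as zone-file lines, e.g. 'host IN SSHFP 4 2 <hex>'."""
    return [f"{owner} IN SSHFP {a} {t} {h}" for a, t, h in sshfp_records(key_type, blob)]


def check_sshfp(key_line: str, dns_records, dnssec_validated: bool) -> dict:
    """Compare a presented host key against SSHFP records fetched from DNS.

    dns_records: iterable of (algorithm, fptype, hex fingerprint) tuples.
    dnssec_validated: whether the resolver set the AD flag on the answer.
    Verdicts: 'insecure' (no DNSSEC, so the records prove nothing), 'ok' (at
    least one record matches), 'mismatch' (records present, none matches).
    """
    key_type, blob = parse_public_key(key_line)
    expected = set(sshfp_records(key_type, blob))
    presented = {(int(a), int(t), h.lower()) for a, t, h in dns_records}
    matched = sorted(expected & presented)
    if not dnssec_validated:
        verdict = "insecure"
    elif matched:
        verdict = "ok"
    else:
        verdict = "mismatch"
    return {"verdict": verdict, "matched": matched, "key_type": key_type}


if __name__ == "__main__":
    kt, blob = parse_public_key(SAMPLE_KEY_LINE)
    print(openssh_fingerprints(blob))
    print("\n".join(zone_lines("sshfp-example", kt, blob)))
    print(check_sshfp(SAMPLE_KEY_LINE, sshfp_records(kt, blob), dnssec_validated=True))
```

The verdict deliberately distinguishes "insecure" from "mismatch": a matching fingerprint from an unvalidated answer is worth nothing, because an attacker who can spoof the SSH connection can usually spoof the DNS reply as well, which is exactly why the AD flag belongs on the checklist above.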
Since the domain was still available, I grabbed it immediately, because to my mind it makes a fitting domain for such an SSHFP validator. ;) And, of course, security must be considered when implementing this script: proper input sanitization must be used, etc.

Master Thesis

Anyone interested in implementing such an online tool? If you are a student searching for a thesis topic, please contact me.

Featured image “Lucky Nummer” by Daniele Civello is licensed under CC BY-NC 2.0.

2 thoughts on “Idea: SSHFP Validator”

    1. Yes and no, I am not so sure about that. Some genuine effort would have to be put into it. Depending on the existing level of knowledge about IP, DNS, DNSSEC and SSH, it could therefore take a while before the whole subject matter is even understood. ;)
      [This year I supervised two master’s theses in an international degree programme and was surprised how long the guys needed just to work their way into the basics. That is why I am a bit more pessimistic about it right now.]
      But yes, for someone who comes from this field it would probably be no problem to type it down…
