The SSHFP resource record lets admins authenticate an SSH server's host key before they expose their credentials to it, i.e. before a man-in-the-middle attack can succeed. This is only one great extension of DNSSEC (besides DANE, whose TLSA records can be used to authenticate HTTPS/SMTPS servers).
While there are some great online tools for checking plain DNS (1, 2), correct DNSSEC signing (3, 4), or the placement of TLSA resource records for DANE (5, 6, 7), I have not found an online SSHFP validator. So here is the idea:
(This blog post is part of a series about DNSSEC. Refer to this structured list for all articles.)
Well, you already got it: we need a webpage that connects to an SSH server to retrieve its public host key while it looks up and verifies the SSHFP resource records via DNSSEC. A simple green checkmark should be displayed if the SSHFP fingerprint matches the presented public key.
Here are some ideas for displaying more details:
- Of course, connect to the server via both IPv6 and legacy IP.
- Display the public key for every algorithm in use (RSA, DSA, ECDSA, Ed25519), which requires connecting once per host key algorithm,
- and the fingerprints for each of them in MD5-hex and SHA256-base64 (this is how OpenSSH displays fingerprints)
- as well as SHA1-hex and SHA256-hex (this is how they appear in SSHFP RRs).
- Verify the DNSSEC signature (AD flag).
- [Optional] Display the latency and the traceroute path to the SSH server.
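The core comparison such a tool has to perform, as an added Python example (not code from this post): parse an OpenSSH public key line, derive the OpenSSH-style fingerprints (MD5 hex, SHA256 base64) and the SSHFP-style ones (SHA1 hex, SHA256 hex), and check them against SSHFP rdata. It assumes the SSHFP records were already fetched through a DNSSEC-validating resolver (AD flag checked); the host key and record below are constructed, not real.

```python
import base64
import hashlib
import struct

# SSHFP algorithm and fingerprint-type numbers (RFC 4255, RFC 6594, RFC 7479).
SSHFP_ALGO = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
              "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
SSHFP_FPTYPE = {1: hashlib.sha1, 2: hashlib.sha256}

def parse_pubkey(line):
    """Split an OpenSSH public key line into (key type, raw key blob)."""
    keytype, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    # The blob starts with a length-prefixed copy of the key type; sanity-check it.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode() != keytype:
        raise ValueError("key type inside blob does not match the line")
    return keytype, blob

def openssh_fingerprints(blob):
    """Fingerprints as OpenSSH prints them: MD5 hex pairs and SHA256 base64."""
    md5 = hashlib.md5(blob).hexdigest()
    sha256 = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return "MD5:" + ":".join(md5[i:i + 2] for i in range(0, 32, 2)), "SHA256:" + sha256

def sshfp_rdata(keytype, blob):
    """The SSHFP records (algorithm, fptype, hex fingerprint) this key should publish."""
    algo = SSHFP_ALGO[keytype]
    return [(algo, fpt, h(blob).hexdigest()) for fpt, h in SSHFP_FPTYPE.items()]

def verify_sshfp(keytype, blob, records):
    """True if at least one DNS SSHFP record matches the presented host key."""
    algo = SSHFP_ALGO[keytype]
    for r_algo, r_fpt, r_fp in records:
        if r_algo != algo or r_fpt not in SSHFP_FPTYPE:
            continue  # other key type, or a fingerprint type we cannot compute
        # Zone files may print the hex in upper case or split by spaces.
        if SSHFP_FPTYPE[r_fpt](blob).hexdigest() == r_fp.lower().replace(" ", ""):
            return True
    return False

# Constructed sample: an Ed25519 host key whose 32 key bytes are made up.
_blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(range(32))
SAMPLE_KEY_LINE = "ssh-ed25519 " + base64.b64encode(_blob).decode() + " host.example"
# The SSHFP record such a host would publish (4 = Ed25519, 2 = SHA-256), constructed.
SAMPLE_RECORDS = [(4, 2, hashlib.sha256(_blob).hexdigest())]
```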
Since the domain sshfp.net was free, I grabbed it immediately, because to my mind it is a fitting domain for such an SSHFP validator. ;) And, of course, security must be considered when implementing this script: proper input sanitization must be used, etc.
Anyone interested in implementing such an online tool? If you are a student searching for a thesis topic, please contact me.