DNS SSHFP (SSH Fingerprint) records, defined in RFC 4255, are DNS resource records that publish a fingerprint of an SSH server's host public key. A client that looks the record up can compare it against the key the server presents and so confirm it is talking to the legitimate server rather than an impostor.
An SSHFP record does not carry the key itself, only a cryptographic hash of it, together with two numbers that say which key algorithm (for example RSA or Ed25519) and which hash function (SHA-1 or SHA-256) the fingerprint refers to. Because the hash is specific to one key, matching it identifies the server's host key during the SSH handshake.
For example, when you connect to 'ssh.example.com', the SSHFP records for that name hold the fingerprints of its host keys, typically one record per host key and hash type. If the key the server offers matches one of them, it is the server you expected, which adds a layer of trust to your SSH sessions that would otherwise rest on manually checking the fingerprint or on a stale known_hosts entry.
When you initiate an SSH connection, your client can query DNS for the SSHFP records of the server's host name. It then hashes the public key the server presents and compares the result with the fingerprint in the matching record (same key algorithm, same hash type).
If the fingerprints match, the client can trust the server's identity. If they don't match, the client warns you or refuses the connection, since a mismatch can indicate a man-in-the-middle attack. Two caveats matter in practice. First, OpenSSH only performs this check when VerifyHostKeyDNS is set to yes or ask in ssh_config; the default is no. Second, the client only trusts a match silently when the resolver reports the DNS answer as DNSSEC-validated; an unsigned answer is treated as informational and you are still asked to confirm the key. Without DNSSEC an attacker who can spoof DNS could publish their own fingerprint, so SSHFP records should be deployed in a signed zone.
Setting up SSHFP records means generating the fingerprints of your server's host public keys with ssh-keygen. Running ssh-keygen -r ssh.example.com on the server reads the host keys in /etc/ssh (or a single key given with -f) and prints the SSHFP records for them, one SHA-1 record and one SHA-256 record per key. You then add these records to your zone, in a format like ssh.example.com. IN SSHFP 1 1 abcdef1234567890abcdef1234567890abcdef12, where the first number is the key algorithm (1 for RSA, 2 for DSA, 3 for ECDSA, 4 for Ed25519) and the second is the fingerprint type (1 for SHA-1, 2 for SHA-256). Publish the SHA-256 records as well, since SHA-1 is no longer considered collision resistant, and remember to update the records whenever the host keys are rotated, or clients will see a mismatch. Once the zone is signed and the records are in place, clients with VerifyHostKeyDNS enabled can verify your server's identity automatically.
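To make both halves of the procedure concrete, the following script, added here as an illustration and not part of the original page or of OpenSSH, generates the SSHFP records for an OpenSSH public key line (the server-side step) and performs the client-side comparison of a presented key against a record. The fingerprint is the hash of the raw key blob, i.e. the base64-decoded second field of the key line, which is exactly what ssh-keygen -r hashes. The sample Ed25519 key it uses is constructed from fixed bytes and is not a real host key; the host name ssh.example.com is taken from the text.

```python
"""Generate and verify DNS SSHFP records from OpenSSH public key lines.

Added example (not from the original page). The fingerprint in an SSHFP
record is a SHA-1 or SHA-256 hash over the raw public key blob, which is
the base64-decoded part of an OpenSSH public key line.
"""
import base64
import hashlib
import struct

# SSHFP algorithm numbers (IANA "DNS SSHFP Resource Record Parameters").
KEY_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
    "ssh-ed448": 6,
}

# SSHFP fingerprint types and the hashlib names they map to.
FP_TYPES = {1: "sha1", 2: "sha256"}


def fingerprint(key_blob: bytes, fp_type: int) -> str:
    """Hex fingerprint of a raw public key blob for the given SSHFP type."""
    if fp_type not in FP_TYPES:
        raise ValueError(f"unsupported SSHFP fingerprint type {fp_type}")
    return hashlib.new(FP_TYPES[fp_type], key_blob).hexdigest()


def parse_pubkey_line(line: str):
    """Split an OpenSSH public key line into (key type, raw key blob)."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("malformed OpenSSH public key line")
    key_type, blob = fields[0], base64.b64decode(fields[1])
    # The blob begins with a length-prefixed copy of the key type; reject
    # lines whose declared type does not match the encoded one.
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != key_type.encode():
        raise ValueError("key type in blob does not match the declared type")
    return key_type, blob


def sshfp_records(hostname: str, pubkey_line: str) -> list:
    """Server side: the SHA-1 and SHA-256 SSHFP records for one host key."""
    key_type, blob = parse_pubkey_line(pubkey_line)
    alg = KEY_ALGORITHMS[key_type]
    return [
        f"{hostname}. IN SSHFP {alg} {fp_type} {fingerprint(blob, fp_type)}"
        for fp_type in sorted(FP_TYPES)
    ]


def parse_sshfp_record(record: str):
    """Parse 'name. [TTL] IN SSHFP alg fptype hex' into (alg, fptype, hex)."""
    fields = record.split()
    # The last four fields are fixed whether or not a TTL/class is present.
    if len(fields) < 4 or fields[-4] != "SSHFP":
        raise ValueError("not an SSHFP record")
    return int(fields[-3]), int(fields[-2]), fields[-1].lower()


def host_key_matches(pubkey_line: str, record: str) -> bool:
    """Client side: does the host key the server presented match the record?"""
    key_type, blob = parse_pubkey_line(pubkey_line)
    alg, fp_type, fp_hex = parse_sshfp_record(record)
    # Algorithm and hash type must agree before the hash is even compared.
    if KEY_ALGORITHMS.get(key_type) != alg or fp_type not in FP_TYPES:
        return False
    return fingerprint(blob, fp_type) == fp_hex


def constructed_ed25519_pubkey(raw32: bytes) -> str:
    """Constructed sample key (NOT a real host key) built from 32 fixed bytes."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw32
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " sample@example"


if __name__ == "__main__":
    host_key = constructed_ed25519_pubkey(bytes(range(32)))
    records = sshfp_records("ssh.example.com", host_key)
    for rec in records:
        print(rec)
    # A server presenting the published key matches; a different key does not.
    print(host_key_matches(host_key, records[1]))
    print(host_key_matches(constructed_ed25519_pubkey(bytes(range(1, 33))), records[1]))
```

The output format mirrors what ssh-keygen -r prints, so the records can be pasted into a zone file. The comparison deliberately checks the algorithm and fingerprint-type numbers before the hash: a record whose hash happens to match but whose algorithm field disagrees with the presented key is a mismatch, which is how OpenSSH treats it as well.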