Muhammad Moinur Rahman, profile picture
Uploaded byMuhammad Moinur Rahman
108 views

Importance of sshfp and configuring sshfp for network devices

SSHFP records provide a secure method of distributing host public keys via DNS. The document discusses: 1) How SSHFP records store fingerprints of host public keys in DNS to validate connections, rather than distributing keys directly. 2) The process of generating fingerprints from router public keys, creating SSHFP records, and configuring DNS to distribute them securely via DNSSEC. 3) How an SSH client can validate connections to a host by looking up its SSHFP records and fingerprints in DNS, preventing man-in-the-middle attacks.

Importance of SSHFP And Configuring SSHFP for Network Devices Muhammad Moinur Rahman moin@bofh.im
SSHFP root@ns:~ # ssh root@pdr.bofh.network The authenticity of host 'pdr.bofh.network (2604:6800:0:162:0:1:0:1)' can't be established. ECDSA key fingerprint is SHA256:AlzRr/ZNFC9fjs89jYAD1o2dFDs4vu3gUVUD7gI2QBk. No matching host key fingerprint found in DNS. Are you sure you want to continue connecting (yes/no)? ● Have you ever logged in that host or device ? ● Have you ever checked the public key ? ● Do you know the SHA256 Fingerprint of the ECDSA Public Key? ● 99.9% Sysadmin or Network admin never checks it @ console ● Victm of MITM Atack
SSHFP ● First came up in 2006 ● Defined in RFC 4255 ● Creates a DNS record of type SSHFP ● Distributed by DNS, Verified by DNS lookup and secured by DNSSEC
Previous Usage ● Distributed known_hosts file ● Easily modify ● No access, no verification ● Maybe use a bastion host
known_hosts file pdr.bofh.network ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdH AyNTYAAABBBLGgYTGJQyJFOGAn3C31QG1aw/LQDl+x q+M1pvM6RAW8vGvuaMsS5c23PjcR0zEfsjhKCV33vY hXf7hxshcDZVI= ● Host ● Algorithm ● Public Key
Why SSHFP? ● SSH Public Key size are large to distribute via DNS ● So need the fingerprint ● Fingerprint method – Base64 – sha1/sha256 checksum
What we need? ● Fingerprints of the host ● Proper SSHFP DNS records ● Zone must be DNSSEC signed ● A DNSSEC validator DNS server or ldns support in ssh client ● A SSH client capable to verify DNSSEC validated fingerprint
Fingerprints of the host? root@pdr:~ # ssh-keygen -r pdr.bofh.network pdr.bofh.network IN SSHFP 1 1 2cfb54c336799bf601a17a6b2723d096ed23ce55 pdr.bofh.network IN SSHFP 1 2 95a39495ec59ad717c0990bfe1f3c8ddd9e2b1201065e0ca5fc381cbc7ea8d8b pdr.bofh.network IN SSHFP 2 1 90eb07d57e037aacbec479ed3a4c6a1264edf4f0 pdr.bofh.network IN SSHFP 2 2 eccdc4d93bb9af3eb4791e30f66aa327d9f0c9c388f5e950159ec285bb746783 pdr.bofh.network IN SSHFP 3 1 491ff6cd714362c5bae223fc2c942dbf78c3ba0e pdr.bofh.network IN SSHFP 3 2 597d44db5b0e28f787ad5b1535e8b201e509373f8a8e711c71c950556ecdf799 pdr.bofh.network IN SSHFP 4 1 c63d32f031cc3fc7fe867baf2d0cd23d4ef25213 pdr.bofh.network IN SSHFP 4 2 15d249791d60bc46ec400c3a16a66b1cca191b2d30464707e8e5ba204dea1433
Dissecting Fingerprints ● Hostname ● Record CLASS (Internet) ● Record Type (SSHFP) ● Algorithm – 1 – RSA – 2 – DSA – 3 – ECDSA – 4 – Ed25519 ● Fingerprint TYPE – SHA1 – SHA256 ● Key
Algorithm ● Most modern OS will show all 4 ● Old OS might show only RSA and DSA ● ECDSA and Ed25519 are modern Cryptographic algorithm ● Ed25519 added in RFC7479 ● For ECDSA and Ed25519 we need OpenSSH=>6.7
Distributing via DNS root@pdr:~ # drill -D pdr.bofh.network sshfp ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 60914 ;; flags: qr rd ra ad ; QUERY: 1, ANSWER: 9, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;; pdr.bofh.network. IN SSHFP ;; ANSWER SECTION: pdr.bofh.network. 3599 IN SSHFP 2 1 90eb07d57e037aacbec479ed3a4c6a1264edf4f0 pdr.bofh.network. 3599 IN SSHFP 3 2 597d44db5b0e28f787ad5b1535e8b201e509373f8a8e711c71c950556ecdf799 pdr.bofh.network. 3599 IN SSHFP 3 1 491ff6cd714362c5bae223fc2c942dbf78c3ba0e pdr.bofh.network. 3599 IN SSHFP 4 2 15d249791d60bc46ec400c3a16a66b1cca191b2d30464707e8e5ba204dea1433 pdr.bofh.network. 3599 IN SSHFP 1 2 95a39495ec59ad717c0990bfe1f3c8ddd9e2b1201065e0ca5fc381cbc7ea8d8b pdr.bofh.network. 3599 IN SSHFP 4 1 c63d32f031cc3fc7fe867baf2d0cd23d4ef25213 pdr.bofh.network. 3599 IN SSHFP 1 1 2cfb54c336799bf601a17a6b2723d096ed23ce55 pdr.bofh.network. 3599 IN SSHFP 2 2 eccdc4d93bb9af3eb4791e30f66aa327d9f0c9c388f5e950159ec285bb746783 pdr.bofh.network. 3599 IN RRSIG SSHFP 8 3 3600 20171114225917 20171031212226 15678 dzcrd.net. QBTRbj8xtyEN/9WH/PL39n1mC0XOKmGDj5TzgP/Kkvo7ac3wPwZ92dEcVnKyi1H2e8wP6532NIMjmuveyundnavCCbstOUfFyN17fBuEtHQTJzLmp8XQ7JxDgXbzbp6bvaKrck/XBFbRfk895oI9+Spg09fYkfseN4axEVoscQY= ;; AUTHORITY SECTION: ;; ADDITIONAL SECTION: ;; Query time: 1750 msec ;; EDNS: version 0; flags: do ; udp: 512 ;; SERVER: 127.0.0.1 ;; WHEN: Wed Nov 1 21:35:20 2017 ;; MSG SIZE rcvd: 530
SSHFP Validation with ssh client root@ns:~ # ldd /usr/bin/ssh /usr/bin/ssh: libprivatessh.so.5 => /usr/lib/libprivatessh.so.5 (0x80084f000) libgssapi.so.10 => /usr/lib/libgssapi.so.10 (0x800aee000) libcrypto.so.8 => /lib/libcrypto.so.8 (0x800e00000) libc.so.7 => /lib/libc.so.7 (0x801269000) libprivateldns.so.5 => /usr/lib/libprivateldns.so.5 (0x801621000) libcrypt.so.5 => /lib/libcrypt.so.5 (0x80187f000) libz.so.6 => /lib/libz.so.6 (0x801a9e000)
If ldns is supported .. ● Need to maintain a trust-anchor ● Run unbound-anchor ● Add to /etc/resolv.conf anchor /etc/unbound/root.key [*BSD] anchor /var/lib/unbound/root.key [Linux]
Else .. ● Run a validating resolver like Unbound server: auto-trust-anchor-file: "/etc/unbound/root.key"
Test ● root@pdr:~$ ssh root@pdr.bofh.network The authenticity of host 'pdr.bofh.network (2003:51:6012:110::9)' can't be established. ECDSA key fingerprint is SHA256:T09/p/ZSubnkraG3oslDMehfIiLRe6UiVn1dGZvtjZE. Are you sure you want to continue connecting (yes/no)? ^C ● root@pdr:~$ ssh -o VerifyHostKeyDNS=yes root@pdr.bofh.network root@pdr:~$
Test Successful ● DNSSEC Validation Works ● SSH login without .known_host works
SSH/SSHFP Demystified ● SSH Creates Public/Private Keys – For Linux/Unix under /etc/ssh/ssh_host_<ALGORITHM>.* – Normally during first run of sshd service – This part is automatic and hidden ● ssh-keygen creates fingerprints for those keys
SSHFP for Network Equipments ● Network Equipments don’t have ssh-keygen command ● Equipments comes with limited subset of ssh ● Configure ssh service for devices preferably version 2 ● Create the public/private keys normally RSA only ● Gather the public key connecting through console or direct point-to-point connectivity ● Generate the Fingerprints for SSHFP records
Configuring Router R1#conf t R1(config)#ip domain-name bofh.network R1(config)#crypto key generate rsa modulus 4096 R1(config)#crypto key generate rsa modulus 4096 R1(config)#crypto key generate rsa modulus 4096 R1#show ip ssh SSH Enabled - version 2.0 Authentication timeout: 120 secs; Authentication retries: 3 Minimum expected Diffie Hellman key size : 1024 bits IOS Keys in SECSH format(ssh-rsa, base64 encoded): ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC1pb6dZ01nHBPZUZXcTxf7swq3NoNc6Geiz9C006YS gCwz47msZn7YGIlPtrhw+GGT2jZo+34xSXekVYV9Cie+e8NI4UgD7b+aXma6aNPGfDN338jAmWBN7SDB sZvLJnjDYndNqRtYXby8uhvzWfGNtPwIZCXgbX+nOTmCR9Ap0iFF4zxzPppwPko41xdyAaOc4qros8aR ocLP8hrEeEz9R7WWZZ5ui/+ya3wa/SFjOZIcnv/7BKl1E5z+CM0OneDUfktw6lEd3hYGr347sz5I4Obj ia3HJ1D3lQKtRcT8zqavdlDyaYZEvYbg4eMp6aSMjJ79BOhhGgiFJ/Mxw7isMikfd6iKisdU+pd3XxQN mNlDywfuRKl9RYfYAVNG3PvOAqzECplh4s5+jl1+SWeKIg3ah7iFv7ddEVdBtaOrCsVxaOJuIMYPioTH aoDNmeOpfZJa/VIqker78bTlIgIGALybnnniFYhAb9ztYJv8g14pmu7cZol3lGg9pa/Qi6sdCAVyizdj 0wsS/s8Sl8VhwoZpxEUs0XQIHEsKP47XpJdmKAWG3vYopWYz7JCRmpwl8+oRCHLL35zV4Em+BO4aH/gt +nRQuEaVFBwaHGbe0A77d4ABIHLWAvuFb4wr+oOGoD57kDolrFYq7IfW/d261+DMr11Ip0kJEncXIgZc
Extracting Key ● Connect with Console ● Connect directly with point to point LAN ● Use show ip ssh – Copy the string starting with “ssh-rsa” and ending till last line ● For remote connection add the key with prompt and verify the keys ● Save the file in a Linux/Unix host with filename like hostname_rsa_key.pub
Using the script #!/usr/local/bin/bash HOST="${1}" if [[ "$1" == "-h" || "$1" == "--help" ]] then echo "Usage: sshfpgen <hostname>" fi for pubkey in *_key.pub do echo "$HOST IN SSHFP 1 1 $(cut -f2 -d ' ' "$pubkey" | base64 --decode | shasum | cut -f 1 -d ' ')" echo "$HOST IN SSHFP 1 2 $(cut -f2 -d ' ' "$pubkey" | base64 --decode | shasum -a 256 | cut -f 1 -d ' ')" done
Running the script root@ns:~ # ./sshfpgen r1.bofh.network r1.bofh.network IN SSHFP 1 1 96898fe4604ed5e7b1a1c80374b1200fae3f4adb r1.bofh.network IN SSHFP 1 2 ebfca263706e4e12c7189ae377014f30467af6e6243d3b8a7e5f763d2813023b
Adding to DNS ● Following records were added into the DNS r1.bofh.network IN SSHFP 1 1 96898fe4604ed5e7b1a1c80374b1200fae3f4adb r1.bofh.network IN SSHFP 1 2 ebfca263706e4e12c7189ae377014f30467af6e6243d3b8a7e5f763d2813023b ● DNS Query Test $ dig SSHFP +noadditional +noquestion +nocomments +nocmd +nostats r1.bofh.network r1.bofh.network. 3600 IN SSHFP 1 1 96898fe4604ed5e7b1a1c80374b1200fae3f4adb r1.bofh.network. 3600 IN SSHFP 1 2 ebfca263706e4e12c7189ae377014f30467af6e6243d3b8a7e5f763d2813023b
Connectivity Test ● Connecting without DNSSEC validation $ ssh VerifyHostKeyDNS=yes r1.bofh.network The authenticity of host 'r1.bofh.network (192.168.100.100)' can't be established. RSA key fingerprint is SHA256:y2STsQ4RA/8durhpic+pb6UjcKwz7+bUaKX3C40yOGk. Matching host key fingerprint found in DNS. Are you sure you want to continue connecting (yes/no)?
Connectivity Test ● Connecting with DNSSEC validation $ ssh VerifyHostKeyDNS=yes r1.bofh.network Username: ● Also no records will be added in .known_host file
Live Demonstration & Questions

More Related Content

PDF
SSH: Seguranca no Acesso Remoto
byTiago Cruz
 
PDF
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
byMen and Mice
 
PDF
Using Kamailio for Scalability and Security
byFred Posner
 
PDF
Kamailio - SIP Firewall for Carrier Grade Traffic
byDaniel-Constantin Mierla
 
PDF
SIP Attack Handling (Kamailio World 2021)
byFred Posner
 
ODP
SSH Tunnel-Fu [NoVaH 2011]
byVincent Batts
 
ODP
Getting started with RDO Havana
byDan Radez
 
PDF
Da APK al Golden Ticket
byGiuseppe Trotta
 
SSH: Seguranca no Acesso Remoto
byTiago Cruz
 
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
byMen and Mice
 
Using Kamailio for Scalability and Security
byFred Posner
 
Kamailio - SIP Firewall for Carrier Grade Traffic
byDaniel-Constantin Mierla
 
SIP Attack Handling (Kamailio World 2021)
byFred Posner
 
SSH Tunnel-Fu [NoVaH 2011]
byVincent Batts
 
Getting started with RDO Havana
byDan Radez
 
Da APK al Golden Ticket
byGiuseppe Trotta
 

What's hot

PDF
Ssh cookbook
byJean-Marie Renouard
 
PDF
Python Cryptography & Security
byJose Manuel Ortega Candel
 
PPTX
Configuring ssh on switch
bytcpipguru
 
PDF
Ssh and sshfp dns records v04
byBob Novas
 
PDF
DNSSEC signing Tutorial
byMen and Mice
 
PDF
Packet crafting of2013
byShteryana Shopova
 
PDF
Centralized Logging with syslog
byamiable_indian
 
PDF
Kamailio - Load Balancing Load Balancers
byDaniel-Constantin Mierla
 
PDF
Part 2 - Local Name Resolution in Windows Networks
byMen and Mice
 
PDF
DNS High-Availability Tools - Open-Source Load Balancing Solutions
byMen and Mice
 
PDF
Advanced open ssh
byDan Kaminsky
 
PDF
Relayd: a load balancer for OpenBSD
byGiovanni Bechis
 
PPT
Fileextraction with suricata
byMrArora Arjuna
 
PDF
Instant DevOps
byFerenc Erki
 
PPTX
Ansible ssh y comandos ad-hoc
byRaul Hugo
 
DOCX
NAS Botnet Revealed - Mining Bitcoin
byDavide Cioccia
 
PDF
Yeti DNS - Experimenting at the root
byMen and Mice
 
PDF
Codified PostgreSQL Schema
bySean Chittenden
 
Ssh cookbook
byJean-Marie Renouard
 
Python Cryptography & Security
byJose Manuel Ortega Candel
 
Configuring ssh on switch
bytcpipguru
 
Ssh and sshfp dns records v04
byBob Novas
 
DNSSEC signing Tutorial
byMen and Mice
 
Packet crafting of2013
byShteryana Shopova
 
Centralized Logging with syslog
byamiable_indian
 
Kamailio - Load Balancing Load Balancers
byDaniel-Constantin Mierla
 
Part 2 - Local Name Resolution in Windows Networks
byMen and Mice
 
DNS High-Availability Tools - Open-Source Load Balancing Solutions
byMen and Mice
 
Advanced open ssh
byDan Kaminsky
 
Relayd: a load balancer for OpenBSD
byGiovanni Bechis
 
Fileextraction with suricata
byMrArora Arjuna
 
Instant DevOps
byFerenc Erki
 
Ansible ssh y comandos ad-hoc
byRaul Hugo
 
NAS Botnet Revealed - Mining Bitcoin
byDavide Cioccia
 
Yeti DNS - Experimenting at the root
byMen and Mice
 
Codified PostgreSQL Schema
bySean Chittenden
 

Similar to Importance of sshfp and configuring sshfp for network devices

PDF
An introduction to SSH
bynussbauml
 
PPT
Presentation nix
byfangjiafu
 
PPT
Presentation nix
byfangjiafu
 
PPT
Ssh
bygh02
 
PPT
Secure shell ppt
bysravya raju
 
PDF
SSH - Secure Shell
byPeter R. Egli
 
PDF
OpenSSH: keep your secrets safe
byGiovanni Bechis
 
PDF
IBM Ported Tools for z/OS: OpenSSH User's Guide
byIBM India Smarter Computing
 
PPTX
Cfgmgmtcamp 2023 — eBPF Superpowers
byRaphaël PINSON
 
PPTX
SSh_part_1.pptx
byShelly119532
 
PDF
Secure shell(ssh) AND telnet AND CONSOLE
byAmiraMohamedGalal
 
PDF
Open ssh cheet sheat
byPiyush Mittal
 
DOCX
Research and Analysis of SSH
byMatthew Chang
 
PDF
tutorial-ssh.pdf
byNigussMehari4
 
PDF
Windowshadoop
byarunkumar sadhasivam
 
PPT
Bh usa-01-kaminsky
byDan Kaminsky
 
PDF
Service intergration
by재민 장
 
PDF
Dssh @ Confidence, Prague 2010
byJuraj Bednar
 
PDF
Passive SSH, a Fast-Lookup Database of SSH Key Materials to Support Incident ...
byadulau
 
PDF
Efficient System Monitoring in Cloud Native Environments
byGergely Szabó
 
An introduction to SSH
bynussbauml
 
Presentation nix
byfangjiafu
 
Presentation nix
byfangjiafu
 
Ssh
bygh02
 
Secure shell ppt
bysravya raju
 
SSH - Secure Shell
byPeter R. Egli
 
OpenSSH: keep your secrets safe
byGiovanni Bechis
 
IBM Ported Tools for z/OS: OpenSSH User's Guide
byIBM India Smarter Computing
 
Cfgmgmtcamp 2023 — eBPF Superpowers
byRaphaël PINSON
 
SSh_part_1.pptx
byShelly119532
 
Secure shell(ssh) AND telnet AND CONSOLE
byAmiraMohamedGalal
 
Open ssh cheet sheat
byPiyush Mittal
 
Research and Analysis of SSH
byMatthew Chang
 
tutorial-ssh.pdf
byNigussMehari4
 
Windowshadoop
byarunkumar sadhasivam
 
Bh usa-01-kaminsky
byDan Kaminsky
 
Service intergration
by재민 장
 
Dssh @ Confidence, Prague 2010
byJuraj Bednar
 
Passive SSH, a Fast-Lookup Database of SSH Key Materials to Support Incident ...
byadulau
 
Efficient System Monitoring in Cloud Native Environments
byGergely Szabó
 

More from Muhammad Moinur Rahman

PDF
FreeBSD Portscamp, Kuala Lumpur 2016
byMuhammad Moinur Rahman
 
PDF
FreeBSD and Hardening Web Server
byMuhammad Moinur Rahman
 
PDF
FreeBSD is not Linux
byMuhammad Moinur Rahman
 
PDF
Introduction to SDN
byMuhammad Moinur Rahman
 
PDF
IRR toolset with rpsl
byMuhammad Moinur Rahman
 
PDF
The FreeBSD - PRIMER
byMuhammad Moinur Rahman
 
PDF
Network tips tricks
byMuhammad Moinur Rahman
 
PDF
Rpki with rpki.net tools
byMuhammad Moinur Rahman
 
PDF
Software defined networking: Primer
byMuhammad Moinur Rahman
 
PDF
Blockchain - The future of internet
byMuhammad Moinur Rahman
 
PDF
BGP communities and geotags
byMuhammad Moinur Rahman
 
PDF
Practical Implementation of Large BGP communities with Geotags and Traffic En...
byMuhammad Moinur Rahman
 
PDF
Practical Implementation of BGP Community with Geotags
byMuhammad Moinur Rahman
 
PDF
Introduction to Blockchain
byMuhammad Moinur Rahman
 
FreeBSD Portscamp, Kuala Lumpur 2016
byMuhammad Moinur Rahman
 
FreeBSD and Hardening Web Server
byMuhammad Moinur Rahman
 
FreeBSD is not Linux
byMuhammad Moinur Rahman
 
Introduction to SDN
byMuhammad Moinur Rahman
 
IRR toolset with rpsl
byMuhammad Moinur Rahman
 
The FreeBSD - PRIMER
byMuhammad Moinur Rahman
 
Network tips tricks
byMuhammad Moinur Rahman
 
Rpki with rpki.net tools
byMuhammad Moinur Rahman
 
Software defined networking: Primer
byMuhammad Moinur Rahman
 
Blockchain - The future of internet
byMuhammad Moinur Rahman
 
BGP communities and geotags
byMuhammad Moinur Rahman
 
Practical Implementation of Large BGP communities with Geotags and Traffic En...
byMuhammad Moinur Rahman
 
Practical Implementation of BGP Community with Geotags
byMuhammad Moinur Rahman
 
Introduction to Blockchain
byMuhammad Moinur Rahman
 

Recently uploaded

PPTX
Flutter for Beginners widgets types.pptx
byKongu Engineering College, Perundurai, Erode
 
PDF
Staying Ahead of the Curve - Roaming Just Got Easier
bypanagenda
 
PDF
Immer vorne mit dabei sein - Roaming leicht gemacht
bypanagenda
 
PDF
FME Realize in the Real World - The Power of Spatial Computing in Action
bySafe Software
 
PDF
Devfest Harare 2025 Slides [GDG Harare] - Combined Slide Deck
byGoogle Developer Group - Harare
 
PDF
Streamline complex activities with AI PCs featuring AMD Ryzen processors
byPrincipled Technologies
 
PDF
Top 11 Sites to Buy Verified GitHub Accounts in 2025
byBuy GitHub Accounts Looking for a verified GitHub account?
 
PDF
Igalia and WebKit: Status update and plans (2025)
byIgalia
 
PDF
Integrare AI e Automazione con UiPath Agent Builder
byUiPathCommunity
 
PDF
Session 7 Specialized AI Associate Series: UiPath Communications Mining Overview
byDianaGray10
 
PDF
n8n - Next Generation Workflow Automation with Open Source
byDaisuke Masuda
 
PDF
Session 8 Specialized AI Associate Series: Fundamentals of Model Training
byDianaGray10
 
PDF
AI64 - Mapping the Next Generation of Enterprise Software | Redpoint Ventures
byRazin Mustafiz
 
PDF
Transcript: Embedding sustainability: Tips for ebook and print production - T...
byBookNet Canada
 
PDF
Transcript: Ready, set, go: Pre-fall sales trends and data-driven insights - ...
byBookNet Canada
 
DOCX
Formula 1 - APIC general MACO calculation.docx
byMarkus Janssen
 
PPTX
Assignment Review and Accessibility Audit Findings.pptx
byJulia Undeutsch
 
PDF
Spec Driven Development with Kiro: Ensuring Quality and Traceability in the A...
byHaim Michael
 
PDF
Dev Dives: Unlocking Enterprise Data with UiPath Data Fabric
byUiPathCommunity
 
PDF
Fighting CVEs in Embedded Linux with the Yocto Project and OTA Updates
byLeon Anavi
 
Flutter for Beginners widgets types.pptx
byKongu Engineering College, Perundurai, Erode
 
Staying Ahead of the Curve - Roaming Just Got Easier
bypanagenda
 
Immer vorne mit dabei sein - Roaming leicht gemacht
bypanagenda
 
FME Realize in the Real World - The Power of Spatial Computing in Action
bySafe Software
 
Devfest Harare 2025 Slides [GDG Harare] - Combined Slide Deck
byGoogle Developer Group - Harare
 
Streamline complex activities with AI PCs featuring AMD Ryzen processors
byPrincipled Technologies
 
Top 11 Sites to Buy Verified GitHub Accounts in 2025
byBuy GitHub Accounts Looking for a verified GitHub account?
 
Igalia and WebKit: Status update and plans (2025)
byIgalia
 
Integrare AI e Automazione con UiPath Agent Builder
byUiPathCommunity
 
Session 7 Specialized AI Associate Series: UiPath Communications Mining Overview
byDianaGray10
 
n8n - Next Generation Workflow Automation with Open Source
byDaisuke Masuda
 
Session 8 Specialized AI Associate Series: Fundamentals of Model Training
byDianaGray10
 
AI64 - Mapping the Next Generation of Enterprise Software | Redpoint Ventures
byRazin Mustafiz
 
Transcript: Embedding sustainability: Tips for ebook and print production - T...
byBookNet Canada
 
Transcript: Ready, set, go: Pre-fall sales trends and data-driven insights - ...
byBookNet Canada
 
Formula 1 - APIC general MACO calculation.docx
byMarkus Janssen
 
Assignment Review and Accessibility Audit Findings.pptx
byJulia Undeutsch
 
Spec Driven Development with Kiro: Ensuring Quality and Traceability in the A...
byHaim Michael
 
Dev Dives: Unlocking Enterprise Data with UiPath Data Fabric
byUiPathCommunity
 
Fighting CVEs in Embedded Linux with the Yocto Project and OTA Updates
byLeon Anavi
 

Importance of sshfp and configuring sshfp for network devices

  • 1.
    Importance of SSHFP And ConfiguringSSHFP for Network Devices Muhammad Moinur Rahman moin@bofh.im
  • 2.
    SSHFP root@ns:~ # sshroot@pdr.bofh.network The authenticity of host 'pdr.bofh.network (2604:6800:0:162:0:1:0:1)' can't be established. ECDSA key fingerprint is SHA256:AlzRr/ZNFC9fjs89jYAD1o2dFDs4vu3gUVUD7gI2QBk. No matching host key fingerprint found in DNS. Are you sure you want to continue connecting (yes/no)? ● Have you ever logged in that host or device ? ● Have you ever checked the public key ? ● Do you know the SHA256 Fingerprint of the ECDSA Public Key? ● 99.9% Sysadmin or Network admin never checks it @ console ● Victm of MITM Atack
  • 3.
    SSHFP ● First came upin 2006 ● Defined in RFC 4255 ● Creates a DNS record of type SSHFP ● Distributed by DNS, Verified by DNS lookup and secured by DNSSEC
  • 4.
    Previous Usage ● Distributed known_hostsfile ● Easily modify ● No access, no verification ● Maybe use a bastion host
  • 5.
  • 6.
    Why SSHFP? ● SSH PublicKey size are large to distribute via DNS ● So need the fingerprint ● Fingerprint method – Base64 – sha1/sha256 checksum
  • 7.
    What we need? ● Fingerprintsof the host ● Proper SSHFP DNS records ● Zone must be DNSSEC signed ● A DNSSEC validator DNS server or ldns support in ssh client ● A SSH client capable to verify DNSSEC validated fingerprint
  • 8.
    Fingerprints of thehost? root@pdr:~ # ssh-keygen -r pdr.bofh.network pdr.bofh.network IN SSHFP 1 1 2cfb54c336799bf601a17a6b2723d096ed23ce55 pdr.bofh.network IN SSHFP 1 2 95a39495ec59ad717c0990bfe1f3c8ddd9e2b1201065e0ca5fc381cbc7ea8d8b pdr.bofh.network IN SSHFP 2 1 90eb07d57e037aacbec479ed3a4c6a1264edf4f0 pdr.bofh.network IN SSHFP 2 2 eccdc4d93bb9af3eb4791e30f66aa327d9f0c9c388f5e950159ec285bb746783 pdr.bofh.network IN SSHFP 3 1 491ff6cd714362c5bae223fc2c942dbf78c3ba0e pdr.bofh.network IN SSHFP 3 2 597d44db5b0e28f787ad5b1535e8b201e509373f8a8e711c71c950556ecdf799 pdr.bofh.network IN SSHFP 4 1 c63d32f031cc3fc7fe867baf2d0cd23d4ef25213 pdr.bofh.network IN SSHFP 4 2 15d249791d60bc46ec400c3a16a66b1cca191b2d30464707e8e5ba204dea1433
  • 9.
    Dissecting Fingerprints ● Hostname ● Record CLASS(Internet) ● Record Type (SSHFP) ● Algorithm – 1 – RSA – 2 – DSA – 3 – ECDSA – 4 – Ed25519 ● Fingerprint TYPE – SHA1 – SHA256 ● Key
  • 10.
    Algorithm ● Most modern OSwill show all 4 ● Old OS might show only RSA and DSA ● ECDSA and Ed25519 are modern Cryptographic algorithm ● Ed25519 added in RFC7479 ● For ECDSA and Ed25519 we need OpenSSH=>6.7
  • 11.
    Distributing via DNS root@pdr:~# drill -D pdr.bofh.network sshfp ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 60914 ;; flags: qr rd ra ad ; QUERY: 1, ANSWER: 9, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;; pdr.bofh.network. IN SSHFP ;; ANSWER SECTION: pdr.bofh.network. 3599 IN SSHFP 2 1 90eb07d57e037aacbec479ed3a4c6a1264edf4f0 pdr.bofh.network. 3599 IN SSHFP 3 2 597d44db5b0e28f787ad5b1535e8b201e509373f8a8e711c71c950556ecdf799 pdr.bofh.network. 3599 IN SSHFP 3 1 491ff6cd714362c5bae223fc2c942dbf78c3ba0e pdr.bofh.network. 3599 IN SSHFP 4 2 15d249791d60bc46ec400c3a16a66b1cca191b2d30464707e8e5ba204dea1433 pdr.bofh.network. 3599 IN SSHFP 1 2 95a39495ec59ad717c0990bfe1f3c8ddd9e2b1201065e0ca5fc381cbc7ea8d8b pdr.bofh.network. 3599 IN SSHFP 4 1 c63d32f031cc3fc7fe867baf2d0cd23d4ef25213 pdr.bofh.network. 3599 IN SSHFP 1 1 2cfb54c336799bf601a17a6b2723d096ed23ce55 pdr.bofh.network. 3599 IN SSHFP 2 2 eccdc4d93bb9af3eb4791e30f66aa327d9f0c9c388f5e950159ec285bb746783 pdr.bofh.network. 3599 IN RRSIG SSHFP 8 3 3600 20171114225917 20171031212226 15678 dzcrd.net. QBTRbj8xtyEN/9WH/PL39n1mC0XOKmGDj5TzgP/Kkvo7ac3wPwZ92dEcVnKyi1H2e8wP6532NIMjmuveyundnavCCbstOUfFyN17fBuEtHQTJzLmp8XQ7JxDgXbzbp6bvaKrck/XBFbRfk895oI9+Spg09fYkfseN4axEVoscQY= ;; AUTHORITY SECTION: ;; ADDITIONAL SECTION: ;; Query time: 1750 msec ;; EDNS: version 0; flags: do ; udp: 512 ;; SERVER: 127.0.0.1 ;; WHEN: Wed Nov 1 21:35:20 2017 ;; MSG SIZE rcvd: 530
  • 12.
    SSHFP Validation withssh client root@ns:~ # ldd /usr/bin/ssh /usr/bin/ssh: libprivatessh.so.5 => /usr/lib/libprivatessh.so.5 (0x80084f000) libgssapi.so.10 => /usr/lib/libgssapi.so.10 (0x800aee000) libcrypto.so.8 => /lib/libcrypto.so.8 (0x800e00000) libc.so.7 => /lib/libc.so.7 (0x801269000) libprivateldns.so.5 => /usr/lib/libprivateldns.so.5 (0x801621000) libcrypt.so.5 => /lib/libcrypt.so.5 (0x80187f000) libz.so.6 => /lib/libz.so.6 (0x801a9e000)
  • 13.
    If ldns issupported .. ● Need to maintain a trust-anchor ● Run unbound-anchor ● Add to /etc/resolv.conf anchor /etc/unbound/root.key [*BSD] anchor /var/lib/unbound/root.key [Linux]
  • 14.
    Else .. ● Run avalidating resolver like Unbound server: auto-trust-anchor-file: "/etc/unbound/root.key"
  • 15.
    Test ● root@pdr:~$ sshroot@pdr.bofh.network The authenticity of host 'pdr.bofh.network (2003:51:6012:110::9)' can't be established. ECDSA key fingerprint is SHA256:T09/p/ZSubnkraG3oslDMehfIiLRe6UiVn1dGZvtjZE. Are you sure you want to continue connecting (yes/no)? ^C ● root@pdr:~$ ssh -o VerifyHostKeyDNS=yes root@pdr.bofh.network root@pdr:~$
  • 16.
    Test Successful ● DNSSECValidation Works ● SSH login without .known_host works
  • 17.
    SSH/SSHFP Demystified ● SSH CreatesPublic/Private Keys – For Linux/Unix under /etc/ssh/ssh_host_<ALGORITHM>.* – Normally during first run of sshd service – This part is automatic and hidden ● ssh-keygen creates fingerprints for those keys
  • 18.
    SSHFP for NetworkEquipments ● Network Equipments don’t have ssh-keygen command ● Equipments comes with limited subset of ssh ● Configure ssh service for devices preferably version 2 ● Create the public/private keys normally RSA only ● Gather the public key connecting through console or direct point-to-point connectivity ● Generate the Fingerprints for SSHFP records
  • 19.
    Configuring Router R1#conf t R1(config)#ipdomain-name bofh.network R1(config)#crypto key generate rsa modulus 4096 R1(config)#crypto key generate rsa modulus 4096 R1(config)#crypto key generate rsa modulus 4096 R1#show ip ssh SSH Enabled - version 2.0 Authentication timeout: 120 secs; Authentication retries: 3 Minimum expected Diffie Hellman key size : 1024 bits IOS Keys in SECSH format(ssh-rsa, base64 encoded): ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC1pb6dZ01nHBPZUZXcTxf7swq3NoNc6Geiz9C006YS gCwz47msZn7YGIlPtrhw+GGT2jZo+34xSXekVYV9Cie+e8NI4UgD7b+aXma6aNPGfDN338jAmWBN7SDB sZvLJnjDYndNqRtYXby8uhvzWfGNtPwIZCXgbX+nOTmCR9Ap0iFF4zxzPppwPko41xdyAaOc4qros8aR ocLP8hrEeEz9R7WWZZ5ui/+ya3wa/SFjOZIcnv/7BKl1E5z+CM0OneDUfktw6lEd3hYGr347sz5I4Obj ia3HJ1D3lQKtRcT8zqavdlDyaYZEvYbg4eMp6aSMjJ79BOhhGgiFJ/Mxw7isMikfd6iKisdU+pd3XxQN mNlDywfuRKl9RYfYAVNG3PvOAqzECplh4s5+jl1+SWeKIg3ah7iFv7ddEVdBtaOrCsVxaOJuIMYPioTH aoDNmeOpfZJa/VIqker78bTlIgIGALybnnniFYhAb9ztYJv8g14pmu7cZol3lGg9pa/Qi6sdCAVyizdj 0wsS/s8Sl8VhwoZpxEUs0XQIHEsKP47XpJdmKAWG3vYopWYz7JCRmpwl8+oRCHLL35zV4Em+BO4aH/gt +nRQuEaVFBwaHGbe0A77d4ABIHLWAvuFb4wr+oOGoD57kDolrFYq7IfW/d261+DMr11Ip0kJEncXIgZc
  • 20.
    Extracting Key ● Connect withConsole ● Connect directly with point to point LAN ● Use show ip ssh – Copy the string starting with “ssh-rsa” and ending till last line ● For remote connection add the key with prompt and verify the keys ● Save the file in a Linux/Unix host with filename like hostname_rsa_key.pub
  • 21.
    Using the script #!/usr/local/bin/bash HOST="${1}" if[[ "$1" == "-h" || "$1" == "--help" ]] then echo "Usage: sshfpgen <hostname>" fi for pubkey in *_key.pub do echo "$HOST IN SSHFP 1 1 $(cut -f2 -d ' ' "$pubkey" | base64 --decode | shasum | cut -f 1 -d ' ')" echo "$HOST IN SSHFP 1 2 $(cut -f2 -d ' ' "$pubkey" | base64 --decode | shasum -a 256 | cut -f 1 -d ' ')" done
  • 22.
    Running the script root@ns:~# ./sshfpgen r1.bofh.network r1.bofh.network IN SSHFP 1 1 96898fe4604ed5e7b1a1c80374b1200fae3f4adb r1.bofh.network IN SSHFP 1 2 ebfca263706e4e12c7189ae377014f30467af6e6243d3b8a7e5f763d2813023b
  • 23.
    Adding to DNS ● Followingrecords were added into the DNS r1.bofh.network IN SSHFP 1 1 96898fe4604ed5e7b1a1c80374b1200fae3f4adb r1.bofh.network IN SSHFP 1 2 ebfca263706e4e12c7189ae377014f30467af6e6243d3b8a7e5f763d2813023b ● DNS Query Test $ dig SSHFP +noadditional +noquestion +nocomments +nocmd +nostats r1.bofh.network r1.bofh.network. 3600 IN SSHFP 1 1 96898fe4604ed5e7b1a1c80374b1200fae3f4adb r1.bofh.network. 3600 IN SSHFP 1 2 ebfca263706e4e12c7189ae377014f30467af6e6243d3b8a7e5f763d2813023b
  • 24.
    Connectivity Test ● Connecting withoutDNSSEC validation $ ssh VerifyHostKeyDNS=yes r1.bofh.network The authenticity of host 'r1.bofh.network (192.168.100.100)' can't be established. RSA key fingerprint is SHA256:y2STsQ4RA/8durhpic+pb6UjcKwz7+bUaKX3C40yOGk. Matching host key fingerprint found in DNS. Are you sure you want to continue connecting (yes/no)?
  • 25.
    Connectivity Test ● Connecting withDNSSEC validation $ ssh VerifyHostKeyDNS=yes r1.bofh.network Username: ● Also no records will be added in .known_host file
  • 26.