I added a new server to our hackerspace last week. This new server will be used for research in security. When I was adding the new DNS record when I realized that the previous server had a SSHFP record as well!
I remember that I should use the ssh-keygen command, however, like a normal human being, I forgot which flag to use. A simple search in the manual page says that I should use -r flag, so here we go.
antranigv@srv0:~ % ssh-keygen -r srv0 srv0 IN SSHFP 1 1 785b3fa04870e92bf25f4c7f7092733acf586ffb srv0 IN SSHFP 1 2 847fd4a76ef7dfcef31ac3fa18c139413ab0017fa17014b3884bff161c3364de srv0 IN SSHFP 3 1 8268aa7b8dccf4c0e7881472c72093589ca46b2e srv0 IN SSHFP 3 2 ea0c9f0a50a825f5a0a59cebf8637876970a34000e6e0afd46bf269e08294a88 srv0 IN SSHFP 4 1 2fbe9d0e2ecdbd9dd58576e4683ee70858ca3f25 srv0 IN SSHFP 4 2 a34643bdce1ef3042cdd76fb7e46fcaf108dc436f8fcdb55daf993a27da0654b
All I need to do is to add these into the DNS zone. Luckily I run BIND, so I copy-pastad them into the file, did +1 to the SOA’s serial and done!
Now I can try logging in.
antranigv@zvartnots:~ $ ssh srv0.hackerspace.am -v OpenSSH_9.3p1, OpenSSL 3.1.3 19 Sep 2023 debug1: Reading configuration data /Users/antranigv/.ssh/config debug1: Reading configuration data /Users/antranigv/.ssh/personal […]
debug1: Server host key: ssh-ed25519 SHA256:OCsizTimnJi1grbxSY5LpvpLozfZ2pk+4Jzwg60WKYA debug1: found 6 secure fingerprints in DNS debug1: verify_host_key_dns: matched SSHFP type 4 fptype 1 debug1: verify_host_key_dns: matched SSHFP type 4 fptype 2 debug1: matching host key fingerprint found in DNS
and I logged in properly!