'\" t
.\"     Title: sshfp
.\"    Author: [see the "AUTHORS" section]
.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/>
.\"      Date: January 2, 2015
.\"    Manual: Internet / DNS
.\"    Source: Paul Wouters
.\"  Language: English
.\"
.TH "SSHFP" "1" "January 2, 2015" "Paul Wouters" "Internet / DNS"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
sshfp \- Generate SSHFP DNS records from knownhosts files or ssh\-keyscan
.SH "SYNTAX"
.PP
sshfp [\fB\-k\fR
<\fIknownhosts_file\fR>] [\fB\-d\fR] [\fB\-a\fR] [\fB\-\-type\fR
<algo>] [\fB\-\-digest\fR
<digest>] [<\fIhost1\fR> [\fIhost2 \&.\&.\&.]\fR]
.PP
sshfp
\fB\-s\fR
[\fB\-p\fR
<\fIport\fR>] [\fB\-d\fR] [\fB\-a\fR] [\fB\-\-type\fR
<algo>] [\fB\-\-digest\fR
<digest>] [\fB\-n <nameserver\fR>\fI] <domain1\fR> [\fIdomain2\fR] <\fIhost1\fR> [\fIhost2 \&.\&.\&.\fR] >
.SH "DESCRIPTION"
.PP
sshfp generates RFC\-4255 SSHFP DNS records based on the public keys stored in a known_hosts file, which implies the user has previously trusted this key, or public keys can be obtained by using ssh\-keyscan (1)\&. Using ssh\-keyscan (1) implies a secure path to connect to the hosts being scanned\&. It also implies a trust in the DNS to obtain the IP address of the hostname to be scanned\&. If the nameserver of the domain allows zone transfers (AXFR), an entire domain can be processed for all its A records\&.
.SH "OPTIONS"
.PP
\fB\-s / \-\-scan\fR <\fIhostname1\fR> [hostname2 \&.\&.\&.]
.RS 4
Scan hosts or domain for public SSH keys using ssh\-keyscan
.RE
.PP
\fB\-k / \-\-knownhosts <\fR\fIknownhosts_file\fR\fI> <\fR\fIhostname1\fR\fI> [hostname2 \&.\&.\&.]\fR
.RS 4
Obtain public SSH keys from a known_hosts file\&. Defaults to using ~/\&.ssh/known_hosts
.RE
.PP
\fB\-a / \-\-all\fR
.RS 4
Scan all hosts in the known_hosts file when used with \-k\&. When used with \-s, it will attempt a zone transfer (AXFR) to obtain all A records in the domain specified\&.
.RE
.PP
\fB\-d / \-\-trailing\-dot\fR
.RS 4
Add a trailing dot to the hostname in the SSHFP records\&. It is not possible to determine whether a known_hosts or dns query is for a FQDN (eg www\&.redhat\&.com) or not (eg www) or not (unless \-d domainname \-a is used, in which case a trailing dot is always appended)\&. Non\-FQDN get their domainname appended through /etc/resolv\&.conf These non\-FQDN will happen when using a non\-FQDN (eg sshfp \-k www) or known_hosts entries obtained by running ssh www\&.sub where \&.domain\&.com is implied\&. When \-d is used, all hostnames not ending with a dot, that at least contain two parts in their hostname (eg www\&.sub but not www get a trailing dot\&. Note that the output of sshfp can also just be manually edited for trailing dots\&.
.RE
.PP
\fB\-o / \-\-output\fR <\fIfilename\fR>
.RS 4
Write to filename instead of stdout
.RE
.PP
\fB\-p / \-\-port\fR <\fIportnumber\fR>
.RS 4
Use portnumber for scanning\&. Note that portnumbers do NOT appear in SSHFP records\&.
.RE
.PP
\fB\-h / \-\-help\fR
.RS 4
Output help information and exit\&.
.RE
.PP
\fB\-v / \-\-version\fR
.RS 4
Output version information and exit\&.
.RE
.PP
\fB\-q / \-\-quiet\fR
.RS 4
Output less miscellany to stderr
.RE
.SH "FILES"
.PP
~/\&.ssh/known_hosts
.SH "REQUIREMENTS"
.PP
sshfp requires python\-dns (\m[blue]\fBhttp://www\&.pythondns\&.org\fR\m[])
.PP
Fedora: yum install python\-dns
.PP
Debian: apt\-get install python\-dnspython
.SH "BUGS"
.PP
if a domain contains non\-working glue A records, then ssh\-keyscan aborts instead of skipping the single broken entry\&.
.PP
This program can look up hashed hostnames in a known_hosts file if a recent\-enough ssh\-keygen is present
.SH "EXAMPLES"
.PP
typical usage:
.PP
sshfp (implies \-k \-a)
.PP
sshfp \-a \-d (implies \-k)
.PP
sshfp \-k bofh\&.nohats\&.ca (from known_hosts)
.PP
sshfp \-s bofh\&.nohats\&.ca (from a scan to the host)
.PP
sshfp \-k ~paul/\&.ssh/known_hosts bofh\&.nohats\&.ca www\&.openswan\&.org \-o /tmp/mysshfp\&.txt
.PP
sshfp \-a \-d \-d nohats\&.ca \-n ns0\&.nohats\&.ca >> /var/named/primary/nohats\&.ca
.SH "SEE ALSO"
.PP
\fBssh-keyscan\fR(1)
\fBssh\fR(1)
\fBtlsa\fR(1)
and RFC\-4255
.SH "AUTHORS"
.PP
Paul Wouters <pwouters@redhat\&.com>, Jacob Appelbaum <jacob@appelbaum\&.net>, James Brown <jbrown@yelp\&.com>
.SH "COPYRIGHT"
.PP
Copyright 2006\-2010 Xelerance Corporation
.PP
Copyright 2012 Paul Wouters
.PP
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version\&. See <\m[blue]\fBhttp://www\&.fsf\&.org/copyleft/gpl\&.txt\fR\m[]>\&.
.PP
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE\&. See the GNU General Public License (file COPYING in the distribution) for more details\&.