Even with insecure DNS, this is probably better than what you do now, which is just to choose 'yes' at the following prompt without actually checking the fingerprint (seriously, do you ever bother?):
The authenticity of host 's0.barwen.ch (192.168.55.55)' can't be established. RSA key fingerprint is 9e:81:ab:cb:2a:ad:26:2f:10:ed:dd:5c:55:dd:ea:58. No matching host key fingerprint found in DNS. Are you sure you want to continue connecting (yes/no)?
SSH can check s0's DNS record to see if a fingerprint is stored there, and tell you if it matches. So let's set that up. I need to add an SSHFP record to the DNS for s0.barwen.ch. On host fubar (without needing to be root):

$ ssh-keygen -r s0.barwen.ch
s0.barwen.ch IN SSHFP 1 1 560f08c1687a60e62a65ef427e63698ae1797d6f
s0.barwen.ch IN SSHFP 2 1 4ef38fd457d0afec50ca21eacb771f724e6d7236
So those are the records to add to barwen.ch's DNS. (btw, vim on my machine doesn't like SSHFP records and highlights everything red - eww)
Now wait for DNS to settle, and when I connect for the first time, I get a different message (my emphasis).
The authenticity of host 's0.barwen.ch (192.168.55.55)' can't be established. RSA key fingerprint is 9e:81:ab:cb:2a:ad:26:2f:10:ed:dd:5c:55:dd:ea:58. Matching host key fingerprint found in DNS. Are you sure you want to continue connecting (yes/no)?
Cool.
You might need to set the client option VerifyHostKeyDNS ask in your ~/.ssh/config - if you really trust DNS, you can set it to yes instead, and it won't even ask you when there's an SSHFP record present. You can try this yourself, even without a user account, because host key verification happens before user authentication:

ssh -o 'VerifyHostKeyDNS ask' s0.barwen.ch
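To show what ssh-keygen -r and the client's DNS check are actually doing, here is an added example (my own code, not part of the original post or OpenSSH) that builds SSHFP records from a public key line and checks a retrieved record against a presented key. It goes a little beyond the output above by also emitting fingerprint type 2 (SHA-256, RFC 6594) and knowing the ECDSA and Ed25519 algorithm numbers; the key blob it hashes is a constructed, syntactically valid ssh-rsa blob, not a real host key.

```python
import base64
import hashlib
import struct

# OpenSSH key type -> SSHFP algorithm number (RFC 4255, 6594, 7479).
SSHFP_ALGORITHM = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                   "ssh-ed25519": 4}
# SSHFP fingerprint type -> hash: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594).
SSHFP_FPTYPE = {1: hashlib.sha1, 2: hashlib.sha256}


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length prefix)."""
    return struct.pack(">I", len(data)) + data


def sshfp_records(owner: str, pubkey_line: str) -> list:
    """Build the SSHFP RRs for one key, like `ssh-keygen -r owner` does.
    pubkey_line is "<keytype> <base64 blob> [comment]"; the fingerprint is
    the hash of the raw decoded blob."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    algo = SSHFP_ALGORITHM[keytype]
    return [f"{owner} IN SSHFP {algo} {fptype} {h(blob).hexdigest()}"
            for fptype, h in SSHFP_FPTYPE.items()]


def matches_sshfp(record: str, pubkey_line: str) -> bool:
    """The comparison VerifyHostKeyDNS performs: does this SSHFP record
    describe the key the server just presented? Algorithm, fingerprint
    type and hex digest must all agree."""
    fields = record.split()
    algo, fptype, fp_hex = int(fields[-3]), int(fields[-2]), fields[-1].lower()
    keytype, b64 = pubkey_line.split()[:2]
    if SSHFP_ALGORITHM.get(keytype) != algo or fptype not in SSHFP_FPTYPE:
        return False
    return SSHFP_FPTYPE[fptype](base64.b64decode(b64)).hexdigest() == fp_hex


# Constructed sample key (NOT a real host key): wire-format ssh-rsa blob is
# string "ssh-rsa", mpint e, mpint n; tiny values are enough to exercise it.
SAMPLE_BLOB = (ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01")
               + ssh_string(b"\x00\xc0\xff\xee"))
SAMPLE_KEY = "ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode() + " sample"

if __name__ == "__main__":
    for rr in sshfp_records("s0.barwen.ch", SAMPLE_KEY):
        print(rr)
```

Without DNSSEC the record is only as trustworthy as the resolver path, which is why the post suggests VerifyHostKeyDNS ask rather than yes.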