Automatically create SSHFP records on Cloudflare DNS
Just spent a couple of hours writing a script to automatically add SSHFP records to Cloudflare DNS. I'd never used Cloudflare's API before, so it was a useful learning project.
You can get the script from my dotfiles repository.
If you aren't familiar with SSHFP DNS records, they store information about an SSH server's keys in DNS (algorithm, type & fingerprint). Each time you ssh
to the server, its keys are compared to those in DNS and a warning is issued if they don't match.
SSHFP records provide some protection against man-in-the-middle attacks, but I've rarely used them because they are annoying to manually add.
I recommend adding these settings to your ~/.ssh/config
:
Host *
StrictHostKeyChecking accept-new
VerifyHostKeyDNS yes
Run it like this:
❯ sshfp2cf.sh mahoe.xample.nz
info: found ssh keys at mahoe.xample.nz:22
deleting existing sshfp record for mahoe.xample.nz (fd157edccf68b6aa428b88de309b9be5)
deleting existing sshfp record for mahoe.xample.nz (2e7f2084a43c2f45f7ad30cf22fbeea7)
created sshfp record for mahoe.xample.nz (4 1 8f5984bc3111ad935b5c5c717a38d96878ef4a3f)
created sshfp record for mahoe.xample.nz (4 2 e81d784647660a98bb8e2c3e3d16d83d450e135a265c6bbf8ecb823bad8337bc)
And then you can see if it's working like this:
❯ ssh -v mahoe.xample.nz
OpenSSH_9.0p1, LibreSSL 3.3.6
[...]
debug1: Server host key: ssh-ed25519 SHA256:6B14RkdmCpi7jiw+PRbYPUUOE1omXGu/jsuCO62DN7w
debug1: found 2 insecure fingerprints in DNS
debug1: verify_host_key_dns: matched SSHFP type 4 fptype 1
debug1: verify_host_key_dns: matched SSHFP type 4 fptype 2
debug1: matching host key fingerprint found in DNS
[...]
Linux mahoe 6.1.0-2-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.7-1 (2023-01-18) x86_64
Hope it might be useful to someone else.