2014-09-17 6 views
0

I have a DNSSEC zone and I want to publish my ssh keys using SSHFP. Why don't my SSHFP records match?

So, on the host that has the keys, I run

ssh-keygen -r localhost 

which gives me:

localhost IN SSHFP 1 1 223458a4e3f4cae23a2365a127a9fc5dbfc4df0b 
localhost IN SSHFP 1 2 cf04e11c129c465e90afc3fc68b0a9c6f256e7c3dc2f0ef0d61557f5848cc2bb 

I then put these in my DNSSEC zone (with the correct hostname, obviously), re-sign the zone and check with dig. Everything looks fine.

[email protected]:~$ ssh -v -o VerifyHostKeyDNS=yes host 
    OpenSSH_6.6.1, OpenSSL 1.0.1i 6 Aug 2014 
    debug1: Reading configuration data /home/stephane/.ssh/config 
    debug1: /home/stephane/.ssh/config line 1: Applying options for host 
    debug1: Reading configuration data /etc/ssh/ssh_config 
    debug1: /etc/ssh/ssh_config line 19: Applying options for * 
    debug1: Connecting to host [2001:16d8:d0:205::5] 
    debug1: Connection established. 
    debug1: identity file /home/stephane/.ssh/id_rsa type 1 
    debug1: identity file /home/stephane/.ssh/id_rsa-cert type -1 
    debug1: identity file /home/stephane/.ssh/id_dsa type -1 
    debug1: identity file /home/stephane/.ssh/id_dsa-cert type -1 
    debug1: identity file /home/stephane/.ssh/id_ecdsa type -1 
    debug1: identity file /home/stephane/.ssh/id_ecdsa-cert type -1 
    debug1: identity file /home/stephane/.ssh/id_ed25519 type -1 
    debug1: identity file /home/stephane/.ssh/id_ed25519-cert type -1 
    debug1: Enabling compatibility mode for protocol 2.0 
    debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Debian-7 
    debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6 
    debug1: match: OpenSSH_6.6 pat OpenSSH_6.5*,OpenSSH_6.6* compat 0x14000000 
    debug1: SSH2_MSG_KEXINIT sent 
    debug1: SSH2_MSG_KEXINIT received 
    debug1: kex: server->client aes128-ctr [email protected]ssh.com none 
    debug1: kex: client->server aes128-ctr [email protected] none 
    debug1: sending SSH2_MSG_KEX_ECDH_INIT 
    debug1: expecting SSH2_MSG_KEX_ECDH_REPLY 
    debug1: Server host key: ECDSA 4d:57:c1:77:2d:cf:6b:46:d4:83:24:3c:b7:d4:0d:67 
    debug1: found 4 insecure fingerprints in DNS 
    debug1: mismatching host key fingerprint found in DNS 
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ 
    @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!  @ 
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ 
    IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! 
    Someone could be eavesdropping on you right now (man-in-the-middle attack)! 
    It is also possible that a host key has just been changed. 
    The fingerprint for the ECDSA key sent by the remote host is 
    4d:57:c1:77:2d:cf:6b:46:d4:83:24:3c:b7:d4:0d:67. 
    Please contact your system administrator. 
    Update the SSHFP RR in DNS with the new host key to get rid of this message. 
    debug1: checking without port identifier 
    The authenticity of host '[host] ([2001:16d8:d0:205::5])' can't be established. 
    ECDSA key fingerprint is 4d:57:c1:77:2d:cf:6b:46:d4:83:24:3c:b7:d4:0d:67. 
    No matching host key fingerprint found in DNS. 
    Are you sure you want to continue connecting (yes/no)? 

So why am I getting this? And what is it that ssh queries that is wrong?

I am working on a secure network right now, a local network with direct access to the server. No MITM is possible.

Answer

1

When I created the DNS SSHFP records I didn't notice that I had 3 ssh keys (2 SSHFP per key) whereas there were only 4 SSHFP RRs.

So I generated the SSHFP records one by one from the keys in the ssh directory and compared them with what was in DNS. It turned out the ecdsa key was missing.

So I generated SSHFP records from this key, put them in the zone and signed it. After that, when I tried the ssh connection with VerifyHostKeyDNS, ssh found the correct ssh fingerprint.

cd /etc/ssh 
ls 
ssh_config 
ssh_dsa_key 
ssh_dsa_key.pub 
... 

ssh-keygen -r host -f ssh_host_ecdsa_key
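The comparison the answer describes (generate SSHFP records for every host key, then check each one against the RRset actually published) can be done mechanically. The following is an added example, not code from the question or the answer: it recomputes the records exactly as ssh-keygen -r does, by hashing the base64-decoded key blob from the .pub file with SHA-1 (fingerprint type 1, RFC 4255) and SHA-256 (type 2, RFC 6594), and reports host keys with no matching RR as well as RRs in DNS that match no local key (the latter is what makes ssh print "mismatching host key fingerprint found in DNS"). The hostname "host", the helper names, and the three host keys are assumptions; the keys are constructed dummy blobs with the RFC 4253 wire layout, not real key material, since the record computation only depends on the blob bytes. A separate caveat for anyone reading the -v output above: "found 4 insecure fingerprints in DNS" means the resolver did not return a DNSSEC-validated (AD) answer, so even once the records match, ssh reports "Matching host key fingerprint found in DNS" but still asks for confirmation; only a validating resolver makes the fingerprints "secure".

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479), keyed by the
# key type string at the start of an OpenSSH .pub line.
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}

# SSHFP fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594).
FINGERPRINT_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}


def sshfp_records(hostname, pubkey_line):
    """Return (owner, alg, fptype, hexdigest) tuples for one .pub line,
    the same records `ssh-keygen -r hostname -f key.pub` prints.

    The fingerprint is the hash of the base64-decoded key blob exactly as
    stored in the .pub file, so the blob itself never has to be parsed.
    """
    keytype, b64blob = pubkey_line.split()[:2]
    blob = base64.b64decode(b64blob)
    alg = SSHFP_ALGORITHMS[keytype]
    return [
        (hostname, alg, fptype, hasher(blob).hexdigest())
        for fptype, hasher in sorted(FINGERPRINT_HASHES.items())
    ]


def format_rr(record):
    """Zone-file line for one record, e.g. 'host IN SSHFP 3 2 <hex>'."""
    owner, alg, fptype, digest = record
    return f"{owner} IN SSHFP {alg} {fptype} {digest}"


def parse_sshfp_rrset(text):
    """Parse SSHFP lines from a zone file or from `dig +noall +answer` output.

    Both 'host IN SSHFP 1 1 <hex>' and 'host. 3600 IN SSHFP 1 1 <hex>' are
    accepted; the result is a set of (alg, fptype, lowercase hex) triples,
    which is all that matters for matching.
    """
    rrset = set()
    for line in text.splitlines():
        tokens = line.split()
        if "SSHFP" not in tokens:
            continue  # blank line, comment, or some other RR type
        i = tokens.index("SSHFP")
        alg, fptype = int(tokens[i + 1]), int(tokens[i + 2])
        digest = "".join(tokens[i + 3:]).lower()  # tolerate hex split into groups
        rrset.add((alg, fptype, digest))
    return rrset


def check_coverage(hostname, pubkey_lines, dns_text):
    """Compare the host's keys with the SSHFP RRset published in DNS.

    Returns (missing, stale):
      missing: {keytype: [fptype, ...]} for local host keys with no matching RR
      stale:   (alg, fptype, hex) triples in DNS that match none of the local
               keys, i.e. what triggers "mismatching host key fingerprint"
    """
    published = parse_sshfp_rrset(dns_text)
    missing, matched = {}, set()
    for line in pubkey_lines:
        keytype = line.split()[0]
        for _, alg, fptype, digest in sshfp_records(hostname, line):
            if (alg, fptype, digest) in published:
                matched.add((alg, fptype, digest))
            else:
                missing.setdefault(keytype, []).append(fptype)
    return missing, published - matched


# --- constructed sample data: dummy blobs, not real keys ---

def _ssh_string(data):
    return struct.pack(">I", len(data)) + data


def constructed_pubkey(keytype, *fields):
    """Build a .pub line whose blob has the RFC 4253 layout for keytype.
    The field contents are dummy bytes; SSHFP hashes the blob as-is."""
    blob = _ssh_string(keytype.encode()) + b"".join(_ssh_string(f) for f in fields)
    return f"{keytype} {base64.b64encode(blob).decode()} root@host"


HOST_KEYS = [
    constructed_pubkey("ssh-rsa", b"\x01\x00\x01", b"\x00" + bytes(range(1, 65))),
    constructed_pubkey("ssh-dss", bytes(range(1, 65)), bytes(range(20)),
                       bytes(range(2, 66)), bytes(range(3, 67))),
    constructed_pubkey("ecdsa-sha2-nistp256", b"nistp256", b"\x04" + bytes(range(64))),
]

# The situation in the question: records for only two of the three keys
# (4 RRs), the ECDSA key's records never having been generated.
ZONE_MISSING_ECDSA = "\n".join(
    format_rr(r) for key in HOST_KEYS[:2] for r in sshfp_records("host", key)
)

# After the fix: one RR per (key, hash type), i.e. 6 RRs for 3 keys.
ZONE_COMPLETE = "\n".join(
    format_rr(r) for key in HOST_KEYS for r in sshfp_records("host", key)
)


if __name__ == "__main__":
    missing, stale = check_coverage("host", HOST_KEYS, ZONE_MISSING_ECDSA)
    print("missing from DNS:", missing)  # {'ecdsa-sha2-nistp256': [1, 2]}
    print("stale in DNS:", stale)        # set()
    print(ZONE_COMPLETE)
```

On a real host, feed `check_coverage` the contents of every /etc/ssh/ssh_host_*_key.pub and the output of `dig +noall +answer host SSHFP` (also add `+dnssec` and look for the ad flag to confirm the answer validates); a non-empty `stale` set after a key rotation points at the old RRs that still need removing.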