https://github.com/qbit/hostkeydns

Library for verifying remote ssh keys using DNS and SSHFP resource records.
README

# hostkeydns

```go
import "suah.dev/hostkeydns"
```

Package hostkeydns facilitates verifying remote ssh keys using DNS and SSHFP resource records.

## Index

- [func CheckDNSSecHostKey(dr DNSSecResolvers) ssh.HostKeyCallback](<#func-checkdnssechostkey>)
- [func CheckDNSSecHostKeyEZ(res string) ssh.HostKeyCallback](<#func-checkdnssechostkeyez>)
- [type DNSSecResolvers](<#type-dnssecresolvers>)

## func CheckDNSSecHostKey

```go
func CheckDNSSecHostKey(dr DNSSecResolvers) ssh.HostKeyCallback
```

CheckDNSSecHostKey checks a host key against DNSSEC-validated SSHFP records, using the resolvers given in `dr`.

Example

```go
package main

import (
	"log"

	"golang.org/x/crypto/ssh"
	"suah.dev/hostkeydns"
)

func main() {
	// Resolve SSHFP records over TCP through the given DNSSEC-validating name server.
	dnsConf := hostkeydns.DNSSecResolvers{
		Servers: []string{
			"8.8.8.8",
		},
		Port: "53",
		Net:  "tcp",
	}
	config := &ssh.ClientConfig{
		// The callback rejects the connection when no SSHFP record matches the host key.
		HostKeyCallback: hostkeydns.CheckDNSSecHostKey(dnsConf),
	}
	// A host key that does not match any SSHFP record surfaces here as a Dial error.
	_, err := ssh.Dial("tcp", "github.com:22", config)
	if err != nil {
		log.Fatal(err)
	}
}
```

## func CheckDNSSecHostKeyEZ

```go
func CheckDNSSecHostKeyEZ(res string) ssh.HostKeyCallback
```

CheckDNSSecHostKeyEZ checks a host key against DNSSEC-validated SSHFP records using preconfigured name servers. Options are:

- "quad9": https://www.quad9.net/.
- "google": Google's public name servers.
- "system": use the system resolver (*nix only atm).

Example

```go
package main

import (
	"log"

	"golang.org/x/crypto/ssh"
	"suah.dev/hostkeydns"
)

func main() {
	config := &ssh.ClientConfig{
		// Use the preconfigured Quad9 resolvers for the DNSSEC SSHFP lookup.
		HostKeyCallback: hostkeydns.CheckDNSSecHostKeyEZ("quad9"),
	}
	// A host key that does not match any SSHFP record surfaces here as a Dial error.
	_, err := ssh.Dial("tcp", "github.com:22", config)
	if err != nil {
		log.Fatal(err)
	}
}
```

## type DNSSecResolvers

DNSSecResolvers exposes configuration options for resolving hostnames using DNSSEC. Success, if set, is called when the host key matches an SSHFP record. Net can be one of "tcp", "tcp-tls" or "udp".

If set, HostKeyAlgorithms restricts matching to _only_ the algorithms listed. The strings use OpenSSH's format ("ssh-ed25519", for example).

```go
type DNSSecResolvers struct {
	Servers           []string           // name servers to query
	Port              string             // port on those servers, e.g. "53"
	Net               string             // "tcp", "tcp-tls" or "udp"
	Success           func(key ssh.PublicKey) // optional; called on a matching SSHFP record
	HostKeyAlgorithms []string           // optional; restrict matching to these OpenSSH key types
}
```
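The matching step that sits behind such a callback, as an added example rather than hostkeydns's own code: it builds the SSH wire blob that `ssh.PublicKey.Marshal` returns for an Ed25519 key, digests that blob the way an SSHFP record does, checks the record's algorithm number against the key type, and applies a HostKeyAlgorithms-style restriction. The `SSHFP` struct, `Ed25519HostKeyBlob`, `MatchSSHFP` and the demo key are assumptions; only the standard library is used, and the DNSSEC lookup itself is not shown.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// SSHFP holds one record's RDATA: algorithm number, digest type and digest (RFC 4255).
type SSHFP struct {
	Alg, FPType uint8
	Fingerprint []byte
}

// sshfpAlgs maps SSHFP algorithm numbers to OpenSSH key types (ECDSA, number 3, is left out here).
var sshfpAlgs = map[uint8]string{1: "ssh-rsa", 2: "ssh-dss", 4: "ssh-ed25519"}

// Ed25519HostKeyBlob returns the wire encoding (length-prefixed "ssh-ed25519", then the
// length-prefixed key): the exact bytes an SSHFP digest is computed over.
func Ed25519HostKeyBlob(pub ed25519.PublicKey) []byte {
	var blob []byte
	for _, s := range [][]byte{[]byte("ssh-ed25519"), pub} {
		blob = binary.BigEndian.AppendUint32(blob, uint32(len(s)))
		blob = append(blob, s...)
	}
	return blob
}

// MatchSSHFP reports whether blob matches rec; a non-empty allowed set acts like HostKeyAlgorithms.
func MatchSSHFP(rec SSHFP, blob []byte, allowed map[string]bool) bool {
	if len(blob) < 4 || binary.BigEndian.Uint32(blob) > uint32(len(blob)-4) {
		return false // malformed blob
	}
	keyType := string(blob[4 : 4+binary.BigEndian.Uint32(blob)])
	if sshfpAlgs[rec.Alg] != keyType || rec.FPType != 2 {
		return false // algorithm mismatch, or a digest type we do not accept (SHA-256 only)
	}
	if len(allowed) > 0 && !allowed[keyType] {
		return false // key type excluded by HostKeyAlgorithms
	}
	sum := sha256.Sum256(blob)
	return bytes.Equal(sum[:], rec.Fingerprint)
}

func main() {
	blob := Ed25519HostKeyBlob(ed25519.NewKeyFromSeed(make([]byte, 32)).Public().(ed25519.PublicKey)) // constructed demo key
	sum := sha256.Sum256(blob)
	fmt.Println(MatchSSHFP(SSHFP{4, 2, sum[:]}, blob, nil), MatchSSHFP(SSHFP{4, 2, sum[:]}, blob, map[string]bool{"ssh-rsa": true}))
}
```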

Generated by gomarkdoc.