hostkeydns

import "suah.dev/hostkeydns"

Package hostkeydns facilitates verifying remote SSH host keys using DNS and SSHFP resource records.

Index

func CheckDNSSecHostKey

func CheckDNSSecHostKey(dr DNSSecResolvers) ssh.HostKeyCallback

CheckDNSSecHostKey checks a host key against DNSSEC SSHFP records.

Example

package main

import (
	"log"

	"golang.org/x/crypto/ssh"
	"suah.dev/hostkeydns"
)

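// main dials github.com:22 and verifies the presented host key against
// SSHFP records fetched through the configured name server. The dial
// error is not discarded: a host key that has no matching SSHFP record
// is reported by ssh.Dial as an error, so dropping it would hide exactly
// the failure this package exists to surface.
func main() {
	dnsConf := hostkeydns.DNSSecResolvers{
		Servers: []string{
			"8.8.8.8",
		},
		Port: "53",
		// NOTE(review): "tcp-tls" is also accepted for Net (see DNSSecResolvers).
		// Whether the library validates DNSSEC itself or trusts the resolver's
		// answer is not visible here; confirm before relying on plaintext "tcp".
		Net: "tcp",
	}
	config := &ssh.ClientConfig{
		HostKeyCallback: hostkeydns.CheckDNSSecHostKey(dnsConf),
	}
	client, err := ssh.Dial("tcp", "github.com:22", config)
	if err != nil {
		log.Fatalf("dialing github.com:22: %v", err)
	}
	// Close the connection so the example does not leak it.
	defer client.Close()
}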

func CheckDNSSecHostKeyEZ

func CheckDNSSecHostKeyEZ(res string) ssh.HostKeyCallback

CheckDNSSecHostKeyEZ checks a host key against DNSSEC SSHFP records using preconfigured name servers. Options are:

- "quad9": https://www.quad9.net/
- "google": Google's public name servers.
- "system": use the system resolver (*nix only at the moment).

Example

package main

import (
	"log"

	"golang.org/x/crypto/ssh"
	"suah.dev/hostkeydns"
)

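// main dials github.com:22 and verifies the presented host key against
// SSHFP records using the preconfigured "quad9" resolver. The dial error
// is checked rather than discarded, because a host key without a matching
// SSHFP record is reported by ssh.Dial as an error.
func main() {
	config := &ssh.ClientConfig{
		HostKeyCallback: hostkeydns.CheckDNSSecHostKeyEZ("quad9"),
	}
	client, err := ssh.Dial("tcp", "github.com:22", config)
	if err != nil {
		log.Fatalf("dialing github.com:22: %v", err)
	}
	// Close the connection so the example does not leak it.
	defer client.Close()
}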

type DNSSecResolvers

DNSSecResolvers exposes configuration options for resolving hostnames using DNSSEC. Success is called when a host key fingerprint matches an SSHFP record. Net can be one of "tcp", "tcp-tls" or "udp".

If set, HostKeyAlgorithms restricts matching to _only_ the algorithms listed. The format of the strings matches that of OpenSSH ("ssh-ed25519", for example).

// DNSSecResolvers configures how SSHFP records are looked up over DNSSEC
// and what happens when a presented host key matches one of them.
type DNSSecResolvers struct {
    // Servers lists the name servers to query (the example uses "8.8.8.8").
    Servers           []string
    // Port is the port the name servers listen on (the example uses "53").
    Port              string
    // Net is the transport to the name servers: "tcp", "tcp-tls" or "udp".
    Net               string
    // Success is called when a host key fingerprint matches an SSHFP record;
    // presumably key is the matching host key — confirm against the implementation.
    Success           func(key ssh.PublicKey)
    // HostKeyAlgorithms, if set, restricts matching to only the listed
    // algorithms, named as OpenSSH does (e.g. "ssh-ed25519").
    HostKeyAlgorithms []string
}
