hostkeydns

package module
v1.0.0

This package is not in the latest version of its module.
Published: Feb 23, 2023 License: ISC Imports: 8 Imported by: 1

README

hostkeydns

import "suah.dev/hostkeydns"

Package hostkeydns facilitates verifying remote SSH host keys using DNS and SSHFP resource records.

Index

func CheckDNSSecHostKey

func CheckDNSSecHostKey(dr DNSSecResolvers) ssh.HostKeyCallback

CheckDNSSecHostKey checks a host key against DNSSEC SSHFP records.

Example

package main

import (
	"golang.org/x/crypto/ssh"
	"suah.dev/hostkeydns"
)

func main() {
	// Look up SSHFP records through Google's public resolver over TCP on port 53.
	dnsConf := hostkeydns.DNSSecResolvers{
		Servers: []string{
			"8.8.8.8",
		},
		Port: "53",
		Net:  "tcp",
	}
	// The host key presented by the server is verified against the host's
	// DNSSEC SSHFP records instead of a known_hosts file.
	config := &ssh.ClientConfig{
		HostKeyCallback: hostkeydns.CheckDNSSecHostKey(dnsConf),
	}
	_, _ = ssh.Dial("tcp", "github.com:22", config)
}

func CheckDNSSecHostKeyEZ

func CheckDNSSecHostKeyEZ(res string) ssh.HostKeyCallback

CheckDNSSecHostKeyEZ checks a host key against DNSSEC SSHFP records using preconfigured name servers. Options are:

- "quad9": https://www.quad9.net/.
- "google": Google's public name servers.
- "system": Use the system resolver (Unix-like systems only at the moment).

Example

package main

import (
	"golang.org/x/crypto/ssh"
	"suah.dev/hostkeydns"
)

func main() {
	// Same check as CheckDNSSecHostKey, using the preconfigured Quad9 resolvers.
	config := &ssh.ClientConfig{
		HostKeyCallback: hostkeydns.CheckDNSSecHostKeyEZ("quad9"),
	}
	_, _ = ssh.Dial("tcp", "github.com:22", config)
}

type DNSSecResolvers

DNSSecResolvers exposes configuration options for resolving hostnames using DNSSEC. Success is called when the host key's fingerprint matches an SSHFP record. Net can be one of "tcp", "tcp-tls" or "udp".

If set, HostKeyAlgorithms restricts matching to _only_ the algorithms listed. The format of the strings matches that of OpenSSH ("ssh-ed25519" for example).

type DNSSecResolvers struct {
    Servers           []string
    Port              string
    Net               string
    Success           func(key ssh.PublicKey)
    HostKeyAlgorithms []string
}

Generated by gomarkdoc
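The matching step that CheckDNSSecHostKey performs after the DNSSEC lookup, shown as an added stand-alone example that is not the package's own code: an SSHFP record's fingerprint is compared against the hash of the presented host key's wire-format blob, and a non-empty allowed list plays the role of HostKeyAlgorithms. The key blob is a constructed placeholder, and the DNSSEC resolution itself is assumed to have already happened.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// SSHFP holds one record's RDATA (RFC 4255, RFC 6594): Algorithm 1=RSA,
// 2=DSA, 3=ECDSA, 4=Ed25519; Type 1=SHA-1, 2=SHA-256; Fingerprint is hex.
type SSHFP struct {
	Algorithm, Type uint8
	Fingerprint     string
}

// sshfpAlgorithm maps OpenSSH key type names (HostKeyAlgorithms format) to SSHFP numbers.
var sshfpAlgorithm = map[string]uint8{"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3, "ssh-ed25519": 4}

// FingerprintSHA256 is the SSHFP type-2 fingerprint of a wire-format key blob
// (the base64-decoded field of an authorized_keys or known_hosts line).
func FingerprintSHA256(keyBlob []byte) string {
	sum := sha256.Sum256(keyBlob)
	return hex.EncodeToString(sum[:])
}

// MatchSSHFP reports whether the presented host key matches a SHA-256 SSHFP record
// (SHA-1 records are ignored). A non-empty allowed list restricts accepted key types,
// as HostKeyAlgorithms does. Records are assumed to come from a DNSSEC-validating resolver.
func MatchSSHFP(keyType string, keyBlob []byte, records []SSHFP, allowed []string) bool {
	permitted := len(allowed) == 0
	for _, a := range allowed {
		permitted = permitted || a == keyType
	}
	if alg, known := sshfpAlgorithm[keyType]; permitted && known {
		want := FingerprintSHA256(keyBlob)
		for _, r := range records {
			if r.Algorithm == alg && r.Type == 2 && strings.EqualFold(r.Fingerprint, want) {
				return true
			}
		}
	}
	return false
}

func main() {
	blob := []byte("constructed stand-in for a wire-format ssh-ed25519 host key blob")
	rec := SSHFP{Algorithm: 4, Type: 2, Fingerprint: FingerprintSHA256(blob)}
	fmt.Println(MatchSSHFP("ssh-ed25519", blob, []SSHFP{rec}, []string{"ssh-rsa"})) // false
}
```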

