Documentation
Overview
Package hostkeydns facilitates verifying remote ssh keys using DNS and SSHFP resource records.
Constants
This section is empty.
Variables
This section is empty.
Functions
func CheckDNSSecHostKey
func CheckDNSSecHostKey(dr DNSSecResolvers) ssh.HostKeyCallback
CheckDNSSecHostKey returns an ssh.HostKeyCallback that checks the remote host key against DNSSEC-validated SSHFP records, using the resolvers described by dr.
Example

```go
package main

import (
	"golang.org/x/crypto/ssh"

	"suah.dev/hostkeydns"
)

func main() {
	// Resolve SSHFP records over TCP via the given name server.
	dnsConf := hostkeydns.DNSSecResolvers{
		Servers: []string{
			"8.8.8.8",
		},
		Port: "53",
		Net:  "tcp",
	}
	// The callback rejects the connection unless a DNSSEC-validated SSHFP record matches the host key.
	config := &ssh.ClientConfig{
		HostKeyCallback: hostkeydns.CheckDNSSecHostKey(dnsConf),
	}
	_, _ = ssh.Dial("tcp", "github.com:22", config)
}
```
func CheckDNSSecHostKeyEZ
func CheckDNSSecHostKeyEZ(res string) ssh.HostKeyCallback
CheckDNSSecHostKeyEZ returns an ssh.HostKeyCallback that checks the remote host key against DNSSEC-validated SSHFP records using a preconfigured set of name servers. Valid values for res are:
- "quad9": https://www.quad9.net/.
- "google": Google's public name servers.
- "system": use the system resolver (*nix only for now).
Example

```go
package main

import (
	"golang.org/x/crypto/ssh"

	"suah.dev/hostkeydns"
)

func main() {
	// Same check as CheckDNSSecHostKey, with Quad9 as the preconfigured resolver.
	config := &ssh.ClientConfig{
		HostKeyCallback: hostkeydns.CheckDNSSecHostKeyEZ("quad9"),
	}
	_, _ = ssh.Dial("tcp", "github.com:22", config)
}
```
Types
type DNSSecResolvers

```go
type DNSSecResolvers struct {
	Servers           []string
	Port              string
	Net               string
	Success           func(key ssh.PublicKey)
	HostKeyAlgorithms []string
}
```
DNSSecResolvers exposes the configuration options for resolving SSHFP records with DNSSEC. Success, if set, is called when an SSHFP record matching the host key's fingerprint is found. Net can be one of "tcp", "tcp-tls" or "udp".
If set, HostKeyAlgorithms restricts matching to _only_ the algorithms listed. The strings use the same format as OpenSSH ("ssh-ed25519", for example).
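As an added example (not part of the hostkeydns package), the comparison such a callback has to make once the resolver has returned DNSSEC-validated records: derive the SSHFP RDATA from the host key blob and match it, honouring a HostKeyAlgorithms-style allow-list. It uses only the standard library; sampleKey is a zero-seed key constructed for the example, and the algorithm and fingerprint-type numbers come from RFC 4255, 6594 and 7479 rather than from this page.

```go
package main
import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"strings"
)

// SSHFP algorithm numbers by OpenSSH key type (RFC 4255, 6594, 7479).
var sshfpAlgo = map[string]int{"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3, "ssh-ed25519": 4}

// ed25519Blob builds the SSH wire-format blob (the base64 part of an authorized_keys line): length-prefixed type name, then length-prefixed key.
func ed25519Blob(pub ed25519.PublicKey) []byte {
	var blob []byte
	for _, s := range [][]byte{[]byte("ssh-ed25519"), pub} {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(s)))
		blob = append(append(blob, n[:]...), s...)
	}
	return blob
}

// keyType reads the leading type string from a wire-format blob.
func keyType(blob []byte) string { return string(blob[4 : 4+binary.BigEndian.Uint32(blob[:4])]) }

// sshfpRecord renders the "algo fptype hex" RDATA that ssh-keygen -r publishes; type 2 is SHA-256 over the whole blob.
func sshfpRecord(blob []byte) string {
	sum := sha256.Sum256(blob)
	return fmt.Sprintf("%d 2 %x", sshfpAlgo[keyType(blob)], sum[:])
}

// matchSSHFP matches blob against DNSSEC-validated records; a non-empty allowed list restricts key types like HostKeyAlgorithms does.
func matchSSHFP(blob []byte, records, allowed []string) bool {
	if len(allowed) > 0 && !strings.Contains(","+strings.Join(allowed, ",")+",", ","+keyType(blob)+",") {
		return false
	}
	want := sshfpRecord(blob)
	for _, r := range records {
		if strings.EqualFold(strings.Join(strings.Fields(r), " "), want) {
			return true
		}
	}
	return false
}

// sampleKey is a deterministic key (zero seed) constructed for this example, not a real host's.
var sampleKey = ed25519Blob(ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)).Public().(ed25519.PublicKey))

func main() { fmt.Println(sshfpRecord(sampleKey), matchSSHFP(sampleKey, []string{sshfpRecord(sampleKey)}, nil)) }
```

A record that differs in algorithm number, fingerprint type or digest is rejected, as is a matching record whose key type is outside the allow-list.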