Make ssh’s VerifyHostKeyDNS work on OSX as it should

Finaly there is MacOS X Yosemite.
With it hopefully an update of the default openssh client app i thought. After installing the update i had to admit, i was wrong. Same old OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011 as in Maverics. With the same old bug (??) mentioned here, where adding -o VerifyHostKeyDNS=yes leads to

DNS lookup error: general failure
No matching host key fingerprint found in DNS.

That’s not nice. I do want to use SSHFP, partly because i think its a nice feature, partly because i hardly ever check the fingerprints of my hosts.

So lets fix OS X ssh client, shall we.

Key is building a new version of openssh. The easiest way to do so is using Homebrew. So install brew, if you havent allready.
After wards we need to add the ‘brew recipes’ for software thats already on a mac by default. This is done by
brew tap homebrew/dupes.
Half way there, secound step is to build openssh. We’ll build it with a few extra options. Worth to be mentioned is --with-ldns. As Jan-Piet Mens explains in his intresting post VerifyHostKeyDNS=yessssss using ldns is mainly about openssh being able to make sure valid dnssec is used for the record, and therefor not bothering you if there is a valid key as a SSHFP record secured by dnssec.
Openssh is build by
brew install openssh --with-brewed-openssl --with-keychain-support --with-ldns
Afterwards just follow the instructions given by brew:

For complete functionality, please modify:
/System/Library/LaunchAgents/org.openbsd.ssh-agent.plist
and change ProgramArguments from
/usr/bin/ssh-agent
to
#{HOMEBREW_PREFIX}/bin/ssh-agent
Finally, add these lines somewhere to your ~/.bash_profile:
eval $(ssh-agent)
function cleanup {
echo "Killing SSH-Agent"
kill -9 $SSH_AGENT_PID
}
trap cleanup EXIT

\o/ We are done, ssh with -o VerifyHostKeyDNS=yes will work smoothly and hardly ever confirmed known_host-file hashes should be history.

This entry was posted in Technik and tagged , , , , , , , . Bookmark the permalink.

2 Responses to Make ssh’s VerifyHostKeyDNS work on OSX as it should

  1. Marco Davids says:

    Great post, this is what I was looking for, thanks!

  2. Jan says:

    Nice, thanks!

Leave a Reply

Your email address will not be published. Required fields are marked *