Provided by: sshfp_1.2.2-5_all

NAME
       sshfp - Generate SSHFP DNS records from knownhosts files or ssh-keyscan

SYNOPSIS
       sshfp [-k <knownhosts_file>] [-d] [-a] | [<host1> [host2 ...]]

       sshfp -s [-p <port>] [-d] <-a> [-n <nameserver>] <domain1> [domain2] | <host1> [host2 ...]

DESCRIPTION
       sshfp generates RFC 4255 SSHFP DNS records from the public keys stored in a known_hosts
       file, which implies the user has previously trusted these keys, or from public keys
       obtained with ssh-keyscan(1). Using ssh-keyscan(1) implies a secure path to the hosts
       being scanned: a key captured through a man-in-the-middle would be published as the host's
       legitimate fingerprint. It also implies trust in the DNS used to obtain the IP addresses of
       the hostnames being scanned. If the nameserver of the domain allows zone transfers (AXFR),
       an entire domain can be processed for all of its A records. Note that RFC 4255 only allows
       clients to rely on SSHFP records that were authenticated with DNSSEC, so the generated
       records belong in a signed zone.

OPTIONS
       -s / --scan <hostname1> [hostname2 ...]
           Scan hosts or a domain for public SSH keys using ssh-keyscan(1).

       -k / --knownhosts <knownhosts_file> <hostname1> [hostname2 ...]
           Obtain public SSH keys from a known_hosts file. Defaults to ~/.ssh/known_hosts.

       -a / --all
           Scan all hosts in the known_hosts file when used with -k. When used with -s, attempt a
           zone transfer (AXFR) to obtain all A records of the domain specified.

       -d / --trailing-dot
           Add a trailing dot to the hostname in the SSHFP records. It is not possible to
           determine whether a known_hosts entry or DNS query is for a FQDN or for a short name
           (eg www), unless a whole domain is scanned with -s -a, in which case a trailing dot is
           always appended. Non-FQDN names have the search domain from /etc/resolv.conf appended
           by the resolver. Such non-FQDN names occur when sshfp is given a short name (eg sshfp
           -k www) or when known_hosts entries were created by running ssh www.sub, where the
           rest of the domain is implied. When -d is used, all hostnames that do not already end
           with a dot and that contain at least two labels (eg www.sub, but not www) get a
           trailing dot. Without the dot, a zone file treats the name as relative to its $ORIGIN.
           Note that the output of sshfp can also just be edited manually to add trailing dots.

       -o / --output <filename>
           Write to filename instead of stdout.

       -p / --port <portnumber>
           Use portnumber for scanning. Note that port numbers do NOT appear in SSHFP records; a
           key scanned on a non-standard port is published under the plain hostname.

       -h / --help
           Output help information and exit.

       -v / --version
           Output version information and exit.

       -q / --quiet
           Output less miscellany to stderr.


REQUIRES
       sshfp requires python-dns.

       Fedora: yum install python-dns

       Debian: apt-get install python-dnspython

BUGS
       If a domain contains non-working glue A records, ssh-keyscan aborts instead of skipping
       the single broken entry.

       This program can look up hashed hostnames in a known_hosts file if a recent-enough
       ssh-keygen is present (ssh-keygen -F can search hashed entries, since the hostname itself
       cannot be recovered from the hash).
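       The following is an added example, not code from the sshfp package. It shows the work
       described above in plain Python: parsing known_hosts / ssh-keyscan lines (including the
       [host]:port form, whose port is dropped because SSHFP records carry none), the -d
       trailing-dot rule, the HMAC-SHA1 check behind hashed known_hosts entries, and the record
       layout of RFC 4255. It goes beyond the RFC 4255 codepoints the page mentions by also
       accepting the ECDSA/SHA-256 (RFC 6594) and Ed25519 (RFC 7479) values. All hostnames,
       the salt and the key blobs are constructed sample data, not real hosts or host keys.

```python
"""Build RFC 4255 SSHFP records from known_hosts / ssh-keyscan lines.
Added example, not sshfp's own code; all sample input below is constructed."""
import base64
import hashlib
import hmac
import re

# Algorithm numbers: RFC 4255 defines RSA=1 and DSA=2; RFC 6594 added ECDSA=3 and
# RFC 7479 Ed25519=4.  Fingerprint types: SHA-1=1 (RFC 4255), SHA-256=2 (RFC 6594).
KEY_ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                  "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
FP_TYPES = {"sha1": 1, "sha256": 2}

BRACKET_PORT = re.compile(r"^\[(.+)\]:\d+$")   # OpenSSH form for non-default ports
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")  # IP aliases make no sense as owner names


def normalize_host(name, trailing_dot=False):
    """Drop the [host]:port wrapper (ports never appear in SSHFP records) and, like
    sshfp -d, add a trailing dot only to names with at least two labels; a bare
    'www' stays relative so the zone file's $ORIGIN completes it."""
    m = BRACKET_PORT.match(name)
    if m:
        name = m.group(1)
    if trailing_dot and "." in name and not name.endswith("."):
        name += "."
    return name


def hash_hostname(hostname, salt):
    """OpenSSH 'HashKnownHosts yes' form: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def hashed_entry_matches(field, hostname):
    """The check ssh-keygen -F performs: recompute the HMAC with the entry's salt.
    The hostname cannot be recovered from the hash; a candidate must be supplied."""
    if not field.startswith("|1|"):
        return False
    _, _, salt_b64, mac_b64 = field.split("|", 3)
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(mac_b64)
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(mac, expected)


def fingerprint(key_b64, fp_algo):
    """Hex digest over the base64-decoded public key blob, which is what SSHFP hashes."""
    return hashlib.new(fp_algo, base64.b64decode(key_b64, validate=True)).hexdigest()


def sshfp_records(lines, hosts=None, trailing_dot=False, fp_algos=("sha1", "sha256")):
    """One SSHFP record per key per fingerprint type.  `hosts` limits output to
    those names and is the only way hashed entries can be emitted.  IP-address
    aliases, unknown key types and malformed keys are skipped."""
    records = []
    for line in lines:
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):          # @cert-authority / @revoked markers
            fields = fields[1:]
        if len(fields) < 3 or fields[1] not in KEY_ALGORITHMS:
            continue
        namefield, keytype, key_b64 = fields[:3]
        try:
            digests = {a: fingerprint(key_b64, a) for a in fp_algos}
        except ValueError:                     # binascii.Error is a ValueError
            continue
        if namefield.startswith("|1|"):
            names = [h for h in (hosts or []) if hashed_entry_matches(namefield, h)]
        else:
            names = [n for n in namefield.split(",") if not IPV4.match(n)]
            if hosts:
                names = [n for n in names if normalize_host(n) in hosts]
        for name in names:
            owner = normalize_host(name, trailing_dot)
            for a in fp_algos:
                records.append("%s IN SSHFP %d %d %s"
                               % (owner, KEY_ALGORITHMS[keytype], FP_TYPES[a], digests[a]))
    return records


def constructed_blob(keytype, payload):
    """SSH wire-format public key (two length-prefixed strings); sample data only."""
    enc = lambda b: len(b).to_bytes(4, "big") + b
    return base64.b64encode(enc(keytype.encode()) + enc(payload)).decode()


SAMPLE_KEY = constructed_blob("ssh-ed25519", bytes(range(32)))   # not a real key
SAMPLE_LINES = [                                # constructed known_hosts content
    "# not real host keys",
    "www.example.com,192.0.2.10 ssh-ed25519 " + SAMPLE_KEY,
    "[git.example.com]:2222 ssh-ed25519 " + SAMPLE_KEY + " scanned-on-port-2222",
    "bastion ssh-rsa not*valid*base64",
    hash_hostname("db.example.com", b"0123456789abcdef0123") + " ssh-ed25519 " + SAMPLE_KEY,
]

if __name__ == "__main__":
    # db.example.com is hashed, so it is only emitted when asked for by name.
    for rec in sshfp_records(SAMPLE_LINES, hosts=["db.example.com"], trailing_dot=True):
        print(rec)
```

       Running it without hosts= prints four records (SHA-1 and SHA-256 for www.example.com
       and git.example.com); the hashed db.example.com entry and the malformed bastion key
       produce nothing, which mirrors why sshfp needs ssh-keygen for hashed files.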

EXAMPLES
       Typical usage:

       sshfp (implies -k -a)

       sshfp -a -d (implies -k)

       sshfp -k (from known_hosts)

       sshfp -s (from a scan to the host)

       sshfp -k ~paul/.ssh/known_hosts -o /tmp/mysshfp.txt

       sshfp -a -d -d -n >> /var/named/primary/

SEE ALSO
       ssh-keyscan(1), ssh(1) and RFC 4255

AUTHORS
       Paul Wouters, Jacob Appelbaum, James Brown

COPYRIGHT
       Copyright 2006-2010 Xelerance Corporation

       This program is free software; you can redistribute it and/or modify it under the terms of
       the GNU General Public License as published by the Free Software Foundation; either
       version 2 of the License, or (at your option) any later version.

       This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
       without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
       See the GNU General Public License (file COPYING in the distribution) for more details.