SSH Public Key Fingerprint (SSHFP)

An SSH Public Key Fingerprint (SSHFP) record stores the fingerprint of an SSH server’s public host key in the DNS. When a client connects to a server, it can check this record to verify that the host key is authentic.

This record is a critical tool for preventing “Man-in-the-Middle” (MitM) attacks during SSH sessions. Ordinarily, when you connect to a new server, you see a warning: “The authenticity of host can’t be established.” By using SSHFP in conjunction with DNSSEC, the SSH client can automatically verify the server’s identity, allowing for a secure, “zero-touch” connection without manual verification of fingerprints.

Frequently Asked Questions

If your DNS isn’t secured with DNSSEC, an attacker could spoof the SSHFP record just as easily as they could spoof the server. DNSSEC provides the cryptographic proof that the SSHFP record itself hasn’t been tampered with.

Yes. If you re-install the OS or generate new SSH host keys, the fingerprints will change. You must update your DNS records, or your SSH clients will refuse to connect due to a fingerprint mismatch.
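As an added example (not part of the original page), the following Python script shows what an SSHFP record actually contains and how the verification described above works: the record's RDATA is the algorithm number, a fingerprint-type number, and the hash of the host key's raw SSH wire-format blob, which is what a client computes from the key the server presents and compares against the DNS answer. The same record text is what `ssh-keygen -r <hostname> -f <hostkey.pub>` prints; the sample host keys below are constructed byte patterns, not real keys, and `host.example.test` is a placeholder name.

```python
import base64
import hashlib
import struct
from dataclasses import dataclass

# SSHFP code points: RFC 4255 (RSA=1, DSA=2, SHA-1=1), RFC 6594 (ECDSA=3, SHA-256=2),
# RFC 7479 (Ed25519=4), RFC 8709 (Ed448=6).
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
    "ssh-ed448": 6,
}
SSHFP_FPTYPE_SHA1 = 1
SSHFP_FPTYPE_SHA256 = 2


@dataclass(frozen=True)
class SSHFPRecord:
    """One SSHFP RDATA triple: algorithm, fingerprint type, lowercase hex fingerprint."""
    algorithm: int
    fptype: int
    fingerprint: str

    def rdata(self) -> str:
        # Presentation format as it appears in a zone file after "IN SSHFP".
        return f"{self.algorithm} {self.fptype} {self.fingerprint}"


def _ssh_string(data: bytes) -> bytes:
    # SSH wire-format string: 4-byte big-endian length followed by the bytes.
    return struct.pack(">I", len(data)) + data


def sshfp_from_openssh_line(line: str, fptype: int = SSHFP_FPTYPE_SHA256) -> SSHFPRecord:
    """Compute the SSHFP record for one line of an OpenSSH public host key file.

    The fingerprint is the hash of the base64-decoded key blob, exactly the
    bytes the server sends during key exchange.
    """
    keytype, b64 = line.split()[:2]
    algorithm = SSHFP_ALGORITHM[keytype]  # KeyError for unsupported key types
    blob = base64.b64decode(b64)
    # The blob must start with the key type as an SSH string; reject mismatched lines.
    if not blob.startswith(_ssh_string(keytype.encode())):
        raise ValueError("key type in blob does not match key type field")
    digest = hashlib.sha256(blob) if fptype == SSHFP_FPTYPE_SHA256 else hashlib.sha1(blob)
    return SSHFPRecord(algorithm, fptype, digest.hexdigest())


def verify_host_key(presented_line: str, published: list[SSHFPRecord]) -> bool:
    """Client-side check: does the presented host key match any published SSHFP record?

    The records must come from a DNSSEC-validated answer to mean anything; this
    function only does the comparison step.
    """
    for rec in published:
        try:
            computed = sshfp_from_openssh_line(presented_line, rec.fptype)
        except (KeyError, ValueError):
            continue
        if computed == rec:
            return True
    return False


def _constructed_ed25519_line(seed: int) -> str:
    # Constructed test data: a 32-byte pattern in the Ed25519 key slot, NOT a real key.
    raw = bytes((seed + i) % 256 for i in range(32))
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " root@host.example.test"


# Assumed scenario: SERVER_KEY is the key in DNS, OTHER_KEY is what a rotated
# (or impostor) host would present.
SERVER_KEY = _constructed_ed25519_line(0)
OTHER_KEY = _constructed_ed25519_line(7)

if __name__ == "__main__":
    record = sshfp_from_openssh_line(SERVER_KEY)
    print(f"host.example.test. IN SSHFP {record.rdata()}")
    print("matches published record:", verify_host_key(SERVER_KEY, [record]))
    print("rotated key matches     :", verify_host_key(OTHER_KEY, [record]))
```

Run as a script it prints a zone-file line for the constructed key and then shows the second key failing verification, which is the situation the answer above describes after host keys are regenerated. On the client side, OpenSSH performs this lookup when `VerifyHostKeyDNS yes` is set in `ssh_config`, and it trusts the result only when the resolver reports the DNS answer as DNSSEC-validated.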
