Date: Tue, 10 Sep 2013 22:30:23 +0000 (UTC)
From: Dag-Erling Smørgrav <des@FreeBSD.org>
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r255461 - head/crypto/openssh
Message-ID: <201309102230.r8AMUNAm059244@svn.freebsd.org>
Author: des Date: Tue Sep 10 22:30:22 2013 New Revision: 255461 URL: http://svnweb.freebsd.org/changeset/base/255461 Log: Change the default value of VerifyHostKeyDNS to "yes" if compiled with LDNS. With that setting, OpenSSH will silently accept host keys that match verified SSHFP records. If an SSHFP record exists but could not be verified, OpenSSH will print a message and prompt the user as usual. Approved by: re (blanket) Modified: head/crypto/openssh/readconf.c head/crypto/openssh/ssh_config head/crypto/openssh/ssh_config.5 Modified: head/crypto/openssh/readconf.c ============================================================================== --- head/crypto/openssh/readconf.c Tue Sep 10 22:26:11 2013 (r255460) +++ head/crypto/openssh/readconf.c Tue Sep 10 22:30:22 2013 (r255461) @@ -1435,8 +1435,14 @@ fill_default_options(Options * options) options->enable_ssh_keysign = 0; if (options->rekey_limit == -1) options->rekey_limit = 0; +#if HAVE_LDNS + if (options->verify_host_key_dns == -1) + /* automatically trust a verified SSHFP record */ + options->verify_host_key_dns = 1; +#else if (options->verify_host_key_dns == -1) options->verify_host_key_dns = 0; +#endif if (options->server_alive_interval == -1) options->server_alive_interval = 0; if (options->server_alive_count_max == -1) Modified: head/crypto/openssh/ssh_config ============================================================================== --- head/crypto/openssh/ssh_config Tue Sep 10 22:26:11 2013 (r255460) +++ head/crypto/openssh/ssh_config Tue Sep 10 22:30:22 2013 (r255461) 
@@ -46,4 +46,5 @@ # PermitLocalCommand no # VisualHostKey no # ProxyCommand ssh -q -W %h:%p gateway.example.com +# VerifyHostKeyDNS yes # VersionAddendum FreeBSD-20130515 Modified: head/crypto/openssh/ssh_config.5 ============================================================================== --- head/crypto/openssh/ssh_config.5 Tue Sep 10 22:26:11 2013 (r255460) +++ head/crypto/openssh/ssh_config.5 Tue Sep 10 22:30:22 2013 (r255461) @@ -1219,7 +1219,10 @@ The argument must be or .Dq ask . The default is -.Dq no . +.Dq yes +if compiled with LDNS and +.Dq no +otherwise. Note that this option applies to protocol version 2 only. .Pp See also
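Review bot: in the readconf.c hunk, the `#if HAVE_LDNS` and `#else` branches repeat the identical test `if (options->verify_host_key_dns == -1)` and differ only in the value assigned; this can be collapsed into one test with only the assigned value under the preprocessor conditional, which keeps the default-filling logic in one place. Also, the new comment `/* automatically trust a verified SSHFP record */` should say what "verified" means here, namely DNSSEC validation by the LDNS resolver: with this default a host key whose fingerprint matches a validated SSHFP record is accepted without any prompt, so the host-key trust decision now rests on the DNSSEC chain and on the trust anchors the resolver is configured with, and that deserves to be stated next to the code that enables it.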
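Review bot: the new `# VerifyHostKeyDNS yes` line in ssh_config presents yes as the default unconditionally, while the ssh_config.5 hunk in the same commit documents the default as yes only when compiled with LDNS and no otherwise. Since the commented entries in this file are meant to show the built-in defaults, a binary built without LDNS would ship a misleading example. Suggest qualifying the line, for instance `# VerifyHostKeyDNS yes` followed by a comment that this is the default only when compiled with LDNS, so the file and the man page agree.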
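Review bot: the ssh_config.5 hunk documents a build-dependent default (`.Dq yes` / `if compiled with LDNS and` / `.Dq no`) but gives the reader no way to find out whether the installed ssh was built with LDNS, and it does not carry over the behaviour stated in the log message: a host key matching a verified SSHFP record is accepted silently, whereas an SSHFP record that exists but cannot be verified still produces a message and the usual prompt. Both points belong in the manual page so that an administrator can judge what the new default changes; consider adding a sentence after `otherwise.` describing the two cases and a note on how to determine whether the binary was compiled with LDNS.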