From owner-svn-src-head@FreeBSD.ORG Tue Sep 10 22:30:24 2013
Message-Id: <201309102230.r8AMUNAm059244@svn.freebsd.org>
From: Dag-Erling Smørgrav <des@FreeBSD.org>
Date: Tue, 10 Sep 2013 22:30:23 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r255461 - head/crypto/openssh
List-Id: SVN commit messages for the src tree for head/-current

Author: des
Date: Tue Sep 10 22:30:22 2013
New Revision: 255461
URL: http://svnweb.freebsd.org/changeset/base/255461

Log:
  Change the default value of VerifyHostKeyDNS to "yes" if compiled with
  LDNS.  With that setting, OpenSSH will silently accept host keys that
  match verified SSHFP records.  If an SSHFP record exists but could not
  be verified, OpenSSH will print a message and prompt the user as usual.

  Approved by:	re (blanket)

Modified:
  head/crypto/openssh/readconf.c
  head/crypto/openssh/ssh_config
  head/crypto/openssh/ssh_config.5

Modified: head/crypto/openssh/readconf.c
==============================================================================
--- head/crypto/openssh/readconf.c	Tue Sep 10 22:26:11 2013	(r255460)
+++ head/crypto/openssh/readconf.c	Tue Sep 10 22:30:22 2013	(r255461)
@@ -1435,8 +1435,14 @@ fill_default_options(Options * options) options->enable_ssh_keysign = 0; if (options->rekey_limit == -1) options->rekey_limit = 0; +#if HAVE_LDNS + if (options->verify_host_key_dns == -1) + /* automatically trust a verified SSHFP record */ + options->verify_host_key_dns = 1; +#else if (options->verify_host_key_dns == -1) options->verify_host_key_dns = 0; +#endif if (options->server_alive_interval == -1) options->server_alive_interval = 0; if (options->server_alive_count_max == -1) Modified: head/crypto/openssh/ssh_config ============================================================================== --- head/crypto/openssh/ssh_config Tue Sep 10 22:26:11 2013 (r255460) +++ head/crypto/openssh/ssh_config Tue Sep 10 22:30:22 2013 (r255461) @@ -46,4 +46,5 @@ # PermitLocalCommand no # VisualHostKey no # ProxyCommand ssh -q -W %h:%p gateway.example.com +# VerifyHostKeyDNS yes # VersionAddendum FreeBSD-20130515 Modified: head/crypto/openssh/ssh_config.5 ============================================================================== --- head/crypto/openssh/ssh_config.5 Tue Sep 10 22:26:11 2013 (r255460) +++ head/crypto/openssh/ssh_config.5 Tue Sep 10 22:30:22 2013 (r255461) @@ -1219,7 +1219,10 @@ The argument must be or .Dq ask . The default is -.Dq no . +.Dq yes +if compiled with LDNS and +.Dq no +otherwise. Note that this option applies to protocol version 2 only. .Pp See also
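Review bot: In the readconf.c hunk the test `if (options->verify_host_key_dns == -1)` is repeated on both sides of the `#if HAVE_LDNS`; keep one test and put only the assigned value under the conditional, for example `options->verify_host_key_dns = HAVE_LDNS_DEFAULT;` with the 0/1 chosen in a single `#if`/`#else` above it, so the two branches cannot drift apart. The comment `/* automatically trust a verified SSHFP record */` should also say what "verified" means here: the only thing this hunk changes is the default, and nothing in it checks that the DNS answer was DNSSEC-validated, so a reader of readconf.c needs to be told that the silent-accept path relies on the resolver's validation (the commit message's "verified SSHFP records") and is only safe when the LDNS resolver has a trust anchor configured.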
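Review bot: The new `# VerifyHostKeyDNS yes` line in the sample ssh_config shows the default only for a build with LDNS; for a build without LDNS the commented default is wrong, since the readconf.c hunk keeps `no` there. Either qualify the comment (for example `# VerifyHostKeyDNS yes   (no if built without LDNS)`) or leave the line out, because the convention of this file is that a commented line states the actual compiled-in default.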
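Review bot: The ssh_config.5 hunk makes the default depend on "if compiled with LDNS" but gives the reader no way to tell which case applies to their binary. Add a sentence saying which default the FreeBSD base-system build ships with, or how a user can check, and since this hunk only touches the "The default is" sentence, make sure the surrounding description of `yes` still states the consequence spelled out in the commit message: a host key matching a verified SSHFP record is accepted without the usual known_hosts prompt.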
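The behaviour described in the commit message (silent accept on a verified matching SSHFP record, the usual prompt otherwise), shown as an added example that is not part of this commit or of OpenSSH. It derives SSHFP records from an OpenSSH public-key line the way ssh-keygen -r would (hash over the base64-decoded key blob, RFC 4255 / RFC 6594 / RFC 7479 code points) and models the client's decision for a host not yet in known_hosts. The sample key is constructed filler, not a real host key, and the decision model is reconstructed from the commit message: the exact OpenSSH code path is an assumption, not quoted from sshconnect.c.

```python
"""SSHFP derivation and a model of the VerifyHostKeyDNS decision.

Added example, not OpenSSH code.  Record layout per RFC 4255 / 6594 / 7479.
The decision model is reconstructed from the r255461 commit message; the
exact OpenSSH code path is an assumption.
"""
import base64
import hashlib
import struct

# SSHFP "algorithm" and "fingerprint type" code points.
SSHFP_ALGO = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_FPTYPE = {"sha1": 1, "sha256": 2}


def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def constructed_pubkey(filler: bytes) -> str:
    """Build an ssh-ed25519 public-key line from 32 bytes of filler.

    Constructed sample only: the filler is not a real key, but the blob
    has the structure ssh-keygen would produce, which is all that matters
    for fingerprinting."""
    assert len(filler) == 32
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(filler)
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


def sshfp_records(pubkey_line: str, hashes=("sha1", "sha256")):
    """Return [(algorithm, fptype, hexfp)] for a public-key line.

    The fingerprint is the hash over the base64-decoded key blob (the
    second field of the line), not over the text of the line."""
    ktype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    return [
        (SSHFP_ALGO[ktype], SSHFP_FPTYPE[h], hashlib.new(h, blob).hexdigest())
        for h in hashes
    ]


def zone_lines(owner: str, records) -> list:
    """Render records as zone-file lines: 'host.example.com. IN SSHFP 4 2 <hex>'."""
    return [f"{owner} IN SSHFP {a} {t} {fp}" for a, t, fp in records]


def host_key_decision(setting: str, pubkey_line: str, dns_records,
                      dnssec_secure: bool) -> str:
    """Model the client's choice for a host key not yet in known_hosts.

    setting        VerifyHostKeyDNS value: "yes", "ask" or "no"
    pubkey_line    host key presented by the server
    dns_records    SSHFP records the resolver returned (may be empty)
    dnssec_secure  True only if the resolver DNSSEC-validated the answer

    Returns one of:
      "accept"              trusted silently: only "yes" + secure + match
      "prompt"              usual known_hosts prompt, DNS said nothing
      "prompt-dns-match"    prompt, noting a matching but unverified record
      "prompt-dns-mismatch" warn that DNS disagrees, then prompt
    """
    if setting == "no" or not dns_records:
        return "prompt"
    local = set(sshfp_records(pubkey_line))
    match = any((a, t, fp.lower()) in local for a, t, fp in dns_records)
    if not match:
        # A record exists but names a different key: never silently accept.
        return "prompt-dns-mismatch"
    if setting == "yes" and dnssec_secure:
        # The r255461 default with LDNS: a verified match needs no prompt.
        return "accept"
    # "ask", or a match that the resolver could not validate.
    return "prompt-dns-match"
```

The point a practitioner should take from the model is the `dnssec_secure` argument: with the new default, the silent-accept path is only as strong as the resolver's validation, so an SSHFP record in an unsigned zone, or a validating resolver without a trust anchor, leaves the user at the usual prompt rather than granting trust.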