git: 00b520a311a9 - 2025Q1 - security/openssh-portable: LDNS: Disable default VerifyHostKeyDNS
Date: Wed, 19 Feb 2025 21:48:00 UTC
The branch 2025Q1 has been updated by bdrewery:
URL: https://cgit.FreeBSD.org/ports/commit/?id=00b520a311a98c3b7749f06df80196c21390cc39

commit 00b520a311a98c3b7749f06df80196c21390cc39
Author: Bryan Drewery <bdrewery@FreeBSD.org>
AuthorDate: 2025-02-19 21:33:46 +0000
Commit: Bryan Drewery <bdrewery@FreeBSD.org>
CommitDate: 2025-02-19 21:47:57 +0000

    security/openssh-portable: LDNS: Disable default VerifyHostKeyDNS

    This follows base 41ff5ea22cb95d which disabled this as the default.

    (cherry picked from commit d2522f470441a2389a85e4f694f27cb4ef8f1101)
---
 security/openssh-portable/Makefile | 3 +-
 security/openssh-portable/files/extra-patch-ldns | 51 ------------------------
 2 files changed, 1 insertion(+), 53 deletions(-)

diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile
index 6c140b0c056d..d2465b1d7ca9 100644
--- a/security/openssh-portable/Makefile
+++ b/security/openssh-portable/Makefile
@@ -1,6 +1,6 @@
 PORTNAME= openssh
 DISTVERSION= 9.9p2
-PORTREVISION= 0
+PORTREVISION= 1
 PORTEPOCH= 1
 CATEGORIES= security
 MASTER_SITES= OPENBSD/OpenSSH/portable
@@ -73,7 +73,6 @@ TCP_WRAPPERS_EXTRA_PATCHES=${FILESDIR}/extra-patch-tcpwrappers
 LDNS_CONFIGURE_WITH= ldns=${LOCALBASE}
 LDNS_LIB_DEPENDS= libldns.so:dns/ldns
-LDNS_EXTRA_PATCHES= ${FILESDIR}/extra-patch-ldns
 HPN_CONFIGURE_WITH= hpn
 NONECIPHER_CONFIGURE_WITH= nonecipher
diff --git a/security/openssh-portable/files/extra-patch-ldns b/security/openssh-portable/files/extra-patch-ldns
deleted file mode 100644
index 2d06f100c0c0..000000000000
--- a/security/openssh-portable/files/extra-patch-ldns
+++ /dev/null
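Review bot: Dropping `LDNS_EXTRA_PATCHES` in the second Makefile hunk silently changes the host-key trust behaviour of LDNS builds — without the patch the client falls back to upstream's `VerifyHostKeyDNS no`, so hosts that were previously accepted automatically on a DNSSEC-validated SSHFP match (the behaviour the deleted patch's own header describes) will now go through the usual unknown-host prompt — yet neither the port nor the commit message tells users how to get the old behaviour back. A short pkg-message or UPDATING entry would avoid surprise for anyone who relied on the old default, e.g. `The LDNS option no longer defaults VerifyHostKeyDNS to "yes"; set "VerifyHostKeyDNS yes" in ssh_config to keep automatic acceptance of DNSSEC-verified SSHFP records.` The PORTREVISION bump in the first hunk already forces a rebuild, so the change does propagate to existing installs; this is purely about communicating it. Aligning with base and upstream is the right default from a security standpoint, since the old setting made the resolver's DNSSEC validation a host-key trust root without the user opting in.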
@@ -1,51 +0,0 @@
-r255461 | des | 2013-09-10 17:30:22 -0500 (Tue, 10 Sep 2013) | 7 lines
-Changed paths:
- M /head/crypto/openssh/readconf.c
- M /head/crypto/openssh/ssh_config
- M /head/crypto/openssh/ssh_config.5
-
-Change the default value of VerifyHostKeyDNS to "yes" if compiled with
-LDNS. With that setting, OpenSSH will silently accept host keys that
-match verified SSHFP records. If an SSHFP record exists but could not
-be verified, OpenSSH will print a message and prompt the user as usual.
-
---- readconf.c 2013-10-03 08:15:03.496131082 -0500
-+++ readconf.c 2013-10-03 08:15:22.716134315 -0500
-@@ -1414,8 +1414,14 @@ fill_default_options(Options * options)
- options->rekey_limit = 0;
- if (options->rekey_interval == -1)
- options->rekey_interval = 0;
-+#if HAVE_LDNS
-+ if (options->verify_host_key_dns == -1)
-+ /* automatically trust a verified SSHFP record */
-+ options->verify_host_key_dns = 1;
-+#else
- if (options->verify_host_key_dns == -1)
- options->verify_host_key_dns = 0;
-+#endif
- if (options->server_alive_interval == -1)
- options->server_alive_interval = 0;
- if (options->server_alive_count_max == -1)
---- ssh_config 2013-10-03 08:15:03.537131330 -0500
-+++ ssh_config 2013-10-03 08:15:22.755131175 -0500
-@@ -44,5 +44,6 @@
- # TunnelDevice any:any
- # PermitLocalCommand no
- # VisualHostKey no
-+# VerifyHostKeyDNS yes
- # ProxyCommand ssh -q -W %h:%p gateway.example.com
- # RekeyLimit 1G 1h
---- ssh_config.5.orig 2016-12-18 20:59:41.000000000 -0800
-+++ ssh_config.5 2017-01-11 11:24:25.573200000 -0800
-@@ -1635,7 +1635,10 @@ need to confirm new host keys according
- .Cm StrictHostKeyChecking
- option.
- The default is
--.Cm no .
-+.Cm yes
-+if compiled with LDNS and
-+.Cm no
-+otherwise.
- .Pp
- See also
- .Sx VERIFYING HOST KEYS