git: 41ff5ea22cb9 - main - ssh: default VerifyHostKeyDNS to no, following upstream
Date: Wed, 01 Mar 2023 14:20:09 UTC
The branch main has been updated by emaste:
URL: https://cgit.FreeBSD.org/src/commit/?id=41ff5ea22cb95deb9e7415510eb2f5f00b91537a
commit 41ff5ea22cb95deb9e7415510eb2f5f00b91537a
Author: Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2023-02-17 01:26:41 +0000
Commit: Ed Maste <emaste@FreeBSD.org>
CommitDate: 2023-03-01 14:19:07 +0000
ssh: default VerifyHostKeyDNS to no, following upstream
Revert to upstream's default. Using VerifyHostKeyDNS may depend on a
trusted nameserver and network path.
This reverts commit 83c6a5242c80160fff76fb85454938761645b0c4.
Reported by: David Leadbeater, G-Research
Reviewed by: gordon
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D38648
---
crypto/openssh/FREEBSD-upgrade | 1 -
crypto/openssh/readconf.c | 6 ------
crypto/openssh/ssh_config | 1 -
crypto/openssh/ssh_config.5 | 5 +----
4 files changed, 1 insertion(+), 12 deletions(-)
diff --git a/crypto/openssh/FREEBSD-upgrade b/crypto/openssh/FREEBSD-upgrade
index bc1122768790..92abda1d0e4c 100644
--- a/crypto/openssh/FREEBSD-upgrade
+++ b/crypto/openssh/FREEBSD-upgrade
@@ -122,7 +122,6 @@
We've modified some configuration defaults in ssh:
- CheckHostIP defaults to "no".
- - VerifyHostKeyDNS defaults to "yes" if built with LDNS.
3) Canonic host names
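Review bot: with this line removed, the FREEBSD-upgrade list of locally modified ssh defaults is reduced to CheckHostIP only, which is consistent with the readconf.c change in the same commit; since this file is the record of where FreeBSD deviates from upstream, a one-line remark that the former "yes if built with LDNS" default was dropped in favour of upstream's "no" would help anyone upgrading who still expects SSHFP records to be trusted automatically (the Relnotes tag covers the release notes, but not readers of this file).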
diff --git a/crypto/openssh/readconf.c b/crypto/openssh/readconf.c
index bbf03c8d953f..9ade0ffa0641 100644
--- a/crypto/openssh/readconf.c
+++ b/crypto/openssh/readconf.c
@@ -2592,14 +2592,8 @@ fill_default_options(Options * options)
options->rekey_limit = 0;
if (options->rekey_interval == -1)
options->rekey_interval = 0;
-#if HAVE_LDNS
- if (options->verify_host_key_dns == -1)
- /* automatically trust a verified SSHFP record */
- options->verify_host_key_dns = 1;
-#else
if (options->verify_host_key_dns == -1)
options->verify_host_key_dns = 0;
-#endif
if (options->server_alive_interval == -1)
options->server_alive_interval = 0;
if (options->server_alive_count_max == -1)
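Review bot: the collapse of the two branches is safe because only the -1 (unset) sentinel is overwritten, so an explicit `VerifyHostKeyDNS yes` or `ask` in ssh_config is still honoured; the practical effect is that a build with LDNS no longer silently takes the removed `/* automatically trust a verified SSHFP record */` path unless the administrator opts in, which matches the commit message's point that the result is only as trustworthy as the nameserver and the network path to it. One thing to check while here: fill_default_options no longer references `HAVE_LDNS`, so if this was its only use in readconf.c the corresponding conditional include can go as well.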
diff --git a/crypto/openssh/ssh_config b/crypto/openssh/ssh_config
index 306e8f950efd..1eb1c00632b0 100644
--- a/crypto/openssh/ssh_config
+++ b/crypto/openssh/ssh_config
@@ -44,4 +44,3 @@
# ProxyCommand ssh -q -W %h:%p gateway.example.com
# RekeyLimit 1G 1h
# UserKnownHostsFile ~/.ssh/known_hosts.d/%k
-# VerifyHostKeyDNS yes
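Review bot: removing the line leaves the sample ssh_config with no mention of VerifyHostKeyDNS at all; since the neighbouring lines are commented-out examples, a `# VerifyHostKeyDNS no` line in its place would keep the option discoverable and make the changed default visible to administrators who relied on the old FreeBSD behaviour, although matching the upstream sample file verbatim is also a defensible choice.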
diff --git a/crypto/openssh/ssh_config.5 b/crypto/openssh/ssh_config.5
index 153dd9ea4ed8..7c24e12dfdee 100644
--- a/crypto/openssh/ssh_config.5
+++ b/crypto/openssh/ssh_config.5
@@ -1991,10 +1991,7 @@ need to confirm new host keys according to the
.Cm StrictHostKeyChecking
option.
The default is
-.Cm yes
-if compiled with LDNS and
-.Cm no
-otherwise.
+.Cm no .
.Pp
See also
.Sx VERIFYING HOST KEYS
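Review bot: `.Cm no .` is the correct mdoc spelling, because the separated period is treated as trailing punctuation and rendered outside the Cm font, and the sentence now matches upstream's description of the default. With the "if compiled with LDNS" qualifier gone, it is worth confirming that the VERIFYING HOST KEYS section cross-referenced just below does not still describe the LDNS-dependent default, since the hunk only touches the option's own entry.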