svn commit: r255461 - head/crypto/openssh
Dag-Erling Smørgrav
des at FreeBSD.org
Tue Sep 10 22:30:24 UTC 2013
Author: des
Date: Tue Sep 10 22:30:22 2013
New Revision: 255461
URL: http://svnweb.freebsd.org/changeset/base/255461
Log:
Change the default value of VerifyHostKeyDNS to "yes" if compiled with
LDNS. With that setting, OpenSSH will silently accept host keys that
match verified SSHFP records. If an SSHFP record exists but could not
be verified, OpenSSH will print a message and prompt the user as usual.
Approved by: re (blanket)
Modified:
head/crypto/openssh/readconf.c
head/crypto/openssh/ssh_config
head/crypto/openssh/ssh_config.5
Modified: head/crypto/openssh/readconf.c
==============================================================================
--- head/crypto/openssh/readconf.c Tue Sep 10 22:26:11 2013 (r255460)
+++ head/crypto/openssh/readconf.c Tue Sep 10 22:30:22 2013 (r255461)
@@ -1435,8 +1435,14 @@ fill_default_options(Options * options)
options->enable_ssh_keysign = 0;
if (options->rekey_limit == -1)
options->rekey_limit = 0;
+#if HAVE_LDNS
+ if (options->verify_host_key_dns == -1)
+ /* automatically trust a verified SSHFP record */
+ options->verify_host_key_dns = 1;
+#else
if (options->verify_host_key_dns == -1)
options->verify_host_key_dns = 0;
+#endif
if (options->server_alive_interval == -1)
options->server_alive_interval = 0;
if (options->server_alive_count_max == -1)
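Review bot: The two branches of the new `#if HAVE_LDNS` block repeat the same `if (options->verify_host_key_dns == -1)` guard and differ only in the assigned literal; collapsing them to one guard with the value selected by the preprocessor (e.g. assign 1 under `#if HAVE_LDNS` and 0 under `#else` inside a single `if`) would make the intent clearer and avoid the two copies drifting apart. It would also help to state in the `/* automatically trust a verified SSHFP record */` comment what "verified" means here, namely DNSSEC-validated via LDNS, since setting the default to 1 means a host key that matches such a record is accepted without the usual prompt, and that trust decision now depends on the resolver's DNSSEC validation being trustworthy on every FreeBSD install built with LDNS.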
Modified: head/crypto/openssh/ssh_config
==============================================================================
--- head/crypto/openssh/ssh_config Tue Sep 10 22:26:11 2013 (r255460)
+++ head/crypto/openssh/ssh_config Tue Sep 10 22:30:22 2013 (r255461)
@@ -46,4 +46,5 @@
# PermitLocalCommand no
# VisualHostKey no
# ProxyCommand ssh -q -W %h:%p gateway.example.com
+# VerifyHostKeyDNS yes
# VersionAddendum FreeBSD-20130515
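Review bot: The sample entry `# VerifyHostKeyDNS yes` reads as the unconditional default, but readconf.c only defaults to yes when built with LDNS and to no otherwise. Since the commented lines in this file document the defaults, consider matching the ssh_config.5 wording, for example `# VerifyHostKeyDNS yes (no if not compiled with LDNS)`, so an operator reading the shipped config does not assume SSHFP-based acceptance is on for a non-LDNS build.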
Modified: head/crypto/openssh/ssh_config.5
==============================================================================
--- head/crypto/openssh/ssh_config.5 Tue Sep 10 22:26:11 2013 (r255460)
+++ head/crypto/openssh/ssh_config.5 Tue Sep 10 22:30:22 2013 (r255461)
@@ -1219,7 +1219,10 @@ The argument must be
or
.Dq ask .
The default is
-.Dq no .
+.Dq yes
+if compiled with LDNS and
+.Dq no
+otherwise.
Note that this option applies to protocol version 2 only.
.Pp
See also
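Review bot: The replacement text states the conditional default but not what the new default changes for the user; per the commit log, with `yes` a host key matching a verified SSHFP record is accepted silently, while an unverifiable record still produces a message and the normal prompt. A sentence to that effect after `otherwise.`, together with a note that the verification relies on DNSSEC validation by the resolver, would let readers of the manual judge whether to set the option back to `no` or `ask` on systems whose DNS path they do not trust.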