svn commit: r255461 - head/crypto/openssh

Dag-Erling Smørgrav des at FreeBSD.org
Tue Sep 10 22:30:24 UTC 2013 

Author: des
Date: Tue Sep 10 22:30:22 2013
New Revision: 255461
URL: http://svnweb.freebsd.org/changeset/base/255461

Log:
  Change the default value of VerifyHostKeyDNS to "yes" if compiled with
  LDNS.  With that setting, OpenSSH will silently accept host keys that
  match verified SSHFP records.  If an SSHFP record exists but could not
  be verified, OpenSSH will print a message and prompt the user as usual.
  
  Approved by:	re (blanket)

Modified:
  head/crypto/openssh/readconf.c
  head/crypto/openssh/ssh_config
  head/crypto/openssh/ssh_config.5

Modified: head/crypto/openssh/readconf.c
==============================================================================
--- head/crypto/openssh/readconf.c	Tue Sep 10 22:26:11 2013	(r255460)
+++ head/crypto/openssh/readconf.c	Tue Sep 10 22:30:22 2013	(r255461)
@@ -1435,8 +1435,14 @@ fill_default_options(Options * options)
 		options->enable_ssh_keysign = 0;
 	if (options->rekey_limit == -1)
 		options->rekey_limit = 0;
+#if HAVE_LDNS
+	if (options->verify_host_key_dns == -1)
+		/* automatically trust a verified SSHFP record */
+		options->verify_host_key_dns = 1;
+#else
 	if (options->verify_host_key_dns == -1)
 		options->verify_host_key_dns = 0;
+#endif
 	if (options->server_alive_interval == -1)
 		options->server_alive_interval = 0;
 	if (options->server_alive_count_max == -1)

Modified: head/crypto/openssh/ssh_config
==============================================================================
--- head/crypto/openssh/ssh_config	Tue Sep 10 22:26:11 2013	(r255460)
+++ head/crypto/openssh/ssh_config	Tue Sep 10 22:30:22 2013	(r255461)
@@ -46,4 +46,5 @@
 #   PermitLocalCommand no
 #   VisualHostKey no
 #   ProxyCommand ssh -q -W %h:%p gateway.example.com
+#   VerifyHostKeyDNS yes
 #   VersionAddendum FreeBSD-20130515

Modified: head/crypto/openssh/ssh_config.5
==============================================================================
--- head/crypto/openssh/ssh_config.5	Tue Sep 10 22:26:11 2013	(r255460)
+++ head/crypto/openssh/ssh_config.5	Tue Sep 10 22:30:22 2013	(r255461)
@@ -1219,7 +1219,10 @@ The argument must be
 or
 .Dq ask .
 The default is
-.Dq no .
+.Dq yes
+if compiled with LDNS and
+.Dq no
+otherwise.
 Note that this option applies to protocol version 2 only.
 .Pp
 See also

More information about the svn-src-all mailing list