authorDag-Erling Smørgrav <des@FreeBSD.org>2013-09-10 22:30:22 +0000
committerDag-Erling Smørgrav <des@FreeBSD.org>2013-09-10 22:30:22 +0000
commit83c6a5242c80160fff76fb85454938761645b0c4 (patch)
treef38c99ce2b414f0d4c266e8e44a6ef9114b9c80a
parent9cfa8b3fee2f79940b0b9e5a4ffbc5f095861529 (diff)
Change the default value of VerifyHostKeyDNS to "yes" if compiled with
LDNS. With that setting, OpenSSH will silently accept host keys that match verified SSHFP records. If an SSHFP record exists but could not be verified, OpenSSH will print a message and prompt the user as usual. Approved by: re (blanket)
Notes
Notes: svn path=/head/; revision=255461
-rw-r--r--crypto/openssh/readconf.c6
-rw-r--r--crypto/openssh/ssh_config1
-rw-r--r--crypto/openssh/ssh_config.55
3 files changed, 11 insertions, 1 deletions
diff --git a/crypto/openssh/readconf.c b/crypto/openssh/readconf.c
index 2543d68cdb6e..c99ea66a7c43 100644
--- a/crypto/openssh/readconf.c
+++ b/crypto/openssh/readconf.c
@@ -1435,8 +1435,14 @@ fill_default_options(Options * options)
options->enable_ssh_keysign = 0;
if (options->rekey_limit == -1)
options->rekey_limit = 0;
+#if HAVE_LDNS
+ if (options->verify_host_key_dns == -1)
+ /* automatically trust a verified SSHFP record */
+ options->verify_host_key_dns = 1;
+#else
if (options->verify_host_key_dns == -1)
options->verify_host_key_dns = 0;
+#endif
if (options->server_alive_interval == -1)
options->server_alive_interval = 0;
if (options->server_alive_count_max == -1)
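Review bot: The new default silently turns a DNS answer into a host-key trust decision, and the one-line comment on the added `#if HAVE_LDNS` branch does not say what "verified" rests on; as far as I can tell from the ldns getrrsetbyname shim, "verified" means the recursive resolver flagged the SSHFP RRset as DNSSEC-validated (AD bit), so with `verify_host_key_dns = 1` the trust root moves to the DNSSEC chain plus the path between ssh and the configured resolver, and a spoofable resolver path means a spoofable host key with no prompt — this should be stated at the point where the default is set. I would replace the added comment with `/* Trust host keys that match an SSHFP record the resolver reported as DNSSEC-validated (no prompt); the resolver and the path to it must be trusted for this to be safe. */`. Minor style point: the `if` is duplicated in both preprocessor arms; keeping one `if (options->verify_host_key_dns == -1)` and selecting only the assigned value under `#ifdef HAVE_LDNS` (the spelling the rest of OpenSSH's config.h-driven code tends to use, rather than `#if`) would make the default easier to audit. fill_default_options begins before and continues past this hunk.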
diff --git a/crypto/openssh/ssh_config b/crypto/openssh/ssh_config
index 2917477ba913..67b5d9f2c912 100644
--- a/crypto/openssh/ssh_config
+++ b/crypto/openssh/ssh_config
@@ -46,4 +46,5 @@
# PermitLocalCommand no
# VisualHostKey no
# ProxyCommand ssh -q -W %h:%p gateway.example.com
+# VerifyHostKeyDNS yes
# VersionAddendum FreeBSD-20130515
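Review bot: The commented sample `# VerifyHostKeyDNS yes` now advertises a default that only holds for LDNS-enabled builds, while readconf.c in this same commit keeps `no` as the default otherwise; if the file's header states (as it presumably does, it is outside this hunk) that commented values show the defaults, the sample is misleading on a non-LDNS build. I would annotate the line rather than leave it bare: `# VerifyHostKeyDNS yes   (no if built without LDNS)`.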
diff --git a/crypto/openssh/ssh_config.5 b/crypto/openssh/ssh_config.5
index 4cbaee9e4014..4521f4079488 100644
--- a/crypto/openssh/ssh_config.5
+++ b/crypto/openssh/ssh_config.5
@@ -1219,7 +1219,10 @@ The argument must be
or
.Dq ask .
The default is
-.Dq no .
+.Dq yes
+if compiled with LDNS and
+.Dq no
+otherwise.
Note that this option applies to protocol version 2 only.
.Pp
See also