52 lines
1.7 KiB
Plaintext
52 lines
1.7 KiB
Plaintext
r255461 | des | 2013-09-10 17:30:22 -0500 (Tue, 10 Sep 2013) | 7 lines
|
|
Changed paths:
|
|
M /head/crypto/openssh/readconf.c
|
|
M /head/crypto/openssh/ssh_config
|
|
M /head/crypto/openssh/ssh_config.5
|
|
|
|
Change the default value of VerifyHostKeyDNS to "yes" if compiled with
|
|
LDNS. With that setting, OpenSSH will silently accept host keys that
|
|
match verified SSHFP records. If an SSHFP record exists but could not
|
|
be verified, OpenSSH will print a message and prompt the user as usual.
|
|
|
|
--- readconf.c 2013-10-03 08:15:03.496131082 -0500
|
|
+++ readconf.c 2013-10-03 08:15:22.716134315 -0500
|
|
@@ -1414,8 +1414,14 @@ fill_default_options(Options * options)
|
|
options->rekey_limit = 0;
|
|
if (options->rekey_interval == -1)
|
|
options->rekey_interval = 0;
|
|
+#if HAVE_LDNS
|
|
+ if (options->verify_host_key_dns == -1)
|
|
+ /* automatically trust a verified SSHFP record */
|
|
+ options->verify_host_key_dns = 1;
|
|
+#else
|
|
if (options->verify_host_key_dns == -1)
|
|
options->verify_host_key_dns = 0;
|
|
+#endif
|
|
if (options->server_alive_interval == -1)
|
|
options->server_alive_interval = 0;
|
|
if (options->server_alive_count_max == -1)
|
|
--- ssh_config 2013-10-03 08:15:03.537131330 -0500
|
|
+++ ssh_config 2013-10-03 08:15:22.755131175 -0500
|
|
@@ -44,5 +44,6 @@
|
|
# TunnelDevice any:any
|
|
# PermitLocalCommand no
|
|
# VisualHostKey no
|
|
+# VerifyHostKeyDNS yes
|
|
# ProxyCommand ssh -q -W %h:%p gateway.example.com
|
|
# RekeyLimit 1G 1h
|
|
--- ssh_config.5.orig 2016-12-18 20:59:41.000000000 -0800
|
|
+++ ssh_config.5 2017-01-11 11:24:25.573200000 -0800
|
|
@@ -1635,7 +1635,10 @@ need to confirm new host keys according
|
|
.Cm StrictHostKeyChecking
|
|
option.
|
|
The default is
|
|
-.Cm no .
|
|
+.Cm yes
|
|
+if compiled with LDNS and
|
|
+.Cm no
|
|
+otherwise.
|
|
.Pp
|
|
See also
|
|
.Sx VERIFYING HOST KEYS
|