openssh 2021Q1

security/openssh-portable/files/extra-patch-ldns

@@ -0,0 +1,51 @@
+r255461 | des | 2013-09-10 17:30:22 -0500 (Tue, 10 Sep 2013) | 7 lines
+Changed paths:
+   M /head/crypto/openssh/readconf.c
+   M /head/crypto/openssh/ssh_config
+   M /head/crypto/openssh/ssh_config.5
+
+Change the default value of VerifyHostKeyDNS to "yes" if compiled with
+LDNS.  With that setting, OpenSSH will silently accept host keys that
+match verified SSHFP records.  If an SSHFP record exists but could not
+be verified, OpenSSH will print a message and prompt the user as usual.
+
+--- readconf.c	2013-10-03 08:15:03.496131082 -0500
++++ readconf.c	2013-10-03 08:15:22.716134315 -0500
+@@ -1414,8 +1414,14 @@ fill_default_options(Options * options)
+ 		options->rekey_limit = 0;
+ 	if (options->rekey_interval == -1)
+ 		options->rekey_interval = 0;
++#if HAVE_LDNS
++	if (options->verify_host_key_dns == -1)
++		/* automatically trust a verified SSHFP record */
++		options->verify_host_key_dns = 1;
++#else
+ 	if (options->verify_host_key_dns == -1)
+ 		options->verify_host_key_dns = 0;
++#endif
+ 	if (options->server_alive_interval == -1)
+ 		options->server_alive_interval = 0;
+ 	if (options->server_alive_count_max == -1)
+--- ssh_config	2013-10-03 08:15:03.537131330 -0500
++++ ssh_config	2013-10-03 08:15:22.755131175 -0500
+@@ -44,5 +44,6 @@
+ #   TunnelDevice any:any
+ #   PermitLocalCommand no
+ #   VisualHostKey no
++#   VerifyHostKeyDNS yes
+ #   ProxyCommand ssh -q -W %h:%p gateway.example.com
+ #   RekeyLimit 1G 1h
+--- ssh_config.5.orig	2016-12-18 20:59:41.000000000 -0800
++++ ssh_config.5	2017-01-11 11:24:25.573200000 -0800
+@@ -1635,7 +1635,10 @@ need to confirm new host keys according 
+ .Cm StrictHostKeyChecking
+ option.
+ The default is
+-.Cm no .
++.Cm yes
++if compiled with LDNS and
++.Cm no
++otherwise.
+ .Pp
+ See also
+ .Sx VERIFYING HOST KEYS