diff options
author | des <des@FreeBSD.org> | 2013-09-10 22:30:22 +0000 |
---|---|---|
committer | des <des@FreeBSD.org> | 2013-09-10 22:30:22 +0000 |
commit | c960286445eb68fac5bb495df021d0dcf22ec4de (patch) | |
tree | f38c99ce2b414f0d4c266e8e44a6ef9114b9c80a /crypto/openssh/readconf.c | |
parent | 2a9ec0fc3edd2edc5766e11fa312e8ab8a128d5f (diff) | |
download | FreeBSD-src-c960286445eb68fac5bb495df021d0dcf22ec4de.zip FreeBSD-src-c960286445eb68fac5bb495df021d0dcf22ec4de.tar.gz |
Change the default value of VerifyHostKeyDNS to "yes" if compiled with
LDNS. With that setting, OpenSSH will silently accept host keys that
match verified SSHFP records. If an SSHFP record exists but could not
be verified, OpenSSH will print a message and prompt the user as usual.
Approved by: re (blanket)
Diffstat (limited to 'crypto/openssh/readconf.c')
-rw-r--r-- | crypto/openssh/readconf.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/crypto/openssh/readconf.c b/crypto/openssh/readconf.c index 2543d68..c99ea66 100644 --- a/crypto/openssh/readconf.c +++ b/crypto/openssh/readconf.c @@ -1435,8 +1435,14 @@ fill_default_options(Options * options) options->enable_ssh_keysign = 0; if (options->rekey_limit == -1) options->rekey_limit = 0; +#if HAVE_LDNS + if (options->verify_host_key_dns == -1) + /* automatically trust a verified SSHFP record */ + options->verify_host_key_dns = 1; +#else if (options->verify_host_key_dns == -1) options->verify_host_key_dns = 0; +#endif if (options->server_alive_interval == -1) options->server_alive_interval = 0; if (options->server_alive_count_max == -1) |