Change the default value of VerifyHostKeyDNS to "yes" if compiled with

LDNS. With that setting, OpenSSH will silently accept host keys that match verified SSHFP records. If an SSHFP record exists but could not be verified, OpenSSH will print a message and prompt the user as usual. Approved by: re (blanket)
author: des <des@FreeBSD.org> 2013-09-10 22:30:22 +0000
committer: des <des@FreeBSD.org> 2013-09-10 22:30:22 +0000
commit: c960286445eb68fac5bb495df021d0dcf22ec4de (patch)
tree: f38c99ce2b414f0d4c266e8e44a6ef9114b9c80a /crypto/openssh/readconf.c
parent: 2a9ec0fc3edd2edc5766e11fa312e8ab8a128d5f (diff)
download: FreeBSD-src-c960286445eb68fac5bb495df021d0dcf22ec4de.zip
FreeBSD-src-c960286445eb68fac5bb495df021d0dcf22ec4de.tar.gz
1 files changed, 6 insertions, 0 deletions
diff --git a/crypto/openssh/readconf.c b/crypto/openssh/readconf.c
index 2543d68..c99ea66 100644
--- a/crypto/openssh/readconf.c
+++ b/crypto/openssh/readconf.c
@@ -1435,8 +1435,14 @@ fill_default_options(Options * options)
 		options->enable_ssh_keysign = 0;
 	if (options->rekey_limit == -1)
 		options->rekey_limit = 0;
+#if HAVE_LDNS
+	if (options->verify_host_key_dns == -1)
+		/* automatically trust a verified SSHFP record */
+		options->verify_host_key_dns = 1;
+#else
 	if (options->verify_host_key_dns == -1)
 		options->verify_host_key_dns = 0;
+#endif
 	if (options->server_alive_interval == -1)
 		options->server_alive_interval = 0;
 	if (options->server_alive_count_max == -1)
author	des <des@FreeBSD.org>	2013-09-10 22:30:22 +0000
committer	des <des@FreeBSD.org>	2013-09-10 22:30:22 +0000
commit	c960286445eb68fac5bb495df021d0dcf22ec4de (patch)
tree	f38c99ce2b414f0d4c266e8e44a6ef9114b9c80a /crypto/openssh/readconf.c
parent	2a9ec0fc3edd2edc5766e11fa312e8ab8a128d5f (diff)
download	FreeBSD-src-c960286445eb68fac5bb495df021d0dcf22ec4de.zip FreeBSD-src-c960286445eb68fac5bb495df021d0dcf22ec4de.tar.gz