From c960286445eb68fac5bb495df021d0dcf22ec4de Mon Sep 17 00:00:00 2001
From: des <des@FreeBSD.org>
Date: Tue, 10 Sep 2013 22:30:22 +0000
Subject: Change the default value of VerifyHostKeyDNS to "yes" if compiled
 with LDNS.  With that setting, OpenSSH will silently accept host keys that
 match verified SSHFP records.  If an SSHFP record exists but could not be
 verified, OpenSSH will print a message and prompt the user as usual.

Approved by:	re (blanket)
---
 crypto/openssh/readconf.c | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'crypto/openssh/readconf.c')

diff --git a/crypto/openssh/readconf.c b/crypto/openssh/readconf.c
index 2543d68..c99ea66 100644
--- a/crypto/openssh/readconf.c
+++ b/crypto/openssh/readconf.c
@@ -1435,8 +1435,14 @@ fill_default_options(Options * options)
 		options->enable_ssh_keysign = 0;
 	if (options->rekey_limit == -1)
 		options->rekey_limit = 0;
+#if HAVE_LDNS
+	if (options->verify_host_key_dns == -1)
+		/* automatically trust a verified SSHFP record */
+		options->verify_host_key_dns = 1;
+#else
 	if (options->verify_host_key_dns == -1)
 		options->verify_host_key_dns = 0;
+#endif
 	if (options->server_alive_interval == -1)
 		options->server_alive_interval = 0;
 	if (options->server_alive_count_max == -1)
-- 
cgit v1.1