Module Name: src
Committed By: jym
Date: Sun Oct 6 17:25:34 UTC 2013

Modified Files:
src/crypto/external/bsd/openssh/dist: ssh_config

Log Message:
Enable VerifyHostKeyDNS (SSHFP records verification) from DNS for hosts under NetBSD.org domain. Multiple TNF hosts have an up-to-date SSHFP record inside the DNS.

This offers a second channel verification for host key fingerprints (weaker than known_hosts, but spoofing a host on first connect would also require DNS forgery). This can provide a trusted second channel (like DANE TLSA records) once DNSSEC gets more widely used, but for now it is purely informational.

No regression expected, except that the ssh client will print a message upon first connect to confirm/infirm that it got a correct SSHFP record from DNS. Only done for NetBSD.org domain, SSHFP records are sadly more an exception than the rule.

Notified on netbsd-users@, no objection after a week -- committed.

To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.5 src/crypto/external/bsd/openssh/dist/ssh_config

Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
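The log message describes what the client does with SSHFP records: it hashes the host key the server offers and compares the result with the fingerprint published in DNS. The following script, added here as an illustration and not part of NetBSD or OpenSSH, shows both halves of that exchange: generating the SSHFP resource records for a public key (the same data ssh-keygen -r would publish) and checking a server-offered key against the SSHFP RDATA a resolver returned. The key material, the owner name host.example.org and the function names are all constructed for the example; the SSHFP algorithm and hash code points follow RFC 4255, RFC 6594 and RFC 7479.

```python
import base64
import hashlib
import struct

# SSHFP code points (RFC 4255, RFC 6594, RFC 7479): key algorithm and hash type.
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (4-byte big-endian length prefix)."""
    return struct.pack(">I", len(data)) + data


def parse_pubkey_line(line: str):
    """Split a known_hosts/authorized_keys-style key line into (keytype, raw blob).
    The blob is exactly the data the SSHFP fingerprint is computed over."""
    keytype, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key type inside the blob does not match the text field")
    return keytype, blob


def sshfp_records(owner: str, pubkey_line: str):
    """Return zone-file SSHFP RRs for this key, one per supported hash type."""
    keytype, blob = parse_pubkey_line(pubkey_line)
    alg = SSHFP_ALGORITHMS[keytype]
    return [f"{owner} IN SSHFP {alg} {fptype} {h(blob).hexdigest()}"
            for fptype, h in sorted(SSHFP_HASHES.items())]


def check_host_key(pubkey_line: str, sshfp_rdata):
    """Compare a server-offered host key with SSHFP RDATA strings ("alg fptype hex")
    returned by DNS. Simplified model of the client-side comparison (not OpenSSH code):
    'match' if any applicable record matches, 'mismatch' if records for this key
    algorithm exist but none match, 'no-record' if DNS carried nothing applicable."""
    keytype, blob = parse_pubkey_line(pubkey_line)
    alg = SSHFP_ALGORITHMS[keytype]
    applicable = 0
    for rdata in sshfp_rdata:
        a, t, hexfp = rdata.split()
        if int(a) != alg or int(t) not in SSHFP_HASHES:
            continue
        applicable += 1
        if SSHFP_HASHES[int(t)](blob).hexdigest() == hexfp.lower():
            return "match"
    return "mismatch" if applicable else "no-record"


# Constructed sample: an Ed25519 key whose 32 public-key bytes are 0x00..0x1f.
# Not a real host key; it only exercises the encoding and comparison path.
_CONSTRUCTED_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
CONSTRUCTED_PUBKEY_LINE = ("ssh-ed25519 "
                           + base64.b64encode(_CONSTRUCTED_BLOB).decode()
                           + " host.example.org")

if __name__ == "__main__":
    records = sshfp_records("host.example.org.", CONSTRUCTED_PUBKEY_LINE)
    for rr in records:
        print(rr)
    # Feed the published RDATA back in, as a resolver answer would arrive.
    rdata = [rr.split(" IN SSHFP ")[1] for rr in records]
    print(check_host_key(CONSTRUCTED_PUBKEY_LINE, rdata))
```

A "match" here only shows that the DNS answer agrees with the key the server presented; unless the resolver validated that answer with DNSSEC, the answer itself is unauthenticated, which is why the committed configuration uses "ask" (report the result, still prompt) rather than trusting the record outright.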
Modified files: Index: src/crypto/external/bsd/openssh/dist/ssh_config diff -u src/crypto/external/bsd/openssh/dist/ssh_config:1.4 src/crypto/external/bsd/openssh/dist/ssh_config:1.5 --- src/crypto/external/bsd/openssh/dist/ssh_config:1.4 Sun Nov 21 18:29:49 2010 +++ src/crypto/external/bsd/openssh/dist/ssh_config Sun Oct 6 17:25:34 2013 @@ -1,4 +1,4 @@ -# $NetBSD: ssh_config,v 1.4 2010/11/21 18:29:49 adam Exp $ +# $NetBSD: ssh_config,v 1.5 2013/10/06 17:25:34 jym Exp $ # $OpenBSD: ssh_config,v 1.26 2010/01/11 01:39:46 dtucker Exp $ # This is the ssh client system-wide configuration file. See @@ -48,3 +48,7 @@ # ProxyCommand ssh -q -W %h:%p gateway.example.com # If you use xorg from pkgsrc then uncomment the following line. # XAuthLocation /usr/pkg/bin/xauth + +# NetBSD.org DNS provides SSHFP records - use them when possible +Host *.netbsd.org *.NetBSD.org + VerifyHostKeyDNS ask
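Review bot: The new comment "NetBSD.org DNS provides SSHFP records - use them when possible" overstates what `VerifyHostKeyDNS ask` does; per the log message the check is purely informational, so the comment should say that a matching or mismatching SSHFP record is reported but the user is still prompted to confirm a new host key, e.g. "# NetBSD.org DNS publishes SSHFP records - report them on first connect (user still confirms)". Readers who later switch this to `yes` should also know that only DNSSEC-validated records are trusted without prompting, which the current comment does not convey.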