mirror of
https://github.com/freebsd/freebsd-src
synced 2024-07-21 18:27:22 +00:00
Change the default value of VerifyHostKeyDNS to "yes" if compiled with
LDNS. With that setting, OpenSSH will silently accept host keys that match verified SSHFP records. If an SSHFP record exists but could not be verified, OpenSSH will print a message and prompt the user as usual. Approved by: re (blanket)
parent
9cfa8b3fee
commit
83c6a5242c
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=255461
|
@ -1435,8 +1435,14 @@ fill_default_options(Options * options)
|
|||
options->enable_ssh_keysign = 0;
|
||||
if (options->rekey_limit == -1)
|
||||
options->rekey_limit = 0;
|
||||
#if HAVE_LDNS
|
||||
if (options->verify_host_key_dns == -1)
|
||||
/* automatically trust a verified SSHFP record */
|
||||
options->verify_host_key_dns = 1;
|
||||
#else
|
||||
if (options->verify_host_key_dns == -1)
|
||||
options->verify_host_key_dns = 0;
|
||||
#endif
|
||||
if (options->server_alive_interval == -1)
|
||||
options->server_alive_interval = 0;
|
||||
if (options->server_alive_count_max == -1)
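Review bot: The comment on the new `HAVE_LDNS` branch in fill_default_options() understates what the default now does: with `verify_host_key_dns = 1`, a host key that matches a verified SSHFP record is accepted without the usual first-contact prompt, so authentication of an unknown host rests entirely on DNSSEC validation. I would spell that out, e.g. `/* default "yes": accept a key matching a DNSSEC-validated SSHFP record without prompting */`, and mention that the `== -1` guard leaves an explicitly configured VerifyHostKeyDNS value untouched. How the record's validated status is established (local validation versus trusting a resolver's answer) is not visible in this hunk and is worth confirming, because it defines the trust boundary the new default relies on. The test `options->verify_host_key_dns == -1` is also duplicated in both preprocessor branches; keeping one `if` and putting the `#if` around the assigned value would stop the two copies drifting apart. The function body starts and ends outside the hunk.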
|
||||
|
|
|
@ -46,4 +46,5 @@
|
|||
# PermitLocalCommand no
|
||||
# VisualHostKey no
|
||||
# ProxyCommand ssh -q -W %h:%p gateway.example.com
|
||||
# VerifyHostKeyDNS yes
|
||||
# VersionAddendum FreeBSD-20130515
|
||||
|
|
|
@ -1219,7 +1219,10 @@ The argument must be
|
|||
or
|
||||
.Dq ask .
|
||||
The default is
|
||||
.Dq no .
|
||||
.Dq yes
|
||||
if compiled with LDNS and
|
||||
.Dq no
|
||||
otherwise.
|
||||
Note that this option applies to protocol version 2 only.
|
||||
.Pp
|
||||
See also
|
||||
|
|