diff options
Diffstat (limited to 'security/openssh-portable/files/extra-patch-ldns')
| -rw-r--r-- | security/openssh-portable/files/extra-patch-ldns | 51 |
1 files changed, 51 insertions, 0 deletions
diff --git a/security/openssh-portable/files/extra-patch-ldns b/security/openssh-portable/files/extra-patch-ldns new file mode 100644 index 000000000000..162d8686a33c --- /dev/null +++ b/security/openssh-portable/files/extra-patch-ldns @@ -0,0 +1,51 @@ +r255461 | des | 2013-09-10 17:30:22 -0500 (Tue, 10 Sep 2013) | 7 lines +Changed paths: + M /head/crypto/openssh/readconf.c + M /head/crypto/openssh/ssh_config + M /head/crypto/openssh/ssh_config.5 + +Change the default value of VerifyHostKeyDNS to "yes" if compiled with +LDNS. With that setting, OpenSSH will silently accept host keys that +match verified SSHFP records. If an SSHFP record exists but could not +be verified, OpenSSH will print a message and prompt the user as usual. + +--- readconf.c 2013-10-03 08:15:03.496131082 -0500 ++++ readconf.c 2013-10-03 08:15:22.716134315 -0500 +@@ -1414,8 +1414,14 @@ fill_default_options(Options * options) + options->rekey_limit = 0; + if (options->rekey_interval == -1) + options->rekey_interval = 0; ++#if HAVE_LDNS ++ if (options->verify_host_key_dns == -1) ++ /* automatically trust a verified SSHFP record */ ++ options->verify_host_key_dns = 1; ++#else + if (options->verify_host_key_dns == -1) + options->verify_host_key_dns = 0; ++#endif + if (options->server_alive_interval == -1) + options->server_alive_interval = 0; + if (options->server_alive_count_max == -1) +--- ssh_config 2013-10-03 08:15:03.537131330 -0500 ++++ ssh_config 2013-10-03 08:15:22.755131175 -0500 +@@ -44,5 +44,6 @@ + # TunnelDevice any:any + # PermitLocalCommand no + # VisualHostKey no ++# VerifyHostKeyDNS yes + # ProxyCommand ssh -q -W %h:%p gateway.example.com + # RekeyLimit 1G 1h +--- ssh_config.5 2013-10-03 08:15:03.621130815 -0500 ++++ ssh_config.5 2013-10-03 08:15:22.851132133 -0500 +@@ -1246,7 +1246,10 @@ The argument must be + or + .Dq ask . + The default is +-.Dq no . ++.Dq yes ++if compiled with LDNS and ++.Dq no ++otherwise. + Note that this option applies to protocol version 2 only. + .Pp + See also VERIFYING HOST KEYS in |