[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: CVS commit: src/crypto/external/bsd/openssh/dist
On Sun, 06 Oct 2013, Jean-Yves Migeon wrote:
Enable VerifyHostKeyDNS (SSHFP records verification) from DNS for hosts
under NetBSD.org domain.
Thank you. I think this is an improvement.
Notified on netbsd-users@, no objection after a week -- committed.
Please discuss such things in the relevant tech-* list (tech-net or
tech-userlevel in this case, I suppose).
+# NetBSD.org DNS provides SSHFP records - use them when possible
+Host *.netbsd.org *.NetBSD.org
+ VerifyHostKeyDNS ask
I have been running similar configuration for some time, but
with with "VerifyHostKeyDNS yes" (not "ask"), and I have had no
problems. The difference between "yes" and "ask" arises only when
the ssh client can be sure that the DNS answer was secured by
DNSSEC; in such a case, "yes" means accept the result silently,
while "ask" means ask the user (the first time). If the DNS
answer was not secured by DNSSEC, then both "yes" and "ask" end up
asking the user.
By the way, I think that's a bug in ssh that the Host patterns are
--apb (Alan Barrett)
Main Index |
Thread Index |