Source-Changes-D archive


Re: CVS commit: src/crypto/external/bsd/openssh/dist

On Sun, 06 Oct 2013, Jean-Yves Migeon wrote:
Modified Files:
        src/crypto/external/bsd/openssh/dist: ssh_config

Log Message:
Enable VerifyHostKeyDNS (SSHFP records verification) from DNS for hosts
under domain.

Thank you.  I think this is an improvement.

Notified on netbsd-users@, no objection after a week -- committed.

Please discuss such things in the relevant tech-* list (tech-net or
tech-userlevel in this case, I suppose).

+# DNS provides SSHFP records - use them when possible
+Host * *
+    VerifyHostKeyDNS ask
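Review bot: the pattern `Host * *` in this hunk applies the setting to every host, which does not match the log message's "for hosts under domain"; if the intent is to limit it to one domain, the pattern should name that domain suffix (and, given the reply's point that Host patterns are matched case-sensitively, each capitalization the client might be given), and the second `*` is redundant in either reading.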

I have been running similar configuration for some time, but with "VerifyHostKeyDNS yes" (not "ask"), and I have had no problems. The difference between "yes" and "ask" arises only when the ssh client can be sure that the DNS answer was secured by DNSSEC; in such a case, "yes" means accept the result silently, while "ask" means ask the user (the first time). If the DNS answer was not secured by DNSSEC, then both "yes" and "ask" end up asking the user.

By the way, I think that's a bug in ssh that the Host patterns are case sensitive.

--apb (Alan Barrett)
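As an added illustration of the "yes"/"ask" semantics discussed in this thread (example code, not from the mail or from OpenSSH itself): a small Python model that derives the SSHFP fingerprint from an OpenSSH host public key the way `ssh-keygen -r` publishes it, compares it with SSHFP RDATA, and returns what the client would do under each VerifyHostKeyDNS setting. The key and records are constructed sample data, and the handling of missing or mismatching records is a simplifying assumption.

```python
import base64
import hashlib

# SSHFP algorithm and fingerprint-type numbers (RFC 4255, RFC 6594, RFC 7479).
KEY_ALGS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
            "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
            "ssh-ed25519": 4}
FP_TYPES = {1: "sha1", 2: "sha256"}

# Constructed sample key (fixed filler bytes as the point); NOT a real host key.
_BLOB = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + b"\x11" * 32
SAMPLE_KEY = "ssh-ed25519 " + base64.b64encode(_BLOB).decode() + " example-host"


def sshfp_from_pubkey(pubkey_line, fp_type=2):
    """Return (alg, fptype, hexfp) for an OpenSSH public-key line, i.e. the
    RDATA 'ssh-keygen -r' would emit: the hash covers the raw key blob."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    digest = hashlib.new(FP_TYPES[fp_type], blob).hexdigest()
    return (KEY_ALGS[keytype], fp_type, digest)


def parse_sshfp(rdata):
    """Parse presentation-format RDATA '<alg> <fptype> <hex...>'; DNS tools
    may split the hex into space-separated groups, so those are joined."""
    alg, fptype, fp = rdata.split(None, 2)
    return (int(alg), int(fptype), fp.replace(" ", "").lower())


def decide(pubkey_line, sshfp_rdata, dnssec_secure, mode="ask"):
    """Model the client behaviour described in the mail.
    'accept' = trust silently, 'ask' = prompt the user, 'mismatch' = the DNS
    data contradicts the offered key.  Assumption (simplification): with no
    records the client falls back to the normal prompt, and a mismatch is
    never accepted; the real client additionally prints a warning."""
    if not sshfp_rdata:
        return "ask"
    published = {parse_sshfp(r) for r in sshfp_rdata}
    offered = {sshfp_from_pubkey(pubkey_line, t) for t in FP_TYPES}
    if not (offered & published):
        return "mismatch"
    if mode == "yes" and dnssec_secure:
        return "accept"      # the only case with no prompt at all
    return "ask"             # "ask", or "yes" without DNSSEC validation
```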
