Re: CVS commit: src/crypto/external/bsd/openssh/dist

[Alan Barrett <apb%cequrux.com@localhost>]

On Sun, 06 Oct 2013, Jean-Yves Migeon wrote:
> Modified Files:
>         src/crypto/external/bsd/openssh/dist: ssh_config
>
> Log Message:
> Enable VerifyHostKeyDNS (SSHFP records verification) from DNS for hosts
> under NetBSD.org domain.

Thank you.  I think this is an improvement.

> Notified on netbsd-users@, no objection after a week -- committed.

Please discuss such things in the relevant tech-* list (tech-net or
tech-userlevel in this case, I suppose).

> +# NetBSD.org DNS provides SSHFP records - use them when possible
> +Host *.netbsd.org *.NetBSD.org
> +    VerifyHostKeyDNS ask

I have been running similar configuration for some time, but 
with with "VerifyHostKeyDNS yes" (not "ask"), and I have had no 
problems.  The difference between "yes" and "ask" arises only when 
the ssh client can be sure that the DNS answer was secured by 
DNSSEC; in such a case, "yes" means accept the result silently, 
while "ask" means ask the user (the first time).  If the DNS 
answer was not secured by DNSSEC, then both "yes" and "ask" end up 
asking the user.

By the way, I think that's a bug in ssh that the Host patterns are 
case sensitive.

--apb (Alan Barrett)