Source-Changes archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

CVS commit: src/crypto/external/bsd/openssh/dist

Module Name:    src
Committed By:   jym
Date:           Sun Oct  6 17:25:34 UTC 2013

Modified Files:
        src/crypto/external/bsd/openssh/dist: ssh_config

Log Message:
Enable VerifyHostKeyDNS (SSHFP records verification) from DNS for hosts
under domain.

Multiple TNF hosts have an up-to-date SSHFP record inside the DNS.
This offers a second channel verification for host key fingerprints
(weaker than known_hosts, but spoofing a host on first connect would
also require DNS forgery).

This can provide a trusted second channel (like DANE TLSA records) once
DNSSEC gets more widely used, but for now it is purely informational.

No regression expected, except that the ssh client will print a message
upon first connect to confirm/infirm that it got a correct SSHFP record
from DNS.

Only done for domain, SSHFP are sadly more an exception than
the rule.

Notified on netbsd-users@, no objection after a week -- committed.

To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.5 src/crypto/external/bsd/openssh/dist/ssh_config

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Home | Main Index | Thread Index | Old Index