[src/trunk]: src/crypto/external/bsd/openssh/dist Enable VerifyHostKeyDNS (SS...

To: source-changes-hg%NetBSD.org@localhost
Subject: [src/trunk]: src/crypto/external/bsd/openssh/dist Enable VerifyHostKeyDNS (SS...
From: jym <jym%NetBSD.org@localhost>
Date: Tue, 07 Apr 2020 01:22:15 +0000

details:   https://anonhg.NetBSD.org/src/rev/a876c3d5a88e
branches:  trunk
changeset: 790412:a876c3d5a88e
user:      jym <jym%NetBSD.org@localhost>
date:      Sun Oct 06 17:25:34 2013 +0000

description:
Enable VerifyHostKeyDNS (SSHFP records verification) from DNS for hosts
under NetBSD.org domain.

Multiple TNF hosts have an up-to-date SSHFP record inside the DNS.
This offers a second channel verification for host key fingerprints
(weaker than known_hosts, but spoofing a host on first connect would
also require DNS forgery).

This can provide a trusted second channel (like DANE TLSA records) once
DNSSEC gets more widely used, but for now it is purely informational.

No regression expected, except that the ssh client will print a message
upon first connect to confirm/infirm that it got a correct SSHFP record
from DNS.

Only done for NetBSD.org domain, SSHFP are sadly more an exception than
the rule.

Notified on netbsd-users@, no objection after a week -- committed.

diffstat:

 crypto/external/bsd/openssh/dist/ssh_config |  6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)

diffs (17 lines):

diff -r ba034617f305 -r a876c3d5a88e crypto/external/bsd/openssh/dist/ssh_config
--- a/crypto/external/bsd/openssh/dist/ssh_config       Sun Oct 06 17:14:49 2013 +0000
+++ b/crypto/external/bsd/openssh/dist/ssh_config       Sun Oct 06 17:25:34 2013 +0000
@@ -1,4 +1,4 @@
-#      $NetBSD: ssh_config,v 1.4 2010/11/21 18:29:49 adam Exp $
+#      $NetBSD: ssh_config,v 1.5 2013/10/06 17:25:34 jym Exp $
 #      $OpenBSD: ssh_config,v 1.26 2010/01/11 01:39:46 dtucker Exp $
 
 # This is the ssh client system-wide configuration file.  See
@@ -48,3 +48,7 @@
 #   ProxyCommand ssh -q -W %h:%p gateway.example.com
 # If you use xorg from pkgsrc then uncomment the following line.
 #   XAuthLocation /usr/pkg/bin/xauth
+
+# NetBSD.org DNS provides SSHFP records - use them when possible
+Host *.netbsd.org *.NetBSD.org
+    VerifyHostKeyDNS ask

Prev by Date: [src/trunk]: src/usr.bin/man add more compression suffixes and local suffixes.
Next by Date: [src/trunk]: src/usr.bin/iconv Save errno around fwrite(), which can otherwis...
Previous by Thread: [src/trunk]: src/usr.bin/man add more compression suffixes and local suffixes.
Next by Thread: [src/trunk]: src/usr.bin/iconv Save errno around fwrite(), which can otherwis...
Indexes:

Home | Main Index | Thread Index | Old Index