CVS commit: src/crypto/external/bsd/openssh/dist

To: source-changes%NetBSD.org@localhost
Subject: CVS commit: src/crypto/external/bsd/openssh/dist
From: "Jean-Yves Migeon" <jym%netbsd.org@localhost>
Date: Sun, 6 Oct 2013 17:25:34 +0000

Module Name:    src
Committed By:   jym
Date:           Sun Oct  6 17:25:34 UTC 2013

Modified Files:
        src/crypto/external/bsd/openssh/dist: ssh_config

Log Message:
Enable VerifyHostKeyDNS (SSHFP records verification) from DNS for hosts
under NetBSD.org domain.

Multiple TNF hosts have an up-to-date SSHFP record inside the DNS.
This offers a second channel verification for host key fingerprints
(weaker than known_hosts, but spoofing a host on first connect would
also require DNS forgery).

This can provide a trusted second channel (like DANE TLSA records) once
DNSSEC gets more widely used, but for now it is purely informational.

No regression expected, except that the ssh client will print a message
upon first connect to confirm/infirm that it got a correct SSHFP record
from DNS.

Only done for NetBSD.org domain, SSHFP are sadly more an exception than
the rule.

Notified on netbsd-users@, no objection after a week -- committed.


To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.5 src/crypto/external/bsd/openssh/dist/ssh_config

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Prev by Date: CVS commit: src/usr.bin/man
Next by Date: CVS commit: src
Previous by Thread: CVS commit: src/usr.bin/man
Next by Thread: CVS commit: src
Indexes:

Home | Main Index | Thread Index | Old Index