Enable VerifyHostKeyDNS (SSHFP records verification) from DNS for hosts
under NetBSD.org domain.

Multiple TNF hosts have an up-to-date SSHFP record inside the DNS.
This offers a second channel verification for host key fingerprints
(weaker than known_hosts, but spoofing a host on first connect would
also require DNS forgery).

This can provide a trusted second channel (like DANE TLSA records) once
DNSSEC gets more widely used, but for now it is purely informational.

No regression expected, except that the ssh client will print a message
upon first connect to confirm/infirm that it got a correct SSHFP record
from DNS.

Only done for NetBSD.org domain, SSHFP records are sadly more the exception
than the rule.

Notified on netbsd-users@, no objection after a week -- committed.
jym 2013-10-06 17:25:34 +00:00
parent 8818316ba3
commit c8b47a469d
1 changed file with 5 additions and 1 deletion


@ -1,4 +1,4 @@
# $NetBSD: ssh_config,v 1.4 2010/11/21 18:29:49 adam Exp $
# $NetBSD: ssh_config,v 1.5 2013/10/06 17:25:34 jym Exp $
# $OpenBSD: ssh_config,v 1.26 2010/01/11 01:39:46 dtucker Exp $
# This is the ssh client system-wide configuration file. See
@ -48,3 +48,7 @@
# ProxyCommand ssh -q -W %h:%p gateway.example.com
# If you use xorg from pkgsrc then uncomment the following line.
# XAuthLocation /usr/pkg/bin/xauth
# NetBSD.org DNS provides SSHFP records - use them when possible
Host *.netbsd.org *.NetBSD.org
VerifyHostKeyDNS ask
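Review bot: the `Host *.netbsd.org *.NetBSD.org` pattern in this hunk only matches names that carry a label before `netbsd.org`, so a connection to the bare apex name, or to a short hostname that the resolver completes through its search list, does not pick up `VerifyHostKeyDNS ask` even though the commit message targets "hosts under NetBSD.org domain"; consider adding the plain `netbsd.org` pattern or stating the limitation in the comment. The comment line `# NetBSD.org DNS provides SSHFP records - use them when possible` would also benefit from echoing what the commit message already says, namely that without DNSSEC the SSHFP answer is purely informational and `ask` still leaves the decision to the user on first connect, so readers of ssh_config do not mistake the record for an authenticated second channel.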