git: 43fd77233cd4 - stable/13 - ssh: default VerifyHostKeyDNS to no, following upstream

From: Ed Maste <emaste_at_FreeBSD.org>
Date: Thu, 02 Mar 2023 03:10:00 UTC
The branch stable/13 has been updated by emaste:

URL: https://cgit.FreeBSD.org/src/commit/?id=43fd77233cd49061839cfdd936cfeba53e9855c3

commit 43fd77233cd49061839cfdd936cfeba53e9855c3
Author:     Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2023-02-17 01:26:41 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2023-03-02 03:09:45 +0000

    ssh: default VerifyHostKeyDNS to no, following upstream
    
    Revert to upstream's default.  Using VerifyHostKeyDNS may depend on a
    trusted nameserver and network path.
    
    This reverts commit 83c6a5242c80160fff76fb85454938761645b0c4.
    
    Reported by:    David Leadbeater, G-Research
    Reviewed by:    gordon
    Relnotes:       Yes
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D38648
    
    (cherry picked from commit 41ff5ea22cb95deb9e7415510eb2f5f00b91537a)
---
 crypto/openssh/FREEBSD-upgrade | 1 -
 crypto/openssh/readconf.c      | 6 ------
 crypto/openssh/ssh_config      | 1 -
 crypto/openssh/ssh_config.5    | 5 +----
 4 files changed, 1 insertion(+), 12 deletions(-)

diff --git a/crypto/openssh/FREEBSD-upgrade b/crypto/openssh/FREEBSD-upgrade
index c8603577a2a2..17161df93316 100644
--- a/crypto/openssh/FREEBSD-upgrade
+++ b/crypto/openssh/FREEBSD-upgrade
@@ -136,7 +136,6 @@
    We've modified some configuration defaults in ssh:
 
       - CheckHostIP defaults to "no".
-      - VerifyHostKeyDNS defaults to "yes" if built with LDNS.
       - VersionAddendum defaults to "FreeBSD-YYYYMMDD".
 
 3) Canonic host names
diff --git a/crypto/openssh/readconf.c b/crypto/openssh/readconf.c
index 3440d05e4e3b..52c9c47c6879 100644
--- a/crypto/openssh/readconf.c
+++ b/crypto/openssh/readconf.c
@@ -2611,14 +2611,8 @@ fill_default_options(Options * options)
 		options->rekey_limit = 0;
 	if (options->rekey_interval == -1)
 		options->rekey_interval = 0;
-#if HAVE_LDNS
-	if (options->verify_host_key_dns == -1)
-		/* automatically trust a verified SSHFP record */
-		options->verify_host_key_dns = 1;
-#else
 	if (options->verify_host_key_dns == -1)
 		options->verify_host_key_dns = 0;
-#endif
 	if (options->server_alive_interval == -1)
 		options->server_alive_interval = 0;
 	if (options->server_alive_count_max == -1)
diff --git a/crypto/openssh/ssh_config b/crypto/openssh/ssh_config
index 7c7ad542e4ef..2dee303a128e 100644
--- a/crypto/openssh/ssh_config
+++ b/crypto/openssh/ssh_config
@@ -44,5 +44,4 @@
 #   ProxyCommand ssh -q -W %h:%p gateway.example.com
 #   RekeyLimit 1G 1h
 #   UserKnownHostsFile ~/.ssh/known_hosts.d/%k
-#   VerifyHostKeyDNS yes
 #   VersionAddendum FreeBSD-20220415
diff --git a/crypto/openssh/ssh_config.5 b/crypto/openssh/ssh_config.5
index b642c5a6b17a..d783ea6ff835 100644
--- a/crypto/openssh/ssh_config.5
+++ b/crypto/openssh/ssh_config.5
@@ -1994,10 +1994,7 @@ need to confirm new host keys according to the
 .Cm StrictHostKeyChecking
 option.
 The default is
-.Cm yes
-if compiled with LDNS and
-.Cm no
-otherwise.
+.Cm no .
 .Pp
 See also
 .Sx VERIFYING HOST KEYS