git: 43fd77233cd4 - stable/13 - ssh: default VerifyHostKeyDNS to no, following upstream
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Thu, 02 Mar 2023 03:10:00 UTC
The branch stable/13 has been updated by emaste: URL: https://cgit.FreeBSD.org/src/commit/?id=43fd77233cd49061839cfdd936cfeba53e9855c3 commit 43fd77233cd49061839cfdd936cfeba53e9855c3 Author: Ed Maste <emaste@FreeBSD.org> AuthorDate: 2023-02-17 01:26:41 +0000 Commit: Ed Maste <emaste@FreeBSD.org> CommitDate: 2023-03-02 03:09:45 +0000 ssh: default VerifyHostKeyDNS to no, following upstream Revert to upstream's default. Using VerifyHostKeyDNS may depend on a trusted nameserver and network path. This reverts commit 83c6a5242c80160fff76fb85454938761645b0c4. Reported by: David Leadbeater, G-Research Reviewed by: gordon Relnotes: Yes Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D38648 (cherry picked from commit 41ff5ea22cb95deb9e7415510eb2f5f00b91537a) --- crypto/openssh/FREEBSD-upgrade | 1 - crypto/openssh/readconf.c | 6 ------ crypto/openssh/ssh_config | 1 - crypto/openssh/ssh_config.5 | 5 +---- 4 files changed, 1 insertion(+), 12 deletions(-) diff --git a/crypto/openssh/FREEBSD-upgrade b/crypto/openssh/FREEBSD-upgrade index c8603577a2a2..17161df93316 100644 --- a/crypto/openssh/FREEBSD-upgrade +++ b/crypto/openssh/FREEBSD-upgrade @@ -136,7 +136,6 @@ We've modified some configuration defaults in ssh: - CheckHostIP defaults to "no". - - VerifyHostKeyDNS defaults to "yes" if built with LDNS. - VersionAddendum defaults to "FreeBSD-YYYYMMDD". 3) Canonic host names diff --git a/crypto/openssh/readconf.c b/crypto/openssh/readconf.c index 3440d05e4e3b..52c9c47c6879 100644 --- a/crypto/openssh/readconf.c +++ b/crypto/openssh/readconf.c @@ -2611,14 +2611,8 @@ fill_default_options(Options * options) options->rekey_limit = 0; if (options->rekey_interval == -1) options->rekey_interval = 0; -#if HAVE_LDNS - if (options->verify_host_key_dns == -1) - /* automatically trust a verified SSHFP record */ - options->verify_host_key_dns = 1; -#else if (options->verify_host_key_dns == -1) options->verify_host_key_dns = 0; -#endif if (options->server_alive_interval == -1) options->server_alive_interval = 0; if (options->server_alive_count_max == -1) diff --git a/crypto/openssh/ssh_config b/crypto/openssh/ssh_config index 7c7ad542e4ef..2dee303a128e 100644 --- a/crypto/openssh/ssh_config +++ b/crypto/openssh/ssh_config @@ -44,5 +44,4 @@ # ProxyCommand ssh -q -W %h:%p gateway.example.com # RekeyLimit 1G 1h # UserKnownHostsFile ~/.ssh/known_hosts.d/%k -# VerifyHostKeyDNS yes # VersionAddendum FreeBSD-20220415 diff --git a/crypto/openssh/ssh_config.5 b/crypto/openssh/ssh_config.5 index b642c5a6b17a..d783ea6ff835 100644 --- a/crypto/openssh/ssh_config.5 +++ b/crypto/openssh/ssh_config.5 @@ -1994,10 +1994,7 @@ need to confirm new host keys according to the .Cm StrictHostKeyChecking option. The default is -.Cm yes -if compiled with LDNS and -.Cm no -otherwise. +.Cm no . .Pp See also .Sx VERIFYING HOST KEYS