Module Name:	src
Committed By:	jym
Date:		Sun Oct 6 17:25:34 UTC 2013

Modified Files:
	src/crypto/external/bsd/openssh/dist: ssh_config

Log Message:
Enable VerifyHostKeyDNS (SSHFP records verification) from DNS for hosts
under NetBSD.org domain.

Multiple TNF hosts have an up-to-date SSHFP record inside the DNS. This
offers a second channel verification for host key fingerprints (weaker
than known_hosts, but spoofing a host on first connect would also require
DNS forgery).

This can provide a trusted second channel (like DANE TLSA records) once
DNSSEC gets more widely used, but for now it is purely informational.

No regression expected, except that the ssh client will print a message
upon first connect to confirm/infirm that it got a correct SSHFP record
from DNS.

Only done for NetBSD.org domain, SSHFP are sadly more an exception than
the rule.

Notified on netbsd-users@, no objection after a week -- committed.

To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.5 src/crypto/external/bsd/openssh/dist/ssh_config

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
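The comparison an SSHFP check rests on, as an added example that is not part of this commit or of OpenSSH: it derives the SSHFP fields from a host public key and compares them with a published record. The key, host name and helper names are constructed for illustration, and no DNS lookup or DNSSEC validation is performed.

```python
import base64
import hashlib
import struct

# SSHFP key algorithm numbers (RFC 4255, RFC 6594, RFC 7479)
KEY_ALGS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3, "ssh-ed25519": 4}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256
FP_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def sshfp_fields(pubkey_line, fp_type=2):
    """Return (algorithm, fp_type, hex digest) for one OpenSSH public key line."""
    key_type, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    # The blob begins with a length-prefixed copy of the key type label.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode("ascii"):
        raise ValueError("key type label does not match key blob")
    # The fingerprint is the digest of the whole wire-format public key blob.
    return KEY_ALGS[key_type], fp_type, FP_TYPES[fp_type](blob).hexdigest()


def matches_record(pubkey_line, record):
    """Compare a presented host key with an SSHFP record in zone-file text form."""
    try:
        fields = record.split()
        i = fields.index("SSHFP")
        alg, fp_type = int(fields[i + 1]), int(fields[i + 2])
        published = "".join(fields[i + 3:]).lower()
        return sshfp_fields(pubkey_line, fp_type) == (alg, fp_type, published)
    except (KeyError, ValueError, IndexError):
        return False  # malformed record, unknown algorithm or unknown digest type


def constructed_key(seed):
    """Build a syntactically valid ssh-ed25519 key line from constructed bytes."""
    raw = hashlib.sha256(seed).digest()  # 32 constructed bytes, not a real host key
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed"


if __name__ == "__main__":
    key = constructed_key(b"host-a")
    record = "host.example. IN SSHFP %d %d %s" % sshfp_fields(key)
    print(record)
    print("same key matches:", matches_record(key, record))
    print("other key matches:", matches_record(constructed_key(b"host-b"), record))
```

A match here says only that the key agrees with the record text; without DNSSEC validation the record itself is unauthenticated, which is why the log message calls the check purely informational.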