Commit
Enable VerifyHostKeyDNS (SSHFP records verification) from DNS for hosts
under NetBSD.org domain.

Multiple TNF hosts have an up-to-date SSHFP record inside the DNS.
This offers a second channel verification for host key fingerprints
(weaker than known_hosts, but spoofing a host on first connect would
also require DNS forgery).

This can provide a trusted second channel (like DANE TLSA records) once
DNSSEC gets more widely used, but for now it is purely informational.

No regression expected, except that the ssh client will print a message
upon first connect to confirm/infirm that it got a correct SSHFP record
from DNS.

Only done for the NetBSD.org domain; SSHFP records are sadly more the exception than
the rule.

Notified on netbsd-users@, no objection after a week -- committed.
jymigeon committed Oct 6, 2013
1 parent 7b1e747 commit 4a4d474
Showing 1 changed file with 5 additions and 1 deletion.
6 changes: 5 additions & 1 deletion crypto/external/bsd/openssh/dist/ssh_config
@@ -1,4 +1,4 @@
# $NetBSD: ssh_config,v 1.4 2010/11/21 18:29:49 adam Exp $
# $NetBSD: ssh_config,v 1.5 2013/10/06 17:25:34 jym Exp $
# $OpenBSD: ssh_config,v 1.26 2010/01/11 01:39:46 dtucker Exp $

# This is the ssh client system-wide configuration file. See
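Review bot: nothing to flag in this hunk; it only bumps the $NetBSD RCS ID from v1.4 to v1.5 (2013/10/06, jym), which is consistent with the commit date and author shown above, and leaves the $OpenBSD line and the surrounding comment untouched.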
@@ -48,3 +48,7 @@
# ProxyCommand ssh -q -W %h:%p gateway.example.com
# If you use xorg from pkgsrc then uncomment the following line.
# XAuthLocation /usr/pkg/bin/xauth

# NetBSD.org DNS provides SSHFP records - use them when possible
Host *.netbsd.org *.NetBSD.org
VerifyHostKeyDNS ask
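Review bot: the pattern list `*.netbsd.org *.NetBSD.org` matches subdomains only, so a connection to the bare `netbsd.org` name gets no SSHFP lookup; if hosts at the apex are meant to be covered, add `netbsd.org` (and `NetBSD.org`) to the `Host` line. The new comment `use them when possible` could also state what `ask` actually does, as the commit message does: the user is still prompted on first connect, and the DNS result is informational unless the resolver validated it with DNSSEC, e.g. `# VerifyHostKeyDNS ask: report SSHFP match/mismatch from DNS, still prompt`. Note also that the block is appended after the commented-out `# XAuthLocation` line with no trailing context in the hunk, so any later `Host *` stanza added below it would not affect these two lines.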

0 comments on commit 4a4d474
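As an added illustration of what the SSHFP check described in the commit message does on the client side (this is example code written for this page, not part of the NetBSD commit and not OpenSSH's implementation), the script below builds the SSHFP records for an OpenSSH public key line the way `ssh-keygen -r` would, compares a DNS answer set against them, and applies the `ask`/`yes` policy from the commit message: a match is only trusted without a prompt when the answer was DNSSEC-validated. The host key is a constructed ed25519 blob (not a real key), and the function names `sshfp_records`, `verify_host_key_dns` and `dns_verdict` are this example's own.

```python
"""Compute SSHFP records (RFC 4255 / RFC 6594) for an OpenSSH public key
and check a DNS answer against them, mirroring the VerifyHostKeyDNS
check. Added example for this page; not the NetBSD or OpenSSH code."""
import base64
import hashlib
import struct

# RFC 4255 / RFC 6594 code points for the two SSHFP RDATA fields.
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1, "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3, "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_FPTYPES = {"sha1": 1, "sha256": 2}


def _ssh_string(b):
    """SSH wire-format string: 4-byte big-endian length followed by bytes."""
    return struct.pack(">I", len(b)) + b


# Constructed (not real) ed25519 host key: type string plus 32 key bytes.
CONSTRUCTED_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
CONSTRUCTED_PUBKEY_LINE = (
    "ssh-ed25519 " + base64.b64encode(CONSTRUCTED_BLOB).decode() + " host.example"
)


def sshfp_records(pubkey_line):
    """Return (algorithm, fptype, hex fingerprint) tuples for one
    known_hosts/authorized_keys-style line. The fingerprint is a hash of
    the raw base64-decoded key blob, which is what ssh-keygen -r emits."""
    keytype, b64, *_ = pubkey_line.split()
    blob = base64.b64decode(b64)
    alg = SSHFP_ALGORITHMS[keytype]
    return [
        (alg, SSHFP_FPTYPES["sha1"], hashlib.sha1(blob).hexdigest()),
        (alg, SSHFP_FPTYPES["sha256"], hashlib.sha256(blob).hexdigest()),
    ]


def verify_host_key_dns(pubkey_line, answers, dnssec_validated):
    """Compare the presented host key with SSHFP answers from DNS.
    answers: iterable of (algorithm, fptype, hex fingerprint) tuples.
    Returns found (records exist for this key's algorithm), match (one of
    them equals the local fingerprint) and secure (found and the answer
    carried DNSSEC validation)."""
    local = sshfp_records(pubkey_line)
    alg = local[0][0]
    relevant = [(a, t, fp.lower()) for a, t, fp in answers if a == alg]
    found = bool(relevant)
    match = any(rec in local for rec in relevant)
    return {"found": found, "match": match, "secure": found and dnssec_validated}


def dns_verdict(result, policy):
    """Apply the VerifyHostKeyDNS policy to a verification result.
    'yes': trust a DNSSEC-validated match without prompting.
    'ask': always prompt, but report whether DNS agreed.
    Insecure (non-DNSSEC) answers are informational under both policies."""
    if policy not in ("yes", "ask"):
        raise ValueError("policy must be 'yes' or 'ask'")
    if policy == "yes" and result["match"] and result["secure"]:
        return "trust"
    if not result["found"]:
        return "prompt_no_record"
    return "prompt_with_match" if result["match"] else "prompt_with_mismatch"


def zone_lines(owner, pubkey_line):
    """Render the records in the zone-file form that ssh-keygen -r prints."""
    return [f"{owner} IN SSHFP {alg} {fpt} {fp}"
            for alg, fpt, fp in sshfp_records(pubkey_line)]


if __name__ == "__main__":
    for line in zone_lines("host.example", CONSTRUCTED_PUBKEY_LINE):
        print(line)
    published = sshfp_records(CONSTRUCTED_PUBKEY_LINE)  # what the zone serves
    for validated in (False, True):
        res = verify_host_key_dns(CONSTRUCTED_PUBKEY_LINE, published, validated)
        print(f"dnssec={validated}: ask -> {dns_verdict(res, 'ask')}, "
              f"yes -> {dns_verdict(res, 'yes')}")
```

On a real host the records are produced with `ssh-keygen -r <hostname>` from the server's public key files and looked up with `dig <hostname> SSHFP`; the script's `dnssec_validated` flag stands in for the AD bit the client's resolver sets on a validated answer, which is the part the commit message says is still missing for most zones.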
