On Sun, 06 Oct 2013, Jean-Yves Migeon wrote:
Modified Files:
src/crypto/external/bsd/openssh/dist: ssh_config
Log Message:
Enable VerifyHostKeyDNS (SSHFP records verification) from DNS for hosts
under NetBSD.org domain.
Thank you. I think this is an improvement.
Notified on netbsd-users@, no objection after a week -- committed.
Please discuss such things in the relevant tech-* list (tech-net or
tech-userlevel in this case, I suppose).
+# NetBSD.org DNS provides SSHFP records - use them when possible
+Host *.netbsd.org *.NetBSD.org
+ VerifyHostKeyDNS ask
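Review bot: The two patterns `*.netbsd.org *.NetBSD.org` cover only those two spellings, and because Host patterns are matched case-sensitively a user who types `ssh foo.NETBSD.ORG` (or any other mixed case) gets no SSHFP verification at all; likewise `*.netbsd.org` does not match the bare hostname `netbsd.org`. Consider adding the bare names (`netbsd.org NetBSD.org`) to the pattern list and spelling out in the comment that `ask` still prompts on first use even when the records are DNSSEC-validated, so readers do not expect silent acceptance from "use them when possible".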
I have been running similar configuration for some time, but
with "VerifyHostKeyDNS yes" (not "ask"), and I have had no
problems. The difference between "yes" and "ask" arises only when
the ssh client can be sure that the DNS answer was secured by
DNSSEC; in such a case, "yes" means accept the result silently,
while "ask" means ask the user (the first time). If the DNS
answer was not secured by DNSSEC, then both "yes" and "ask" end up
asking the user.
By the way, I think that's a bug in ssh that the Host patterns are
case sensitive.
--apb (Alan Barrett)
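As an added illustration of what the thread is discussing (this is example code, not part of the NetBSD commit or of OpenSSH): the script below derives SSHFP rdata from an OpenSSH public key the way `ssh-keygen -r` does, parses the presentation form of an SSHFP answer, and models the client's decision for a record that matches with and without DNSSEC validation. The ssh-ed25519 key is a constructed fixed byte pattern, not a real key, the `verify_host_key` decision table is a simplified assumption of this example rather than OpenSSH's own code, and no DNS is queried.

```python
"""SSHFP worked example (added here; not from the NetBSD commit, the
mailing-list thread or OpenSSH).  Computes SSHFP records from an OpenSSH
public key and models how a client uses DNS answers for them."""
import base64
import hashlib
import struct

# SSHFP code points (RFC 4255, RFC 6594, RFC 7479)
SSHFP_ALGORITHM = {"ssh-rsa": 1, "ssh-dss": 2,
                   "ecdsa-sha2-nistp256": 3, "ecdsa-sha2-nistp384": 3,
                   "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
SSHFP_FPTYPE = {1: hashlib.sha1, 2: hashlib.sha256}


def constructed_key_line():
    """A made-up ssh-ed25519 key in authorized_keys/known_hosts form.
    The 32 key bytes are a fixed pattern (constructed, not a real key);
    the blob layout string(type) || string(key) is OpenSSH's wire format."""
    pk = bytes(range(32))
    blob = (struct.pack(">I", len(b"ssh-ed25519")) + b"ssh-ed25519"
            + struct.pack(">I", len(pk)) + pk)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " example@host"


def parse_public_key_line(line):
    """Return (key type, raw key blob) from an OpenSSH public key line."""
    keytype, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    (n,) = struct.unpack(">I", blob[:4])        # first field: the type name
    if blob[4:4 + n].decode() != keytype:
        raise ValueError("key type field does not match blob")
    return keytype, blob


def sshfp_records(line, fptypes=(1, 2)):
    """SSHFP rdata (algorithm, fptype, hex fingerprint) for the key; the
    fingerprint is the hash of the whole key blob, as ssh-keygen -r emits."""
    keytype, blob = parse_public_key_line(line)
    alg = SSHFP_ALGORITHM[keytype]
    return [(alg, t, SSHFP_FPTYPE[t](blob).hexdigest()) for t in fptypes]


def parse_sshfp_rr(text):
    """Parse presentation form 'owner [ttl] [IN] SSHFP alg fptype hex'."""
    fields = text.split()
    i = fields.index("SSHFP")
    alg, fptype = int(fields[i + 1]), int(fields[i + 2])
    hexfp = "".join(fields[i + 3:]).lower()     # hex may span whitespace
    if not hexfp or any(c not in "0123456789abcdef" for c in hexfp):
        raise ValueError("fingerprint is not hex")
    return alg, fptype, hexfp


def verify_host_key(line, answers, secure):
    """Simplified decision model (an assumption of this example, not
    OpenSSH's code) for SSHFP answers `answers` = [(alg, fptype, hex)]:
      no usable record            -> 'no-record'  (fall back to known_hosts)
      match, DNSSEC-validated     -> 'accept'     ('yes' accepts silently;
                                                   'ask' still prompts once)
      match, not DNSSEC-validated -> 'ask'        (both settings prompt)
      records present, none match -> 'mismatch'   (warn, do not trust)"""
    keytype, blob = parse_public_key_line(line)
    alg = SSHFP_ALGORITHM[keytype]
    usable = [a for a in answers if a[0] == alg and a[1] in SSHFP_FPTYPE]
    if not usable:
        return "no-record"
    for _, fptype, hexfp in usable:
        if SSHFP_FPTYPE[fptype](blob).hexdigest() == hexfp:
            return "accept" if secure else "ask"
    return "mismatch"


if __name__ == "__main__":
    key = constructed_key_line()
    for alg, fptype, fp in sshfp_records(key):
        print("www.example.org IN SSHFP %d %d %s" % (alg, fptype, fp))
    rr = parse_sshfp_rr("www.example.org IN SSHFP 4 2 "
                        + sshfp_records(key, (2,))[0][2])
    print("DNSSEC-validated:", verify_host_key(key, [rr], secure=True))
    print("unvalidated:     ", verify_host_key(key, [rr], secure=False))
```

Running it prints the two SSHFP lines (SHA-1 and SHA-256 fingerprints) for the constructed key, then "accept" for a validated answer and "ask" for the same answer without DNSSEC, which is the distinction Alan describes between the two settings.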