- jakob@cvs.openbsd.org 2003/11/12 16:39:58

[dns.c dns.h readconf.c ssh_config.5 sshconnect.c] update SSHFP validation. ok markus@
author: Damien Miller <djm@mindrot.org> 2003-11-17 21:19:29 +1100
committer: Damien Miller <djm@mindrot.org> 2003-11-17 21:19:29 +1100
commit: 150b55745b5a0790cfc8d5e6560ab5e7f2f94340 (patch)
tree: a2e1af4415a75cc498ad8ce318607da5cbf273a5 /ssh_config.5
parent: c1f2792bd056dcefef5de55c5cbfdb1f790fd339 (diff)
1 files changed, 18 insertions, 1 deletions
diff --git a/ssh_config.5 b/ssh_config.5
index 9073ce51f..55ca907eb 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.23 2003/10/12 13:12:13 jmc Exp $
+.\" $OpenBSD: ssh_config.5,v 1.24 2003/11/12 16:39:58 jakob Exp $
 .Dd September 25, 1999
 .Dt SSH_CONFIG 5
 .Os
@@ -642,6 +642,23 @@ host key database instead of
 .It Cm VerifyHostKeyDNS
 Specifies whether to verify the remote key using DNS and SSHFP resource
 records.
+If this option is set to
+.Dq yes ,
+the client will implicitly trust keys that matches a secure fingerprint
+from DNS.
+Insecure fingerprints will be handled as if this option was set to
+.Dq ask .
+If this option is set to
+.Dq ask ,
+information on fingerprint match will be displayed, but the user will still
+need to confirm new host keys according to the
+.Cm StrictHostKeyChecking
+option.
+The argument must be
+.Dq yes ,
+.Dq no
+or  
+.Dq ask  .
 The default is
 .Dq no .
 Note that this option applies to protocol version 2 only.
author	Damien Miller <djm@mindrot.org>	2003-11-17 21:19:29 +1100
committer	Damien Miller <djm@mindrot.org>	2003-11-17 21:19:29 +1100
commit	150b55745b5a0790cfc8d5e6560ab5e7f2f94340 (patch)
tree	a2e1af4415a75cc498ad8ce318607da5cbf273a5 /ssh_config.5
parent	c1f2792bd056dcefef5de55c5cbfdb1f790fd339 (diff)

diff --git a/ssh_config.5 b/ssh_config.5 index 9073ce51f..55ca907eb 100644 --- a/ssh_config.5 +++ b/ssh_config.5
@@ -34,7 +34,7 @@
34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36	.\"	36	.\"
37	.\" $OpenBSD: ssh_config.5,v 1.23 2003/10/12 13:12:13 jmc Exp $	37	.\" $OpenBSD: ssh_config.5,v 1.24 2003/11/12 16:39:58 jakob Exp $
38	.Dd September 25, 1999	38	.Dd September 25, 1999
39	.Dt SSH_CONFIG 5	39	.Dt SSH_CONFIG 5
40	.Os	40	.Os
@@ -642,6 +642,23 @@ host key database instead of
642	.It Cm VerifyHostKeyDNS	642	.It Cm VerifyHostKeyDNS
643	Specifies whether to verify the remote key using DNS and SSHFP resource	643	Specifies whether to verify the remote key using DNS and SSHFP resource
644	records.	644	records.
		645	If this option is set to
		646	.Dq yes ,
		647	the client will implicitly trust keys that matches a secure fingerprint
		648	from DNS.
		649	Insecure fingerprints will be handled as if this option was set to
		650	.Dq ask .
		651	If this option is set to
		652	.Dq ask ,
		653	information on fingerprint match will be displayed, but the user will still
		654	need to confirm new host keys according to the
		655	.Cm StrictHostKeyChecking
		656	option.
		657	The argument must be
		658	.Dq yes ,
		659	.Dq no
		660	or
		661	.Dq ask .
645	The default is	662	The default is
646	.Dq no .	663	.Dq no .
647	Note that this option applies to protocol version 2 only.	664	Note that this option applies to protocol version 2 only.