upstream: disable UpdateHostkeys by default if VerifyHostKeyDNS is

enabled; suggested by Mark D. Baushke OpenBSD-Commit-ID: 85a1b88592c81bc85df7ee7787dbbe721a0542bf
2020-10-07 02:18:45 +00:00 · 2020-10-07 02:18:45 +00:00 · e79957e877
parent 3d4c2016ba
commit e79957e877
2 changed files with 9 additions and 6 deletions
--- a/readconf.c
+++ b/readconf.c
@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.337 2020/10/03 09:22:26 djm Exp $ */
+/* $OpenBSD: readconf.c,v 1.338 2020/10/07 02:18:45 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -2168,9 +2168,10 @@ fill_default_options(Options * options)
 		    xstrdup(_PATH_SSH_SYSTEM_HOSTFILE2);
 	}
 	if (options->update_hostkeys == -1) {
-		if (options->num_user_hostfiles == 0 ||
+		if (options->verify_host_key_dns <= 0 &&
+		    (options->num_user_hostfiles == 0 ||
 		    (options->num_user_hostfiles == 1 && strcmp(options->
-		    user_hostfiles[0], _PATH_SSH_USER_HOSTFILE) == 0))
+		    user_hostfiles[0], _PATH_SSH_USER_HOSTFILE) == 0)))
 			options->update_hostkeys = SSH_UPDATE_HOSTKEYS_YES;
 		else
 			options->update_hostkeys = SSH_UPDATE_HOSTKEYS_NO;
--- a/ssh_config.5
+++ b/ssh_config.5
@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.334 2020/10/03 08:30:47 djm Exp $
-.Dd $Mdocdate: October 3 2020 $
+.\" $OpenBSD: ssh_config.5,v 1.335 2020/10/07 02:18:45 djm Exp $
+.Dd $Mdocdate: October 7 2020 $
 .Dt SSH_CONFIG 5
 .Os
 .Sh NAME
@ -1723,7 +1723,9 @@ host was already trusted or explicitly accepted by the user.
 .Cm UpdateHostKeys
 is enabled by default if the user has not overridden the default
 .Cm UserKnownHostsFile
-setting, otherwise
+setting and has not enabled
+.Cm VerifyHostKeyDNS ,
+otherwise
 .Cm UpdateHostKeys
 will be set to
 .Cm no .