| Summary: | ssh option to prompt for fingerprint input | | |
|---|---|---|---|
| Product: | Portable OpenSSH | Reporter: | Seff <blobnor-bugreports> |
| Component: | ssh | Assignee: | Assigned to nobody <unassigned-bugs> |
| Status: | NEW --- | | |
| Severity: | enhancement | CC: | djm, plautrba |
| Priority: | P5 | | |
| Version: | 5.9p1 | | |
| Hardware: | All | | |
| OS: | All | | |
| Bug Depends on: | 1872 | | |
| Bug Blocks: | | | |
Description
Seff
2013-10-28 10:05:21 AEDT
That's a nice idea, though it should probably be under the existing configuration option, e.g. StrictHostKeyChecking=require-fingerprint

We should also figure out what we are going to do wrt changing the fingerprint hash, since the two are likely to collide.

Damien, that seems to be a good approach. With many hashes, check against all of them. If any match, accept the key.

Created attachment 2430
StrictHostKeyChecking=require-fingerprint

This patch is based on the patch I've just attached to https://bugzilla.mindrot.org/show_bug.cgi?id=1872 and allows specifying StrictHostKeyChecking=require-fingerprint:

```
$ ssh -o FingerprintType=sha256 -o stricthostkeychecking=require-fingerprint -p 2222 localhost
The authenticity of host '[localhost]:2222 ([127.0.0.1]:2222)' can't be established.
Type the ECDSA key fingerprint from remote host [sha256]: abcd
Host key verification failed.

$ ssh -o FingerprintType=sha256 -o stricthostkeychecking=require-fingerprint -p 2222 localhost
The authenticity of host '[localhost]:2222 ([127.0.0.1]:2222)' can't be established.
Type the ECDSA key fingerprint from remote host [sha256]: 5b:bc:6c:0a:b2:8d:84:eb:2a:6b:14:92:94:1c:85:b3:82:98:ba:b0:55:fd:2a:61:52:8c:b0:79:49:4b:e7:73
Warning: Permanently added '[localhost]:2222' (ECDSA) to the list of known hosts.
```
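The "check against all hashes, accept on any match" idea from the thread, sketched as an added example; it is not the code in attachment 2430 or anything from OpenSSH. The function names, the candidate hash set (md5, sha256) and the sample key line are assumptions; the colon-separated hex format follows the session above.

```python
import base64
import hashlib
import hmac

# Assumed candidate set; accepting a match under any of these means the
# check is only as strong as the weakest hash listed here.
HASHES = ("md5", "sha256")

# Constructed sample public-key line (the blob is made up, not a real host key).
SAMPLE_LINE = ("ecdsa-sha2-nistp256 "
               + base64.b64encode(b"constructed-key-blob-for-demo").decode()
               + " demo-host")


def blob_from_pubkey_line(line: str) -> bytes:
    """The fingerprint covers the decoded key blob (2nd field), not the text line."""
    return base64.b64decode(line.split()[1], validate=True)


def colon_hex(digest: bytes) -> str:
    return ":".join(f"{b:02x}" for b in digest)


def normalise(typed: str) -> str:
    """Lower-case and drop colons/whitespace; anything non-hex becomes ''."""
    s = "".join(typed.lower().replace(":", "").split())
    return s if s and all(c in "0123456789abcdef" for c in s) else ""


def match_fingerprint(key_blob: bytes, typed: str, hashes=HASHES):
    """Return the hash name whose full fingerprint equals the typed value, else None."""
    want = normalise(typed)
    matched = None
    for name in hashes:
        have = hashlib.new(name, key_blob).hexdigest()
        # Full-length, constant-time compare: a short prefix such as "abcd"
        # can never be accepted as a match.
        if len(want) == len(have) and hmac.compare_digest(want, have):
            matched = name
    return matched


if __name__ == "__main__":
    blob = blob_from_pubkey_line(SAMPLE_LINE)
    good = colon_hex(hashlib.sha256(blob).digest())
    print(match_fingerprint(blob, "abcd"))  # rejected
    print(match_fingerprint(blob, good))    # accepted under sha256
```

Restricting `hashes` to the single type the user was prompted for avoids accepting a fingerprint computed with a weaker algorithm than the one requested.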