[Bug 1759] allow display of bubblebabble fingerprint when connecting

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Fri Jun 4 16:08:13 EST 2010


https://bugzilla.mindrot.org/show_bug.cgi?id=1759

--- Comment #2 from Eric Wheeler <ssh at ew.ewheeler.org>  ---
Enough people ignore host key fingerprints (ahem, I've MITMed a few)
that this is an increasingly important feature that needs to be given
real thought.

It would be great if the option provided some granularity of when to
turn on.  For example, when interrogated with:

  "The authenticity of host '0 (0.0.0.0)' can't be established. [...]
  Are you sure you want to continue connecting (yes/no)?"

I would want both the Visual and the bubblebabble.

These are the use states in which I might want all-or-some-or-no visual
fingerprint verification options:

1. Always
2. When the authentication method is "X" (i.e., password, publickey,
hostbased, gssapi-with-mic, gssapi-keyex, etc.)
3. If the controlling terminal is a TTY
4. When the host is unknown
5. When DISPLAY is defined (i.e., running under X)

Perhaps something like:
  HostKeyFingerprint always=babble;tty=babble,visual;password=babble,visual,hex;publickey=none;gssapi-with-mic=babble

Providing the output in the order specified would be great too.  For
example,
  HostKeyFingerprint   tty=babble,hex,visual
would be different than
  HostKeyFingerprint   tty=visual,babble,hex

People could get cute here too and have external plugins that launch
something on their system that either takes the pubkey as argv[1] or
via stdin:
  HostKeyFingerprint when_using_x=external(/usr/bin/OpenGLkeyVis),babble

I look forward to augmenting my ~/.ssh/config with something like this:

  HostKeyFingerprint tty=babble,hex,visual;using_x=external(/usr/bin/xkeyvis);publickey=none;notty=none;unknown=hex,babble,visual;default=hex,babble,visual

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
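The comment above asks for the "babble" form of the host key fingerprint to be shown next to the hex and visual forms. The following is an added illustration, not code from the bug or from OpenSSH, of what that form is: the Bubble Babble encoding (the standard algorithm, with the alphabets and checksum seed from the specification, which is also what OpenSSH's `ssh-keygen -B` uses) applied to a digest of the public key blob. The hash choices mirror the OpenSSH of that era (SHA-1 under bubblebabble, MD5 under the colon-separated hex form) and are an assumption for this example; the 32-byte `ssh-ed25519` key material is constructed, not a real key.

```python
import hashlib
import struct

# Alphabets from the Bubble Babble specification (the same tables OpenSSH uses).
VOWELS = "aeiouy"
CONSONANTS = "bcdfghklmnprstvzx"


def bubblebabble(data: bytes) -> str:
    """Encode arbitrary bytes as a Bubble Babble string, e.g. b'' -> 'xexax'."""
    seed = 1                      # running checksum carried between 2-byte tuples
    out = ["x"]
    rounds = len(data) // 2 + 1
    for i in range(rounds):
        last = i + 1 == rounds
        if not last or len(data) % 2 == 1:
            b0 = data[2 * i]
            out.append(VOWELS[(((b0 >> 6) & 3) + seed) % 6])
            out.append(CONSONANTS[(b0 >> 2) & 15])
            out.append(VOWELS[((b0 & 3) + seed // 6) % 6])
            if not last:
                b1 = data[2 * i + 1]
                out.append(CONSONANTS[(b1 >> 4) & 15])
                out.append("-")
                out.append(CONSONANTS[b1 & 15])
                seed = (seed * 5 + b0 * 7 + b1) % 36
        else:
            # Even-length input: the final tuple depends only on the checksum seed.
            out.append(VOWELS[seed % 6])
            out.append(CONSONANTS[16])
            out.append(VOWELS[seed // 6])
    out.append("x")
    return "".join(out)


def ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def ssh_ed25519_blob(raw_pubkey: bytes) -> bytes:
    """Public key blob as it appears (base64) in known_hosts / id_ed25519.pub."""
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_pubkey)


def fingerprints(blob: bytes) -> dict:
    """Hex (MD5, assumed for this example) and bubblebabble (SHA-1) fingerprints."""
    md5 = hashlib.md5(blob).digest()
    sha1 = hashlib.sha1(blob).digest()
    return {
        "hex": ":".join(f"{b:02x}" for b in md5),
        "babble": bubblebabble(sha1),
    }


if __name__ == "__main__":
    # Constructed key material for demonstration only; not a real key.
    blob = ssh_ed25519_blob(bytes(range(32)))
    for name, value in fingerprints(blob).items():
        print(f"{name:6s} {value}")
```

Running the block prints the two renderings side by side; a 20-byte SHA-1 digest always yields a 65-character babble string (ten six-character tuples plus the closing three-letter tuple, wrapped in `x`...`x`), which is the length users would be comparing against a value obtained out of band.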