[Bug 1759] allow display of bubblebabble fingerprint when connecting
bugzilla-daemon at bugzilla.mindrot.org
Fri Jun 4 16:08:13 EST 2010
https://bugzilla.mindrot.org/show_bug.cgi?id=1759
--- Comment #2 from Eric Wheeler <ssh at ew.ewheeler.org> ---
Enough people ignore host key fingerprints (ahem, I've MITMed a few)
that this is an increasingly important feature that needs to be given
real thought.
It would be great if the option provided some granularity of when to
turn on. For example, when interrogated with:
"The authenticity of host '0 (0.0.0.0)' can't be established. [...]
Are you sure you want to continue connecting (yes/no)?"
I would want both the Visual and the bubblebabble.
These are the use states in which I might want all-or-some-or-no visual
fingerprint verification options:
1. Always
2. When the authentication method is "X" (i.e., password, publickey,
hostbased, gssapi-with-mic, gssapi-keyex, etc.)
3. If the controlling terminal is a TTY
4. When the host is unknown
5. When DISPLAY is defined (i.e., running under X)
Perhaps something like:
HostKeyFingerprint always=babble;tty=babble,visual;password=babble,visual,hex;publickey=none;gssapi-with-mic=babble
Providing the output in the order specified would be great too. For
example,
HostKeyFingerprint tty=babble,hex,visual
would be different than
HostKeyFingerprint tty=visual,babble,hex
People could get cute here too and have external plugins that launch
something on their system that either takes the pubkey as argv[1] or
via stdin:
HostKeyFingerprint when_using_x=external(/usr/bin/OpenGLkeyVis),babble
I look forward to augmenting my ~/.ssh/config with something like this:
HostKeyFingerprint tty=babble,hex,visual;using_x=external(/usr/bin/xkeyvis);publickey=none;notty=none;unknown=hex,babble,visual;default=hex,babble,visual
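The following Python is an added illustration of the proposal above; it is not part of this comment and not OpenSSH code. It parses the proposed HostKeyFingerprint syntax (the option name, the condition keywords such as tty/notty/unknown/default and the method names hex/babble/visual/external are the commenter's proposal, not an existing OpenSSH option), picks the method list for a connection, and renders the fingerprints in the order written. The encoders follow what OpenSSH 5.x shipped at the time: a colon-separated MD5 hex fingerprint, Bubble Babble over the SHA-1 digest (as ssh-keygen -B does), and the "drunken bishop" randomart over the MD5 digest. Precedence between clauses is an assumption, since the comment does not define one: the first clause whose condition is active wins, "always" is always active, and "default" is the fallback. The key blob is a constructed stand-in, not a real key.

```python
import hashlib

VOWELS = "aeiouy"
CONSONANTS = "bcdfghklmnprstvzx"
AUGMENTATION = " .o+=*BOX@%&#/^SE"  # randomart palette; 'S' = start, 'E' = end


def bubblebabble(digest: bytes) -> str:
    """Bubble Babble encoding (Antti Huima's scheme), as ssh-keygen -B applies
    it to the SHA-1 digest of a key blob."""
    rounds = len(digest) // 2 + 1
    seed = 1
    out = ["x"]
    for i in range(rounds):
        if i + 1 < rounds or len(digest) % 2 != 0:
            b0 = digest[2 * i]
            out.append(VOWELS[(((b0 >> 6) & 3) + seed) % 6])
            out.append(CONSONANTS[(b0 >> 2) & 15])
            out.append(VOWELS[((b0 & 3) + seed // 6) % 6])
            if i + 1 < rounds:
                b1 = digest[2 * i + 1]
                out.append(CONSONANTS[(b1 >> 4) & 15] + "-" + CONSONANTS[b1 & 15])
                seed = (seed * 5 + b0 * 7 + b1) % 36
        else:  # final round of an even-length digest: vowel, 'x', vowel
            out.append(VOWELS[seed % 6] + CONSONANTS[16] + VOWELS[seed // 6])
    out.append("x")
    return "".join(out)


def randomart(digest: bytes, width: int = 17, height: int = 9) -> list:
    """OpenSSH 'drunken bishop' visual fingerprint: every 2-bit pair of each
    digest byte moves the bishop one step diagonally; cells count visits."""
    field = [[0] * width for _ in range(height)]
    x, y = width // 2, height // 2
    for byte in digest:
        for _ in range(4):
            x = min(max(x + (1 if byte & 1 else -1), 0), width - 1)
            y = min(max(y + (1 if byte & 2 else -1), 0), height - 1)
            if field[y][x] < len(AUGMENTATION) - 2:
                field[y][x] += 1
            byte >>= 2
    field[height // 2][width // 2] = len(AUGMENTATION) - 2  # 'S'
    field[y][x] = len(AUGMENTATION) - 1  # 'E'
    border = "+" + "-" * width + "+"
    rows = ["|" + "".join(AUGMENTATION[v] for v in row) + "|" for row in field]
    return [border] + rows + [border]


def hex_fingerprint(blob: bytes) -> str:
    """OpenSSH 5.x default: MD5 of the key blob as colon-separated hex."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def parse_hostkeyfingerprint(value: str) -> dict:
    """Parse the proposed 'cond=m1,m2;cond2=none' syntax into an ordered
    {condition: [methods]} map. 'none' becomes []; 'external(path)' stays as is."""
    rules = {}
    for clause in filter(None, value.split(";")):
        cond, eq, methods = clause.partition("=")
        if not eq:
            raise ValueError(f"clause without '=': {clause!r}")
        ms = [m for m in methods.split(",") if m]
        rules[cond.strip()] = [] if ms == ["none"] else ms
    return rules


def select_methods(rules: dict, active: set) -> list:
    """Assumed precedence (the comment defines none): first clause in written
    order whose condition is active wins; 'always' is always active; 'default'
    is the fallback when nothing matches."""
    for cond, methods in rules.items():
        if cond == "always" or cond in active:
            return methods
    return rules.get("default", [])


def render(blob: bytes, methods: list) -> list:
    """Produce the fingerprint lines in exactly the order the option lists them."""
    lines = []
    for m in methods:
        if m == "hex":
            lines.append("hex:    " + hex_fingerprint(blob))
        elif m == "babble":
            lines.append("babble: " + bubblebabble(hashlib.sha1(blob).digest()))
        elif m == "visual":
            lines.extend(randomart(hashlib.md5(blob).digest()))
        elif m.startswith("external(") and m.endswith(")"):
            # a real client would exec m[9:-1] with the blob on stdin; reported only
            lines.append("external: " + m[9:-1])
        else:
            raise ValueError(f"unknown fingerprint method {m!r}")
    return lines


if __name__ == "__main__":
    blob = b"ssh-rsa constructed-example-host-key-blob"  # constructed, not a real key
    rules = parse_hostkeyfingerprint(
        "tty=babble,hex,visual;publickey=none;unknown=hex,babble,visual;default=hex,babble,visual")
    print("\n".join(render(blob, select_methods(rules, {"tty", "unknown"}))))
```

Because `select_methods` honours the written order, `publickey=none` only silences the prompt when it appears before a clause that matches the same connection; putting `unknown=...` first would still show fingerprints for never-before-seen hosts, which is the case where a careful reader of the prompt gains the most.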