[Bug 2493] Accept host key fingerprint as the same as 'yes'

bugzilla-daemon at bugzilla.mindrot.org
Wed Nov 11 00:44:58 AEDT 2015


https://bugzilla.mindrot.org/show_bug.cgi?id=2493

Jakub Jelen <jjelen at redhat.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jjelen at redhat.com

--- Comment #1 from Jakub Jelen <jjelen at redhat.com> ---
I really like this idea. I was thinking about this step many times, but
this solution seems really elegant, if there is no CA or SSHFP.

The best thing is always to get the whole public key you can store by
hand in your known_hosts. But having only the fingerprint makes it more
difficult and this feature would basically solve it.

This would allow us to leave both methods available (yes/no checking or
pasted fingerprint). It would also be helpful for the new fingerprint
methods using SHA256 and base64, which is even harder to read and
compare.

> The authenticity of host 'somehost (10.0.0.1)' can't be established. ECDSA key fingerprint is SHA256:9hT+deeJW3NzlzBXvJ3eK/lr7QYmxaZweHqzPG2WASU.
> Are you sure you want to continue connecting (yes/no)? 
> Or you can verify the fingerprint by writing it here: |

It would also solve the issue with different hashes, which can be a
problem at the moment when connecting with a new client (6.8+) to an old
machine (as described in bug #2439).

The texts would probably need a bit of tweaking, but yes, the concept
sounds great.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
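
The check proposed in this comment, as an added illustration that is not part of the original message and is not OpenSSH code: a pasted fingerprint is compared against both the SHA256/base64 form and the older MD5/hex form of the offered key, which also covers the mixed-hash case mentioned above. The key blob is constructed sample data, and the function names and return values are hypothetical.

```python
import base64
import hashlib
import re
import struct

def ssh_string(data: bytes) -> bytes:
    """Length-prefixed string as used inside SSH public key blobs."""
    return struct.pack(">I", len(data)) + data

# Constructed sample, not a real host key: an ssh-ed25519 blob with fixed bytes.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_LINE = "somehost ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode()

def blob_from_line(line: str) -> bytes:
    """Extract the raw key blob from a 'host keytype base64' known_hosts line."""
    return base64.b64decode(line.split()[2], validate=True)

def fingerprints(blob: bytes) -> dict:
    """Both display forms: SHA256/base64 (unpadded) and legacy MD5/colon-hex."""
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    md5 = hashlib.md5(blob).hexdigest()
    return {"SHA256": "SHA256:" + sha,
            "MD5": "MD5:" + ":".join(md5[i:i + 2] for i in range(0, 32, 2))}

def prompt_answer(answer: str, blob: bytes) -> str:
    """Hypothetical prompt handler: yes/no as before, or a pasted fingerprint."""
    text = answer.strip()
    if text.lower() == "yes":
        return "accept-unverified"   # nothing shows the user compared anything
    if text.lower() == "no":
        return "reject"
    fps = fingerprints(blob)
    if re.fullmatch(r"(?i)(MD5:)?([0-9a-f]{2}:){15}[0-9a-f]{2}", text):
        # Hex is case-insensitive and the MD5: prefix is optional here.
        candidate = "MD5:" + text.lower().removeprefix("md5:")
        return "accept-verified" if candidate == fps["MD5"] else "mismatch"
    # Base64 is case-sensitive, so the SHA256 form is compared exactly.
    candidate = text if text.startswith("SHA256:") else "SHA256:" + text
    return "accept-verified" if candidate == fps["SHA256"] else "mismatch"

if __name__ == "__main__":
    blob = blob_from_line(SAMPLE_LINE)
    shown = fingerprints(blob)["SHA256"]
    print(shown, "->", prompt_answer(shown, blob))
```
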

