[Bug 3226] New: Feature request: Preempt fingerprint prompt when connecting to new server
bugzilla-daemon at mindrot.org
Fri Oct 30 12:22:52 AEDT 2020
https://bugzilla.mindrot.org/show_bug.cgi?id=3226
Bug ID: 3226
Summary: Feature request: Preempt fingerprint prompt when
connecting to new server
Product: Portable OpenSSH
Version: 8.4p1
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: bugzilla.mindrot.org at marget.com
When connecting to a new system where the user (a) knows the server's
pubkey fingerprint but (b) does not know the actual key data, there are
two ways to validate the server key:
1. The interactive yes/no/fingerprint prompt
2. SSHFP records (DNS)
#1 isn't very automatable, and #2 is likely not available to an end
user.
Workarounds involving ssh-keyscan, base64 (decode), hashing, base64
(encode), fingerprint string construction, validation and writing to
known_hosts are effective, but cumbersome.
I'd very much like to have a command-line or configuration option that
preempts the fingerprint validation question:
ssh -o VerifyHostKeyString="SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8" <destination>

...or...

ssh -o verifyHostKeyString="16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48" <destination>
Additional minutiae:
It seems to me that the supplied string can serve as a stand-in for the
FingerprintHash argument (though it's not clear to me whether MD5 hash
strings are expected to begin with "MD5:")
The fingerprint presented to the user represents only one of the key
types (the most preferred?) that the server holds. Should using this
option require the user to specify the key type associated with the
known fingerprint? Should the ssh client scan through all acceptable
key types held by the server until it finds a match?
It is my position that the rest of the key-handling behavior (writing
to known_hosts on fingerprint acceptance) not change with this option:
The known_hosts file gets updated in the usual way, use of the option
to preempt fingerprint questions is a one-time deal.
Thank you!
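The "cumbersome" workaround the report describes (ssh-keyscan, base64 decode, hash, base64 encode, build the fingerprint string, compare, append to known_hosts) written out as an added example. This is not OpenSSH code and not the reporter's; it is a stand-alone script using only the Python standard library. It also answers two of the questions raised above the way this editor would: it accepts both "SHA256:..." and "MD5:..."/bare colon-hex strings, and it scans every key type the server offers until one matches, so the user does not have to know which key type the fingerprint belongs to. The key blobs in KEYSCAN_SAMPLE are constructed filler with the right wire shape, not real keys; scan_host() is the only part that touches the network and is not exercised by the sample run.

```python
"""Offline model of the ssh-keyscan -> hash -> known_hosts workaround.

Added example, not OpenSSH code. Everything except scan_host() runs offline
on constructed input.
"""
import base64
import hashlib
import re
import struct
import subprocess
from typing import List, Optional, Tuple

HostKey = Tuple[str, str, bytes]  # (host field, key type, raw public-key blob)


def _ssh_string(b: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _constructed_blob(key_type: str, payload: bytes) -> str:
    """Build a blob with a valid outer shape (type string + one payload string).
    The payload is filler, NOT a real key; only the wire shape matters here."""
    return base64.b64encode(_ssh_string(key_type.encode()) + _ssh_string(payload)).decode()


# Constructed stand-in for `ssh-keyscan -t ed25519,rsa example.test` output.
KEYSCAN_SAMPLE = "\n".join([
    "# example.test:22 SSH-2.0-OpenSSH_8.4",
    "example.test ssh-ed25519 " + _constructed_blob("ssh-ed25519", bytes(range(32))),
    "example.test ssh-rsa " + _constructed_blob("ssh-rsa", b"\x01\x00\x01" + bytes(64)),
]) + "\n"


def scan_host(host: str, port: int = 22) -> str:
    """Real network step: run ssh-keyscan and return its stdout."""
    return subprocess.run(["ssh-keyscan", "-p", str(port), host],
                          capture_output=True, text=True, check=True).stdout


def parse_keyscan(text: str) -> List[HostKey]:
    """Turn ssh-keyscan output into (host, type, blob) triples; comments skipped."""
    keys: List[HostKey] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        host, ktype, b64 = line.split()[:3]
        keys.append((host, ktype, base64.b64decode(b64, validate=True)))
    return keys


def fingerprint(blob: bytes, hash_alg: str = "sha256") -> str:
    """Fingerprint in the format ssh-keygen -l prints (FingerprintHash sha256|md5)."""
    if hash_alg == "sha256":
        digest = hashlib.sha256(blob).digest()
        return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    if hash_alg == "md5":
        return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())
    raise ValueError(f"unsupported hash: {hash_alg}")


def normalize(expected: str) -> Tuple[str, str]:
    """Infer the hash from the string the user was given and canonicalize it.
    Accepts 'SHA256:...', 'MD5:...' and bare 'xx:xx:...:xx' (assumed MD5)."""
    s = expected.strip()
    if s.startswith("SHA256:"):
        return "sha256", s
    if s.startswith("MD5:"):
        return "md5", "MD5:" + s[4:].lower()
    if re.fullmatch(r"([0-9a-fA-F]{2}:){15}[0-9a-fA-F]{2}", s):
        return "md5", "MD5:" + s.lower()
    raise ValueError(f"unrecognized fingerprint format: {expected!r}")


def find_matching_key(keys: List[HostKey], expected: str) -> Optional[HostKey]:
    """Walk every key type the server offered; return the one whose fingerprint
    matches, or None. Fingerprints are public values, so plain == is fine."""
    hash_alg, want = normalize(expected)
    for hk in keys:
        if fingerprint(hk[2], hash_alg) == want:
            return hk
    return None


def known_hosts_line(hk: HostKey) -> str:
    """The line to append to ~/.ssh/known_hosts (unhashed host form)."""
    host, ktype, blob = hk
    return f"{host} {ktype} {base64.b64encode(blob).decode()}"


def accept(keyscan_text: str, expected: str) -> str:
    """Whole workaround: parse, match against the known fingerprint, emit line.
    Raises if nothing matches, so a wrong key is never recorded."""
    hk = find_matching_key(parse_keyscan(keyscan_text), expected)
    if hk is None:
        raise ValueError("no offered host key matches the expected fingerprint")
    return known_hosts_line(hk)


if __name__ == "__main__":
    # In real use EXPECTED is the string the admin handed you out of band;
    # here it is derived from the constructed sample so the run is self-contained.
    EXPECTED = fingerprint(parse_keyscan(KEYSCAN_SAMPLE)[1][2])
    print(accept(KEYSCAN_SAMPLE, EXPECTED))
```

In real use, replace KEYSCAN_SAMPLE with scan_host(destination) and append the returned line to ~/.ssh/known_hosts; subsequent connections then go through the normal known_hosts path, which is the "one-time deal" behaviour the report asks for.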