[Bug 3226] New: Feature request: Preempt fingerprint prompt when connecting to new server

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Fri Oct 30 12:22:52 AEDT 2020


https://bugzilla.mindrot.org/show_bug.cgi?id=3226

            Bug ID: 3226
           Summary: Feature request: Preempt fingerprint prompt when
                    connecting to new server
           Product: Portable OpenSSH
           Version: 8.4p1
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: bugzilla.mindrot.org at marget.com

When connecting to a new system where the user (a) knows the server's
pubkey fingerprint but (b) does not know the actual key data, there are
two ways to validate the server key:

1. The interactive yes/no/fingerprint prompt
2. SSHFP records (DNS)

#1 isn't very automatable, and #2 is likely not available to an end
user.

Workarounds involving ssh-keyscan, base64 (decode), hashing, base64
(encode), fingerprint string construction, validation and writing to
known_hosts are effective, but cumbersome.

I'd very much like to have a command-line or configuration option that
preempts the fingerprint validation question:

ssh -o VerifyHostKeyString="SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8" <destination>

...or...

ssh -o VerifyHostKeyString="16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48" <destination>

Additional minutiae:

It seems to me that the supplied string can serve as a stand-in for the
FingerprintHash argument (though it's not clear to me whether MD5 hash
strings are expected to begin with "MD5:")

The fingerprint presented to the user represents only one of the key
types (the most preferred?) that the server holds. Should using this
option require the user to specify the key type associated with the
known fingerprint? Should the ssh client scan through all acceptable
key types held by the server until it finds a match?

It is my position that the rest of the key-handling behavior (writing
to known_hosts on fingerprint acceptance) not change with this option:
The known_hosts file gets updated in the usual way, use of the option
to preempt fingerprint questions is a one-time deal.

Thank you!

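As an added example (not OpenSSH code and not the reporter's), a POSIX shell sketch of the workaround the report describes: scan the host, compute each offered key's SHA256 or MD5 fingerprint the way ssh-keygen -l prints it, keep only the key that matches the fingerprint the user already knows, and append that one to known_hosts. The function names and the sample key line in the comments are constructed; it assumes coreutils (base64, sha256sum, md5sum) and, for the live scan, ssh-keyscan.

```shell
# Added example, not OpenSSH code: the ssh-keyscan/hash/compare/known_hosts
# workaround from the report, driven by a fingerprint the user already knows.
set -eu
# Turn a hex digest (what sha256sum/md5sum print) back into raw bytes.
hex_to_bin() {
    local hex="$1" pair
    while [ -n "$hex" ]; do
        pair=${hex%"${hex#??}"}; hex=${hex#??}
        printf "\\$(printf '%03o' "$((0x$pair))")"
    done
}
# ssh-keygen -l style fingerprint of one key line, either "host type blob ..."
# (ssh-keyscan output) or "type blob ..." (a .pub file). $2: SHA256 or MD5.
fingerprint_of_key() {
    local line="$1" algo="${2:-SHA256}" blob hex
    blob=$(printf '%s\n' "$line" |
        awk '$1 ~ /^(ssh-|ecdsa-|sk-)/ { print $2; exit } { print $3; exit }')
    if [ "$algo" = MD5 ]; then
        hex=$(printf '%s' "$blob" | base64 -d | md5sum | cut -d' ' -f1)
        printf 'MD5:%s\n' "$(printf '%s\n' "$hex" | sed 's/../&:/g; s/:$//')"
    else   # OpenSSH shows the SHA256 digest as base64 with '=' padding dropped
        hex=$(printf '%s' "$blob" | base64 -d | sha256sum | cut -d' ' -f1)
        printf 'SHA256:%s\n' "$(hex_to_bin "$hex" | base64 | tr -d '=\n')"
    fi
}
# Status 0 when the key line matches $2, given as "SHA256:...", "MD5:aa:bb:..."
# or a bare colon-separated MD5 string (the form of the report's second example).
key_matches_fingerprint() {
    local line="$1" expected="$2" algo=SHA256
    case $expected in
        SHA256:*) ;;
        MD5:*)    algo=MD5 ;;
        *:*:*)    algo=MD5; expected="MD5:$expected" ;;
        *)        return 1 ;;
    esac
    [ "$(fingerprint_of_key "$line" "$algo")" = "$expected" ]
}
# Scan a host, keep only the key type whose fingerprint matches (a server offers
# several), and append it to known_hosts so later connections verify as usual.
# $1: host, $2: expected fingerprint, $3: known_hosts path (optional).
pin_host_key() {
    ssh-keyscan "$1" 2>/dev/null | {
        while IFS= read -r line; do
            if key_matches_fingerprint "$line" "$2"; then
                printf '%s\n' "$line" >>"${3:-$HOME/.ssh/known_hosts}"; exit 0
            fi
        done
        echo "no host key of $1 matches $2" >&2; exit 1
    }
}
# Constructed sample for a self-check: blob "YWJj" is base64 for "abc", so the
# SHA256 fingerprint is that of "abc" (ungWv48Bz+pBQUDeXa4iI7ADYaOWF3qctBD/YfIAFa0).
```

Call `pin_host_key <host> 'SHA256:...'` (or with an MD5 string) before the first ssh to that host; a scan whose keys all mismatch leaves known_hosts untouched and exits 1.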