[PATCH] allow user to update changed key in known_hosts

Roumen Petrov openssh at roumenpetrov.info
Mon Feb 6 00:45:09 EST 2006


Hi Jirka,

Jirka Bohac wrote:
> Hi,
> 
> On Sun, Feb 05, 2006 at 02:22:02PM +0200, Roumen Petrov wrote:
> 
>>>I use ssh a lot and I often need to connect to hosts whose host key has
>>>changed. If a host key of the remote host changes ssh terminates and the
>>>user has to manually delete the offending host key from known_hosts.
>>
>>Use StrictHostKeyChecking=no for those hosts.
> 
> 
> This is not what I want:
> 1) I want to be alerted that the remote host key has been changed and be
>    able to accept it as the new key for the host. I don't want to see
>    the warning each time I log in and learn to ignore it.
> 2) Even with StrictHostKeyChecking=no, I am not allowed to log in using a
>    password, can't forward X etc.

Thanks for clarifying what exactly you need.


>>>I talked to other people and they also seemed to be bothered by this
>>>behaviour
>>
>>Maybe people who don't read manual pages will bother others too?
> 
> 
> Come on! I _did_ read the manpage and know what StrictHostKeyChecking
> does. It's not what I want.
> 
> Even the author of the code probably thought similar functionality would
> be good to have ... see the following comment from sshconnect.c
> 
> /*
>  * XXX Should permit the user to change to use the new id.
>  * This could be done by converting the host key to an
>  * identifying sentence, tell that the host identifies itself
>  * by that sentence, and ask the user if he/she whishes to
>  * accept the authentication.
>  */
> 
> I am willing to finish what the author intended, because I really miss
> the functionality. I'd just like to hear constructive suggestions.

You could open a request for extension in openssh bugzilla.

Maybe in the case of HOST_CHANGED, and when options.strict_host_key_checking
is 2 (ask), the code can be changed to ask the user what to do? "goto fail"
should happen only when strict_host_key_checking is set to 1 ("yes").
I'm not sure that a new option is necessary.


Regards,
Roumen Petrov
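The decision table Roumen sketches above (fail only for StrictHostKeyChecking=yes, prompt for =ask, connect restricted for =no), together with the known_hosts rewrite Jirka wants, as an added example. This is not OpenSSH code and not Jirka's patch; it models the policy in Python over a simplified known_hosts format (plain hostnames, no hashed entries or @markers), with constructed ed25519 key blobs and a constructed file, and a `confirm` callable standing in for the interactive prompt. The prompt shows the SHA256 fingerprints of the old and new key so the user has something to compare against an out-of-band source before accepting.

```python
import base64
import hashlib

HOST_OK, HOST_NEW, HOST_CHANGED = "ok", "new", "changed"
STRICT_NO, STRICT_YES, STRICT_ASK = 0, 1, 2  # StrictHostKeyChecking no / yes / ask


def _fake_key(fill):
    # Constructed ed25519 public-key blob (wire format: type string + 32 bytes); not a real key.
    blob = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes([fill]) * 32
    return base64.b64encode(blob).decode()


OLD_KEY = _fake_key(1)
NEW_KEY = _fake_key(2)

# Constructed known_hosts contents; the second line shows a host sharing a line with an IP.
KNOWN_HOSTS = (
    f"example.test ssh-ed25519 {OLD_KEY}\n"
    f"other.test,192.0.2.10 ssh-ed25519 {OLD_KEY}\n"
)


def fingerprint(key_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 key blob (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text):
    """Parse plain known_hosts lines of the form 'hosts type key [comment]'."""
    entries = []
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.strip().split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        entries.append({"line": n, "hosts": fields[0].split(","),
                        "type": fields[1], "key": fields[2]})
    return entries


def check_host(entries, host, keytype, key):
    """Classify the offered key against known_hosts the way the client's check does."""
    for e in entries:
        if host in e["hosts"] and e["type"] == keytype:
            return (HOST_OK if e["key"] == key else HOST_CHANGED), e
    return HOST_NEW, None


def decide(strict, status, confirm):
    """Roumen's proposal: a changed key fails for 'yes', asks for 'ask', connects restricted for 'no'.
    confirm(status) stands in for the interactive prompt and returns True or False."""
    if status == HOST_OK:
        return "accept"
    if strict == STRICT_YES:
        return "fail"  # "goto fail" only when StrictHostKeyChecking=yes
    if strict == STRICT_ASK:
        if not confirm(status):
            return "fail"
        return "update" if status == HOST_CHANGED else "add"
    # strict=no: a new key is added silently; a changed key is warned about, but the
    # connection proceeds with password auth and forwarding disabled (Jirka's point 2).
    return "add" if status == HOST_NEW else "accept-restricted"


def update_known_hosts(text, host, keytype, key, strict, confirm):
    """Return (action, new_text). The file text is only changed when the policy allows it."""
    entries = parse_known_hosts(text)
    status, entry = check_host(entries, host, keytype, key)

    def prompt(st):
        # Both fingerprints are shown so the user can compare them with an out-of-band source.
        if st == HOST_CHANGED:
            msg = f"host key for {host} CHANGED: {fingerprint(entry['key'])} -> {fingerprint(key)}"
        else:
            msg = f"new host key for {host}: {fingerprint(key)}"
        return confirm(msg)

    action = decide(strict, status, prompt)
    lines = text.splitlines()
    if action == "update":
        others = [h for h in entry["hosts"] if h != host]
        if others:
            # Other names share the line: keep their entry, give this host its own line.
            lines[entry["line"] - 1] = f"{','.join(others)} {keytype} {entry['key']}"
            lines.append(f"{host} {keytype} {key}")
        else:
            lines[entry["line"] - 1] = f"{host} {keytype} {key}"
    elif action == "add":
        lines.append(f"{host} {keytype} {key}")
    return action, "\n".join(lines) + "\n"
```

With `confirm=lambda msg: False` the changed key is never written and the action is "fail", which is the same outcome the current client gives; only an explicit "yes" at the prompt (under StrictHostKeyChecking=ask) rewrites the entry, and StrictHostKeyChecking=yes never prompts at all. Splitting a shared line instead of overwriting it avoids silently replacing the key recorded for the other names on that line.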
