François Isabelle
2012-Oct-22 19:21 UTC
SCP support for -o StrictHostKeyChecking=no broken
Hi.

With SCP, it seems like the option precedence is ignored.
Although this seems to work well with SSH.

$ scp -oStrictHostKeyChecking=no hs21-dev04:/tmp/1 hs21-dev02:/tmp/2
The authenticity of host 'hs21-dev04 (192.168.12.11)' can't be established.
RSA key fingerprint is ec:0f:eb:b2:fa:6f:50:ef:89:64:01:5e:c9:cc:54:20.
Are you sure you want to continue connecting (yes/no)?

$ ssh -oStrictHostKeyChecking=no hs21-dev04
Warning: Permanently added 'hs21-dev04,192.168.12.11' (RSA) to the list of known hosts.
user@hs21-dev04's password:

$ssh -V
OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008

My current workaround is to run SSH first to store the key, then SSH. But I believe this is a bug.

François
On Mon, Oct 22, 2012 at 03:21:06PM -0400, François Isabelle wrote:
> With SCP, it seems like the option precedence is ignored.
> Although this seems to work well with SSH.
[...]
> $ssh -V
> OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008

Can you reproduce this with a current version? Works for me:

$ scp -o stricthostkeychecking=yes /tmp/a localhost:/tmp/b
No RSA host key is known for doesnotexist and you have requested strict checking.
Host key verification failed.
lost connection

$ scp -o stricthostkeychecking=no /tmp/a localhost:/tmp/b
Warning: Permanently added 'doesnotexist' (RSA) to the list of known hosts.
a 100% 0 0.0KB/s 00:00

$ ssh -V
OpenSSH_6.1, OpenSSL 1.0.1c 10 May 2012

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.
Francois Isabelle
2012-Oct-22 23:17 UTC
SCP support for -o StrictHostKeyChecking=no broken
Yeah, I should have tried this before but I only checked the bug list and didn't find any report.

One thing to note though is that my system-wide configuration has 'ask' set for this option.

I'll try to reproduce on recent versions soon.

Thank you
Frank

Darren Tucker <dtucker at zip.com.au> wrote:
>On Mon, Oct 22, 2012 at 03:21:06PM -0400, François Isabelle wrote:
>> With SCP, it seems like the option precedence is ignored.
>> Although this seems to work well with SSH.
>[...]
>> $ssh -V
>> OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
>
>Can you reproduce this with a current version? Works for me:
>
>$ scp -o stricthostkeychecking=yes /tmp/a localhost:/tmp/b
>No RSA host key is known for doesnotexist and you have requested strict
>checking.
>Host key verification failed.
>lost connection
>
>$ scp -o stricthostkeychecking=no /tmp/a localhost:/tmp/b
>Warning: Permanently added 'doesnotexist' (RSA) to the list of known
>hosts.
>a 100% 0 0.0KB/s 00:00
>
>$ ssh -V
>OpenSSH_6.1, OpenSSL 1.0.1c 10 May 2012
>
>--
>Darren Tucker (dtucker at zip.com.au)
>GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
>    Good judgement comes with experience. Unfortunately, the experience
>usually comes from bad judgement.
>