bugzilla-daemon at natsu.mindrot.org
2013-Oct-27 23:05 UTC
[Bug 2165] New: ssh option to prompt for fingerprint input
https://bugzilla.mindrot.org/show_bug.cgi?id=2165

            Bug ID: 2165
           Summary: ssh option to prompt for fingerprint input
           Product: Portable OpenSSH
           Version: 5.9p1
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: blobnor-bugreports at yahoo.com.br

Rather than showing the fingerprint to the user to compare, there could be an
option where ssh wouldn't show the fingerprint, but would prompt the user to
input the fingerprint by keyboard. Then ssh would evaluate if it is right or
wrong.

Computers are much better at comparing exact strings than humans.

Proposal:

~ seff$ ssh -o PromptFingerprint=yes bugzilla.mindrot.org
The authenticity of host 'bugzilla.mindrot.org (130.102.96.3)' can't be established.
Type the RSA key fingerprint from remote host:

--
You are receiving this mail because:
You are watching the assignee of the bug.

bugzilla-daemon at natsu.mindrot.org
2013-Oct-27 23:44 UTC
[Bug 2165] ssh option to prompt for fingerprint input
https://bugzilla.mindrot.org/show_bug.cgi?id=2165

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org
         Depends on|                            |1872

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
That's a nice idea though it should probably be under the existing
configuration option, e.g. StrictHostKeyChecking=require-fingerprint

We should also figure out what we are going to do wrt changing the fingerprint
hash, since the two are likely to collide.

bugzilla-daemon at natsu.mindrot.org
2013-Oct-28 13:17 UTC
[Bug 2165] ssh option to prompt for fingerprint input
https://bugzilla.mindrot.org/show_bug.cgi?id=2165

--- Comment #2 from Seff <blobnor-bugreports at yahoo.com.br> ---
Damien, that seems to be a good approach.

With many hashes, check against all of them. If any match, accept the key.

bugzilla-daemon at mindrot.org
2014-Apr-18 11:40 UTC
[Bug 2165] ssh option to prompt for fingerprint input
https://bugzilla.mindrot.org/show_bug.cgi?id=2165

Petr Lautrbach <plautrba at redhat.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |plautrba at redhat.com

--- Comment #3 from Petr Lautrbach <plautrba at redhat.com> ---
Created attachment 2430
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2430&action=edit
StrictHostKeyChecking=require-fingerprint

This patch is based on the patch I've just attached to
https://bugzilla.mindrot.org/show_bug.cgi?id=1872 and allows specifying
StrictHostKeyChecking=require-fingerprint:

$ ssh -o FingerprintType=sha256 -o stricthostkeychecking=require-fingerprint -p 2222 localhost
The authenticity of host '[localhost]:2222 ([127.0.0.1]:2222)' can't be established.
Type the ECDSA key fingerprint from remote host [sha256]: abcd
Host key verification failed.

$ ssh -o FingerprintType=sha256 -o stricthostkeychecking=require-fingerprint -p 2222 localhost
The authenticity of host '[localhost]:2222 ([127.0.0.1]:2222)' can't be established.
Type the ECDSA key fingerprint from remote host [sha256]: 5b:bc:6c:0a:b2:8d:84:eb:2a:6b:14:92:94:1c:85:b3:82:98:ba:b0:55:fd:2a:61:52:8c:b0:79:49:4b:e7:73
Warning: Permanently added '[localhost]:2222' (ECDSA) to the list of known hosts.

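The check discussed in this thread (a typed fingerprint compared against every supported hash and accepted only on a full match), as an added example that is not part of the thread or of the attached patch. The key blob is constructed sample data, the hash list and function names are assumptions, and fingerprints use the hex-with-colons format shown in comment #3.

```python
import base64
import hashlib
import hmac
import struct

# Assumption: the hashes a client would accept a typed fingerprint for.
HASHES = ("md5", "sha256")

# Constructed sample key blob (not a real host key): SSH wire encoding of the
# string "ssh-ed25519" followed by a 32-byte string.
SAMPLE_BLOB = (struct.pack(">I", 11) + b"ssh-ed25519" +
               struct.pack(">I", 32) + bytes(range(32)))
SAMPLE_LINE = "[localhost]:2222 ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode()


def key_blob_from_line(line):
    """Return the raw key blob from a 'host keytype base64' line."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("expected: host keytype base64-blob")
    return base64.b64decode(fields[2], validate=True)


def fingerprint(blob, alg):
    """Hex digest of the key blob with colon separators."""
    return ":".join(f"{b:02x}" for b in hashlib.new(alg, blob).digest())


def normalize(typed):
    """Drop whitespace and colons, lowercase; None unless the rest is hex."""
    s = "".join(typed.split()).replace(":", "").lower()
    return s if s and all(c in "0123456789abcdef" for c in s) else None


def typed_fingerprint_matches(blob, typed):
    """Return the hash name whose full digest equals the typed value, else None."""
    want = normalize(typed)
    if want is None:
        return None
    for alg in HASHES:
        # Constant-time, full-length comparison: a prefix such as "abcd" fails.
        if hmac.compare_digest(hashlib.new(alg, blob).hexdigest(), want):
            return alg
    return None


if __name__ == "__main__":
    blob = key_blob_from_line(SAMPLE_LINE)
    print(fingerprint(blob, "sha256"))
    print(typed_fingerprint_matches(blob, "abcd"))
```
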
bugzilla-daemon at mindrot.org
2014-Dec-22 06:32 UTC
[Bug 2165] ssh option to prompt for fingerprint input
https://bugzilla.mindrot.org/show_bug.cgi?id=2165

Bug 2165 depends on bug 1872, which changed state.

Bug 1872 Summary: Support better hash algorithms for key fingerprints (FIPS compat)
https://bugzilla.mindrot.org/show_bug.cgi?id=1872

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED