bugzilla-daemon at bugzilla.mindrot.org
2015-Oct-23 04:02 UTC
[Bug 1777] KnownHostsCommand
https://bugzilla.mindrot.org/show_bug.cgi?id=1777

--- Comment #4 from Daniel Kahn Gillmor <dkg at fifthhorseman.net> ---

(In reply to Damien Miller from comment #3)
> This is possible to do, but without some significant changes is
> likely to be fairly inefficient.
>
> ssh reads known_hosts a couple of times during connection. At least
> once to figure out what host key algorithms are in use, then again
> to verify the hostkey sent

This kind of information is host specific, and seems like it could be directly cached instead of re-read. Is this the sort of significant changes you're talking about, or is there more that needs doing?

> and (optionally) a couple of times to
> deal with UpdateHostkeys messages from the server.

UpdateHostKeys seems like it's about modifying the stored keys, right? That's a different thing than just reading it. We'd need to specify some sort of interface for sending back updates to the KnownHostsCommand as well, and this isn't something that was specified in the initial feature request.

> This could result in the KnownHostsCommand being run a bunch of
> times and, unless it was very efficient, could make ssh pretty slow.

Even with caching and a single run for reading, a slow KnownHostsCommand will make ssh pretty slow, in the same way that the existing ProxyCommand can also make ssh pretty slow. This is a tradeoff that someone configuring a KnownHostsCommand would need to make explicitly, but I don't think it should rule it out as a feature.

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
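The two known_hosts lookups the thread is discussing, and the host-specific cache dkg suggests, as an added illustration that is not part of the bug report and not OpenSSH's own code. It parses a known_hosts file once into memory and then serves both questions from that parse: which key types are already on file for a host (the first read, used to order the host key algorithm offer) and whether a presented key is OK, CHANGED, REVOKED or UNKNOWN (the second read). The sample file, the placeholder key blobs and the hashed-host salt are all constructed here; hashed entries are matched with the HMAC-SHA1 scheme `ssh-keygen -H` uses, negated and wildcard patterns follow ssh's pattern-list rules, and `@cert-authority` entries and the `[host]:port` syntax are deliberately not handled.

```python
import base64
import fnmatch
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

# Entry = (marker or None, host patterns, key type, base64 key blob)
Entry = Tuple[Optional[str], List[str], str, str]


def hash_hostname(host: str, salt: bytes) -> str:
    """Render a hostname the way `ssh-keygen -H` does: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|{}|{}".format(base64.b64encode(salt).decode(),
                            base64.b64encode(digest).decode())


# Constructed sample file (not real hosts or keys). The blobs are placeholder
# strings; the matcher only compares them and never decodes them.
ED25519_BLOB = "AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYONE"
RSA_BLOB = "AAAAB3NzaC1yc2EAAAADAQABAAABAQEXAMPLERSAKEY"
REVOKED_BLOB = "AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYEXAMPLEREVOKED"
HASHED_BLOB = "AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEHASHEDHOST"
SAMPLE_KNOWN_HOSTS = """\
# comment lines and blank lines are skipped

example.org,192.0.2.10 ssh-ed25519 {ed}
example.org ssh-rsa {rsa}
@revoked example.org ecdsa-sha2-nistp256 {rev}
*.example.org,!bad.example.org ssh-ed25519 {ed}
{hashed} ssh-ed25519 {hblob}
""".format(ed=ED25519_BLOB, rsa=RSA_BLOB, rev=REVOKED_BLOB,
           hashed=hash_hostname("hashed.example.net", bytes(range(20))),  # fixed salt: constructed
           hblob=HASHED_BLOB)


class KnownHosts:
    """Parse known_hosts once, then answer both of ssh's questions from memory."""

    def __init__(self, text: str) -> None:
        self.entries: List[Entry] = []
        self._match_cache: Dict[str, List[Entry]] = {}
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            marker: Optional[str] = None
            if line.startswith("@"):
                head = line.split(None, 1)
                if len(head) < 2:
                    continue
                marker, line = head
            parts = line.split(None, 3)
            if len(parts) < 3:
                continue  # malformed line: skipped, as ssh does (with a warning)
            hosts, keytype, blob = parts[0], parts[1], parts[2]
            self.entries.append((marker, hosts.split(","), keytype, blob))

    @staticmethod
    def _pattern_matches(pattern: str, host: str) -> bool:
        if pattern.startswith("|1|"):
            _, _, salt_b64, digest_b64 = pattern.split("|")
            salt = base64.b64decode(salt_b64)
            actual = hmac.new(salt, host.encode(), hashlib.sha1).digest()
            return hmac.compare_digest(actual, base64.b64decode(digest_b64))
        return fnmatch.fnmatchcase(host, pattern)

    def _entry_matches(self, patterns: List[str], host: str) -> bool:
        # ssh pattern-list rule: a matching negated pattern vetoes the entry,
        # otherwise any matching positive pattern accepts it.
        positive = False
        for pat in patterns:
            if pat.startswith("!"):
                if self._pattern_matches(pat[1:], host):
                    return False
            elif self._pattern_matches(pat, host):
                positive = True
        return positive

    def _matching(self, host: str) -> List[Entry]:
        # The result is host specific, so cache it: every later lookup for the
        # same connection costs nothing beyond the first scan of the entries.
        if host not in self._match_cache:
            self._match_cache[host] = [e for e in self.entries
                                       if self._entry_matches(e[1], host)]
        return self._match_cache[host]

    def host_key_algorithms(self, host: str) -> List[str]:
        """First lookup: non-revoked key types on file for this host, in file order."""
        seen: List[str] = []
        for marker, _, keytype, _ in self._matching(host):
            if marker != "@revoked" and keytype not in seen:
                seen.append(keytype)
        return seen

    def verify(self, host: str, keytype: str, blob: str) -> str:
        """Second lookup: classify the key the server actually presented."""
        status = "UNKNOWN"
        for marker, _, kt, b in self._matching(host):
            if kt != keytype:
                continue
            if hmac.compare_digest(b.encode(), blob.encode()):
                return "REVOKED" if marker == "@revoked" else "OK"
            status = "CHANGED"  # same host and key type, different key
        return status
```

A KnownHostsCommand that behaved like this object, parsing its backing store once and memoising per-host results, would keep ssh's repeated reads cheap; the remaining cost is whatever the command itself has to do to produce the list, which is the tradeoff the comment compares to ProxyCommand.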