bugzilla-daemon at bugzilla.mindrot.org
2015-Nov-10 04:42 UTC
[Bug 2493] New: Accept host key fingerprint as the same as 'yes'
https://bugzilla.mindrot.org/show_bug.cgi?id=2493
Bug ID: 2493
Summary: Accept host key fingerprint as the same as 'yes'
Product: Portable OpenSSH
Version: 6.9p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: micah at riseup.net
Maybe this is a terrible idea, but it seems like a great and simple
improvement.
When prompted with this dialog:
The authenticity of host 'blah.blah.blah (10.10.10.10)' can't be
established. RSA key fingerprint is
a4:d9:a4:d9:a4:d9a4:d9:a4:d9a4:d9a4:d9a4:d9a4:d9a4:d9.
Are you sure you want to continue connecting (yes/no)?
1. I want to verify this key
2. if it's a new system, I use ssh-keygen -lf to print out the host's
fingerprint so I can compare it
3. if it's the first time I've installed openssh-server on debian, it
prints out the just generated host key fingerprint to stdout
4. if it's not a new system, but a shared/collaboratively managed one, I
have the host key fingerprint either in a file, or someone has provided
it to me over a secure channel.
In order for me to verify the key (#1) in any of the cases #2-4 I have
to visually inspect each character, comparing it one by one. A tedious,
but necessary process. In all the cases, I already have the fingerprint
available to me, but I have to pass it through my human-fallible visual
comparison process. It's so annoying and prone to failure that I'm
discouraged from doing it.
What if I didn't have to pass it through my eyes, into my short-term
memory, and then compare it with the other one on the screen... and
instead I could just copy the known-good, verified key fingerprint from
another location and simply paste it into the dialog asking me for
confirmation and that would accept it in the same way that typing 'yes'
would accept it?
In other words, what if the equivalent to 'yes' was the user typing in
the host key's fingerprint? Sure, the user can just copy and paste what
is presented there, which won't help them, but most people will also
just type 'yes' without checking the fingerprint as well, so it is no
degradation to the existing status quo.
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2015-Nov-10 13:44 UTC
[Bug 2493] Accept host key fingerprint as the same as 'yes'
https://bugzilla.mindrot.org/show_bug.cgi?id=2493
Jakub Jelen <jjelen at redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |jjelen at redhat.com
--- Comment #1 from Jakub Jelen <jjelen at redhat.com> ---
I really like this idea. I was thinking about this step many times, but
this solution seems really elegant, if there is no CA or SSHFP.
The best thing is always to get the whole public key you can store by
hand in your known_hosts. But having only the fingerprint makes it more
difficult and this feature would basically solve it.
This would allow us to leave both methods available (yes/no checking or
pasted fingerprint). It would also be helpful for the new fingerprint
methods using SHA256 and base64, which are even harder to read and
compare.
> The authenticity of host 'somehost (10.0.0.1)' can't be
established. ECDSA key fingerprint is
SHA256:9hT+deeJW3NzlzBXvJ3eK/lr7QYmxaZweHqzPG2WASU.
> Are you sure you want to continue connecting (yes/no)?
> Or you can verify the fingerprint by writing it here: |
It would also solve the issue with different hashes, which can be a
problem at the moment when connecting with a new client (6.8+) to an old
machine (as described in bug #2439).
The texts would probably need a bit of tweaking, but yes, the concept
sounds great.
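The acceptance rule discussed in the report and in comment #1, as an added Python example that is not OpenSSH's own code: the answer "yes" is still accepted, and so is a pasted fingerprint that matches the presented host key, in either the legacy colon-separated MD5 form or the SHA256 base64 form (which covers the old-client/new-client hash mismatch Jakub mentions). The host key blob is a constructed sample, and the prompt-handling function names are assumptions.

```python
import base64
import hashlib
import hmac

# Constructed sample: a made-up ssh-ed25519 public key blob in SSH wire
# encoding (string "ssh-ed25519" followed by a 32-byte dummy key); it is
# not any real server's key.
SAMPLE_KEY_BLOB = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(range(32))


def sha256_fingerprint(key_blob: bytes) -> str:
    """SHA256 fingerprint in the 6.8+ style: base64 without '=' padding."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def md5_fingerprint(key_blob: bytes) -> str:
    """Legacy fingerprint: colon-separated lowercase hex of the MD5 digest."""
    hexdigest = hashlib.md5(key_blob).hexdigest()
    return "MD5:" + ":".join(hexdigest[i:i + 2] for i in range(0, 32, 2))


def normalise(answer: str) -> str:
    """Bring whatever the user pasted into one of the two canonical forms."""
    fp = answer.strip()
    if fp[:7].lower() == "sha256:":
        return "SHA256:" + fp[7:].rstrip("=")
    if fp[:4].lower() == "md5:":
        fp = fp[4:]
    parts = fp.split(":")
    if len(parts) == 16 and all(len(p) == 2 for p in parts):
        return "MD5:" + fp.lower()          # bare hex form, as ssh < 6.8 printed it
    return "SHA256:" + fp.rstrip("=")       # bare base64 form, assumed SHA256


def accept_host_key(answer: str, key_blob: bytes) -> bool:
    """True if the answer is 'yes' or a fingerprint matching key_blob."""
    word = answer.strip().lower()
    if word == "yes":
        return True
    if word in ("", "no"):
        return False
    candidate = normalise(answer).encode("ascii", "replace")
    known = (sha256_fingerprint(key_blob), md5_fingerprint(key_blob))
    # Constant-time compare; a single wrong character must fail, so a
    # fingerprint read off a different host never unlocks this one.
    return any(hmac.compare_digest(candidate, k.encode("ascii")) for k in known)
```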
bugzilla-daemon at bugzilla.mindrot.org
2015-Nov-11 18:16 UTC
[Bug 2493] Accept host key fingerprint as the same as 'yes'
https://bugzilla.mindrot.org/show_bug.cgi?id=2493
Daniel Kahn Gillmor <dkg at fifthhorseman.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |dkg at fifthhorseman.net
--- Comment #2 from Daniel Kahn Gillmor <dkg at fifthhorseman.net> ---
I also like this idea.
If you have the host key or its fingerprint already available, you
should be able to just add it to your known_hosts file *before* you
connect to the machine, but that's not a realistic workflow for most
people.
So Micah's suggestion is a good one that I think integrates well with
common workflows.
bugzilla-daemon at bugzilla.mindrot.org
2020-Jan-25 12:14 UTC
[Bug 2493] Accept host key fingerprint as the same as 'yes'
https://bugzilla.mindrot.org/show_bug.cgi?id=2493
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |FIXED
CC| |djm at mindrot.org
--- Comment #3 from Damien Miller <djm at mindrot.org> ---
This feature has been available since openssh-8.0
bugzilla-daemon at mindrot.org
2021-Apr-23 05:02 UTC
[Bug 2493] Accept host key fingerprint as the same as 'yes'
https://bugzilla.mindrot.org/show_bug.cgi?id=2493
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED
--- Comment #4 from Damien Miller <djm at mindrot.org> ---
closing resolved bugs as of 8.6p1 release