bugzilla-daemon at bugzilla.mindrot.org
2015-Nov-10 04:42 UTC
[Bug 2493] New: Accept host key fingerprint as the same as 'yes'
bugzilla.mindrot.org/show_bug.cgi?id=2493

Bug ID: 2493
Summary: Accept host key fingerprint as the same as 'yes'
Product: Portable OpenSSH
Version: 6.9p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: micah at riseup.net

Maybe this is a terrible idea, but it seems like a great, and simple improvement. When prompted with this dialog:

    The authenticity of host 'blah.blah.blah (10.10.10.10)' can't be established.
    RSA key fingerprint is a4:d9:a4:d9:a4:d9a4:d9:a4:d9a4:d9a4:d9a4:d9a4:d9a4:d9.
    Are you sure you want to continue connecting (yes/no)?

1. I want to verify this key
2. if it's a new system, I use ssh-keygen -lf to print out the host's fingerprint so I can compare it
3. if it's the first time I've installed openssh-server on debian, it prints out the just generated host key fingerprint to stdout
4. if it's not a new system, but a shared/collaboratively managed one, I have the host key fingerprint either in a file, or someone has provided it to me over a secure channel.

In order for me to verify the key (#1) in any of the cases #2-4 I have to visually inspect each character, comparing it one by one. A tedious, but necessary process. In all the cases, I already have the fingerprint available to me, but I have to pass it through my human-fallible visual comparison process. It's so annoying and prone to failure that I'm discouraged from doing it.

What if I didn't have to pass it through my eyes, into my short-term memory, and then compare it with the other one on the screen... and instead I could just copy the known-good, verified key fingerprint from another location and simply paste it into the dialog asking me for confirmation, and that would accept it in the same way that typing 'yes' would accept it? In other words, what if the equivalent to 'yes' was the user typing in the host key's fingerprint?

Sure, the user can just copy and paste what is presented there, which won't help them, but most people will also just type 'yes' without checking the fingerprint as well, so it is no degradation to the existing status quo.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2015-Nov-10 13:44 UTC
[Bug 2493] Accept host key fingerprint as the same as 'yes'
Jakub Jelen <jjelen at redhat.com> changed:

    What | Removed | Added
    -----+---------+---------------------
    CC   |         | jjelen at redhat.com

--- Comment #1 from Jakub Jelen <jjelen at redhat.com> ---

I really like this idea. I was thinking about this step many times, but this solution seems really elegant, if there is no CA or SSHFP. The best thing is always to get the whole public key you can store by hand in your known_hosts. But having only a fingerprint makes it more difficult and this feature would basically solve it. This would allow us to leave both methods available (yes/no checking or pasted fingerprint). It would be also helpful for the new fingerprint methods using SHA256 and base64, which is even harder to read and compare.

> The authenticity of host 'somehost (10.0.0.1)' can't be established.
> ECDSA key fingerprint is SHA256:9hT+deeJW3NzlzBXvJ3eK/lr7QYmxaZweHqzPG2WASU.
> Are you sure you want to continue connecting (yes/no)?
> Or you can verify the fingerprint by writing it here: |

It would also solve the issue with different hashes, which can be a problem at the moment when connecting with a new client (6.8+) to an old machine (as described in bug #2439). The texts would probably need a bit of tweaking, but yes, the concept sounds great.
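As an added illustration of the prompt logic proposed in the report and in Jakub's comment (this is not OpenSSH code and not code from anyone in this thread), the Python model below accepts either 'yes' or a pasted fingerprint, and normalizes both the legacy MD5 hex form and the SHA256 base64 form so that a fingerprint noted down from an older client still verifies against a newer client's prompt. The key blob, the function names and the `SAMPLE_KEY_BLOB` constant are constructed assumptions for the example.

```python
import base64
import hashlib
import hmac
import re


def ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: 4-byte big-endian length + payload."""
    return len(data).to_bytes(4, "big") + data


# Constructed sample: a made-up 32-byte "ed25519 public key" wrapped in the
# OpenSSH key blob layout (type name, then key bytes). Not any real host's key.
SAMPLE_KEY_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH 6.8+ display form: 'SHA256:' + unpadded base64 of SHA-256(blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(blob: bytes) -> str:
    """Legacy display form (older clients): 'MD5:' + colon-separated hex of MD5(blob)."""
    hexdigest = hashlib.md5(blob).hexdigest()
    return "MD5:" + ":".join(hexdigest[i:i + 2] for i in range(0, 32, 2))


def normalize(fp: str) -> str:
    """Canonicalize a pasted fingerprint (optional prefix, '=' padding, hex case)."""
    fp = fp.strip()
    if re.fullmatch(r"(MD5:)?([0-9a-fA-F]{2}:){15}[0-9a-fA-F]{2}", fp):
        return "MD5:" + fp.lower().removeprefix("md5:")
    if re.fullmatch(r"(SHA256:)?[A-Za-z0-9+/]{43}=?", fp):
        return "SHA256:" + fp.removeprefix("SHA256:").rstrip("=")
    return fp


def accept_host_key(answer: str, blob: bytes) -> bool:
    """True if the user typed 'yes' or pasted a fingerprint matching the key.

    Both display forms are accepted, so a fingerprint recorded from an older
    client still verifies against a newer client's SHA256 prompt.
    """
    answer = answer.strip()
    if answer == "yes":
        return True
    candidate = normalize(answer).encode()
    expected = (fingerprint_sha256(blob), fingerprint_md5(blob))
    # Constant-time comparison; a match only proves anything when the pasted
    # value came from an out-of-band source rather than the prompt itself.
    return any(hmac.compare_digest(candidate, fp.encode()) for fp in expected)
```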
bugzilla-daemon at bugzilla.mindrot.org
2015-Nov-11 18:16 UTC
[Bug 2493] Accept host key fingerprint as the same as 'yes'
Daniel Kahn Gillmor <dkg at fifthhorseman.net> changed:

    What | Removed | Added
    -----+---------+--------------------------
    CC   |         | dkg at fifthhorseman.net

--- Comment #2 from Daniel Kahn Gillmor <dkg at fifthhorseman.net> ---

I also like this idea. If you have the host key or its fingerprint already available, you should be able to just add it to your known_hosts file *before* you connect to the machine, but that's not a realistic workflow for most people. So Micah's suggestion is a good one that I think integrates well with common workflows.
bugzilla-daemon at bugzilla.mindrot.org
2020-Jan-25 12:14 UTC
[Bug 2493] Accept host key fingerprint as the same as 'yes'
Damien Miller <djm at mindrot.org> changed:

    What       | Removed | Added
    -----------+---------+-------------------
    Status     | NEW     | RESOLVED
    Resolution | ---     | FIXED
    CC         |         | djm at mindrot.org

--- Comment #3 from Damien Miller <djm at mindrot.org> ---

This feature has been available since openssh-8.0
bugzilla-daemon at mindrot.org
2021-Apr-23 05:02 UTC
[Bug 2493] Accept host key fingerprint as the same as 'yes'
Damien Miller <djm at mindrot.org> changed:

    What   | Removed  | Added
    -------+----------+-------
    Status | RESOLVED | CLOSED

--- Comment #4 from Damien Miller <djm at mindrot.org> ---

closing resolved bugs as of 8.6p1 release