On Sat, Jan 13, 2001 at 09:33:24PM -0800, Noam Sturmwind wrote:
> I've noticed that in openssh 2.3.0 when I connect to a new server or to
> one on which the host key has changed, it warns me that the key is unknown
> or changed, but doesn't show me the host key fingerprint so I can verify
> it. This goes for both protocols 1 (RSA host key) and 2 (DSA host key). I
> remember that older versions used to display a warning and the
> fingerprint and ask if I still wanted to connect (yes/no).

openssh will show the fingerprint and ask (yes/no) if the
host key is unknown (if StrictHostKeyChecking is set to ask,
of course).
if the hostkey has changed and StrictHostKeyChecking != no
(the default is 'ask') then the ssh will exit.
you can now remove the offending key, reconnect, and
check the fingerprint given by the client (since the
host key is now unknown).
however, in future openssh versions we will display
the fingerprint for changed host keys, too.

> Please let me know if I'm missing an option which turns display of
> fingerprint & prompting on. Though, even if there is, I think it should be
> on by default... let advanced users turn it off rather than the other way
> around.

the default is
StrictHostKeyChecking ask
and this should be ok for less advanced users.
-markus
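
The fingerprint check discussed in this thread, as an added Python example (not part of the original message and not OpenSSH code): it computes the fingerprint of a protocol 2 `known_hosts` entry and compares it with one obtained out of band, in both the MD5 colon-hex form older OpenSSH releases print and the SHA256 form current ones print. The host name, key bytes and function names are constructed for illustration; protocol 1 RSA entries use a different format and are rejected.

```python
import base64, hashlib, hmac, struct

def ssh_string(data: bytes) -> bytes:
    """Length-prefixed string, as used inside SSH public key blobs."""
    return struct.pack(">I", len(data)) + data

def parse_known_hosts_line(line: str):
    """Return (hosts, key_type, blob) for a 'hosts keytype base64' entry."""
    fields = line.split()
    if len(fields) < 3 or fields[0].startswith(("#", "@")):
        raise ValueError("not a plain protocol 2 known_hosts entry")
    hosts, key_type = fields[0], fields[1]
    blob = base64.b64decode(fields[2], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    # The blob carries its own key type; reject entries where the two disagree.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type does not match key blob")
    return hosts.split(","), key_type, blob

def fingerprints(blob: bytes) -> dict:
    """Both display forms of the fingerprint of a protocol 2 key blob."""
    md5 = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"md5": ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
            "sha256": "SHA256:" + sha}

def matches_trusted(blob: bytes, trusted: str) -> bool:
    """Compare the key against a fingerprint received out of band."""
    trusted = trusted.strip()
    fp = fingerprints(blob)
    if trusted.startswith("SHA256:"):
        candidate = fp["sha256"]
    else:
        if trusted.upper().startswith("MD5:"):
            trusted = trusted[4:]
        candidate, trusted = fp["md5"], trusted.lower()
    return hmac.compare_digest(candidate.encode(), trusted.encode())

def sample_line(host: str, key_bytes: bytes) -> str:
    """Constructed entry: a syntactically valid ssh-ed25519 blob, not a real key."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(key_bytes)
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"

OLD_LINE = sample_line("server.example", bytes(range(32)))     # entry on file
NEW_LINE = sample_line("server.example", bytes(range(1, 33)))  # key offered after a change

if __name__ == "__main__":
    _, _, offered = parse_known_hosts_line(NEW_LINE)
    print(fingerprints(offered))
```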