openssh unix dev - Jan 2001 - openssh 2.3.0p1 doesn't show fingerprints

On Sat, Jan 13, 2001 at 09:33:24PM -0800, Noam Sturmwind
wrote:
> I've noticed that in openssh 2.3.0 when I connect to a new server or to
> one on which the host key has changed, it warns me that the key is unknown
> or changed, but doesn't show me the host key fingerprint so I can
verify
> it. This goes for both protocols 1 (RSA host key) and 2 (DSA host key). I
> remember that older versions used to display a warning and the
> fingerprint and ask if I still wanted to connect (yes/no).
openssh will show the fingerprint and ask (yes/no) if the
host key is unknown (if StrictHostKeyChecking is set to ask,
of course).

if the hostkey has changed and StrictHostKeyChecking != no
(the default is 'ask') then the ssh will exit.

you can now remove the offending key, reconnect, and
check the fingerprint given by the client (since the
host key is now unknown).

however, in future openssh versions we will display
the fingerprint for changed host keys, too.
> Please let me know if I'm missing an option which turns display of
> fingerprint & prompting on. Though, even if there is, I think it should
be
> on by default... let advanced users turn it off rather than the other way
> around.
the default is 
	StrictHostKeyChecking ask
and this should be ok for less advanced users.

-markus

> openssh will show the fingerprint and ask (yes/no) if the
> host key is unknown (if StrictHostKeyChecking is set to ask,
> of course).
>
...
>
> the default is
> 	StrictHostKeyChecking ask
> and this should be ok for less advanced users.
This is interesting... on my build (precompiled Mandrake cooker,
openssh-2.3.0p1-7.3mdk) the default is StrictHostKeyChecking no. man
ssh(1) says for StrictHostKeyChecking, "The argument must be
``yes'' or
``no''." No mention of an 'ask' setting anywhere I can
find, though it
does work if I set it to ask. Thanks for the help.

Noam Sturmwind