Displaying 20 results from an estimated 1000 matches similar to: "[Bug 112] New: Using host key fingerprint instead of "yes""
2006 Feb 04
2
[PATCH] allow user to update changed key in known_hosts
Hi list,
I use ssh a lot and I often need to connect to hosts whose host key has
changed. If a host key of the remote host changes ssh terminates and the
user has to manually delete the offending host key from known_hosts. I
had to do this so many times that I no longer like the idea ;-)
I would really like ssh to ask me if the new host key is OK and if I
want to add it to known_hosts.
I talked
2003 Mar 04
0
hashing known_hosts
Scenario:
I have access to a semi-public (about 30 users) server where I keep my
webpage. Occasionally, especially if I'm on the road, I use this as a
bounce point to get to "secured" systems which only allow ssh from
certain IPs. (Ignoring the discussion on spoofing, since we have host
keys)
But host keys are the problem. If anyone gets root on this hypothetical
2024 Oct 14
2
[RFC] Preferentially TOFU certificate authorities rather than host keys
There's currently no way to express trust for an SSH certificate CA other
than by manually adding it to known_hosts. This patch modifies the automatic
key write-out behaviour on user verification to associate the hostname with
the CA rather than the host key, allowing environments making use of
certificates to update (potentially compromised) host keys without needing
to modify client
2010 Dec 09
0
[PATCH] mention ssh-keyscan in remote host fingerprint warning
Hi, below is a patch to simply mention 'ssh-keygen' when a fingerprint
does not match between the known_hosts file and the remote.
I find that many people are unaware that ssh-keygen can do this for them.
Adding a copy-and-pasteable message in the warning will make users
more aware.
Description: Mention ssh-keygen in ssh fingerprint changed warning
Author: Scott Moser <smoser at
2004 Oct 03
0
[patch] tell user about hosts with same key
The attached patch implements a feature that would make my interaction
with ssh somewhat more secure. When connecting to a host whose key is
not in the known_hosts file, this patch makes ssh tell the user about any
other hosts in the known_hosts file that have the same key.
For example, if I have host A in my known_hosts file, and try to connect
to host B which is an alias for A, ssh will tell
2012 Dec 27
3
[PATCH] hostfile: list known names (if any) for new hostkeys
When connecting to a host for which there's no known hostkey, check if the
relevant key has been accepted for other hostnames. This is useful when
connecting to a host with a dynamic IP address or multiple names.
---
auth.c | 4 ++--
hostfile.c | 42 ++++++++++++++++++++++++++++--------------
hostfile.h | 8 ++++++--
sshconnect.c | 39 +++++++++++++++++++++++++++++++++------
2015 Feb 19
2
Proposal: Allow HostKeyAlias to be used in hostname check against certificate principal.
Howdy --
I have a number of servers with host keys validated by certificates.
These systems are behind a load-balanced frontend, and the
certificates are signed as valid for the DNS name used by that common
frontend address.
This works well for the primary use case of the systems; however, when
wishing to address only a single unit within the pool, the certificate
cannot be used to validate that
2010 Feb 22
2
ld: Unsatisfied symbol "options" in file ./libssh.a[hostfile.o]
Hi All,
I want to add an option in ssh_config to co-work with ldap. But when I am compiling, I encountered a
ld error, which says "cc -o ssh-keygen ssh-keygen.o -Wl,+nodefaultrpath -L. -Lopenbsd-compat/ -lssh -lopenbsd-compat -lz -lnsl -lxnet -lsec -lgssapi_krb5 -lkrb5 -lpthread
ld: Unsatisfied symbol "options" in file ./libssh.a[hostfile.o]
1 errors."
The following is
2002 Jan 26
7
[PATCH] Added NoDelay config option and nodelay subsystem option
Hello again!
Since there was some resistance against adding TCP_NODELAY unconditionally,
I've made another patch. The new patch contains the following:
* Added a NoDelay yes/no (default no) config option to ssh and sshd
* Added -oNoDelay=yes to the ssh command line for sftp.
* Changed the sshd subsystem config option syntax from
Subsystem name path
to
Subsystem name options path
2001 Dec 04
0
PATCH: log key fingerprint upon successful login
This patch is against 3.0.2p1. It produces output like the first line in the
example below for both v1 and v2 logins. Logging is turned on by sticking
``LogFingerprint yes'' in sshd_conf. It would be nice if something like this
would make it into OpenSSH.
Dec 4 14:21:09 lizzy.bugworks.com sshd[7774]: [ID 800047 auth.info] Found
matching RSA1 key:
2002 Jan 29
2
Key fingerprint logging
Hello there!
I have made a patch against OpenSSH 3.0.2p1 which allows the fingerprint of
the accepted key to be printed in the log message. It works with SSH1-RSA and
SSH2 pubkey (DSA+RSA) authentication.
This feature is controllable by the LogKeyFingerprint config option (turned
off by default).
Michal Kara
-------------- next part --------------
diff -u5
2020 Sep 08
3
ssh: case insensitive fingerprint validation
Hello!
I noticed the ssh client now allows you to paste a fingerprint at the
host key verification question which I thought was pretty cool and a
welcome feature.
When testing it out I discovered it did not care about the case of the
entered hash, and looking at sshconnect.c I see strcasecmp() is
used which explains why.
I'm just curious if this was a deliberate decision or if it would make
2002 Jan 25
0
[Bug 81] New: ssh cannot use ssh-askspass & passphrases as documented
http://bugzilla.mindrot.org/show_bug.cgi?id=81
Summary: ssh cannot use ssh-askspass & passphrases as documented
Product: Portable OpenSSH
Version: 3.0.2p1
Platform: Sparc
OS/Version: SunOS
Status: NEW
Severity: normal
Priority: P2
Component: ssh
AssignedTo: openssh-unix-dev at mindrot.org
2002 Jan 26
5
[PATCH] Connect timeout
The attached patch adds a new 'ConnectTimeout' option (man page updated
in patch) to avoid wasting time when the target host is down. I needed that
because I was using rsync/rdist over ssh for massive files update and the
default connect() took too long for my purpose.
The patch was tested on Linux only, but I used a similar one for ssh 1.2.XX
on Linux, Solaris and HP-UX without
2002 Feb 27
2
static link
hi,
i have downloaded the linux-version of openssh-3.0.2p1. i wanted
to compile it statically with the following configure-statement:
./configure --prefix=/usr/local/opt/openssh-3.0.2p1 --with-pam
--with-md5-passwords --with-v4-default --with-ldflags=-static
--with-ssl-dir=/usr/local/opt/openssl
It worked for the older 2.9 version, but now i get the following error:
gcc -o ssh ssh.o
2002 Feb 25
0
link statically
hi,
i have downloaded the linux-version of openssh-3.0.2p1. i wanted
to compile it statically with the following configure-statement:
./configure --prefix=/usr/local/opt/openssh-3.0.2p1 --with-pam
--with-md5-passwords --with-v4-default --with-ldflags=-static
--with-ssl-dir=/usr/local/opt/openssl
It worked for the older 2.9 version, but now i get the following error:
gcc -o ssh ssh.o
2000 Feb 04
0
Patch that allows equal sign in options
Hi,
Here is a patch for release 1.2.2 that allows the use of '=' instead
of whitespace when specifying options. For options on the commandline,
it can be useful to be able to avoid whitespace in some situations.
best regards and thanks for the patch regarding segfaulting with PAM,
Stefan
-------------------------------------------------------------------
Email: Stefan.Heinrichs at
2007 Oct 10
0
PATCH: incorrect behaviour of 'ssh-keygen -HF'
hi, the corner case of '-HF' hashes the whole hostline and not just
the host xor IP address which means that usually it will hash "HOST,IP".
This will never be matched if manually included into the known_host file.
Patch against 4.7p1 attached.
J.
--
Jan Pechanec
-------------- next part --------------
--- openssh-4.7p1/ssh-keygen.c Mon Feb 19 12:10:25 2007
+++
2007 Oct 19
3
[Bug 1376] New: 'ssh-keygen -HF' hashes host,IP together
https://bugzilla.mindrot.org/show_bug.cgi?id=1376
Summary: 'ssh-keygen -HF' hashes host,IP together
Classification: Unclassified
Product: Portable OpenSSH
Version: 4.7p1
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P3
Component: ssh-keygen
AssignedTo: bitbucket
2003 Nov 04
0
ServerLiesWarning
I'm trying to replace some sshv1 clients and servers in a modular way,
and the "Server Lies" warning (when the server says the key has one
more bit than it really has) is causing heartache. Per the FAQ, this
is relatively benign. Here's a patch that allows an admin or user to
disable the warning.
- Morty
diff -Nur openssh-3.7.1p2/readconf.c