
curl-library

Re: patch to allow for ssh md5 checking option

From: Dan Fandrich <dan_at_coneharvesters.com>
Date: Mon, 24 Sep 2007 11:22:43 -0700

On Mon, Sep 24, 2007 at 10:49:57AM -0700, Johnny Luong wrote:
> I've attached a patch (against curl-7.17.0) to the scp/sftp subsystem so
> that it'll take another option, the md5 fingerprint of the host public
> key, and fail if it doesn't match up to what the user thinks it should be.
>
> Let me know if you have any thoughts on it.

I think this is a great idea! I like the libcurl side of things (although
I think the code should err out in the case
(data->set.str[STRING_SSH_HOST_PUBLIC_KEY_MD5] &&
 strlen(data->set.str[STRING_SSH_HOST_PUBLIC_KEY_MD5]) != 32)
), but I think expecting the user to provide an MD5 string on the command-line
is a bit much to expect on the curl side and will seldom get used. Instead,
I think curl should automatically derive the MD5 fingerprint directly
from a host entry in an OpenSSH-compatible ~/.ssh/known_hosts file,
with a command-line option used to disable that check (like -k for SSL).

>>> Dan

-- 
http://www.MoveAnnouncer.com              The web change of address service
          Let webmasters know that your web site has moved
Received on 2007-09-24
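The check Dan sketches above, worked through as an added example (this is not code from curl, from the submitted patch, or from either poster): parse an OpenSSH-compatible known_hosts file, base64-decode the host's public-key blob, take its MD5 fingerprint, and compare it with a 32-hex-digit string of the kind the proposed STRING_SSH_HOST_PUBLIC_KEY_MD5 option would carry. The function names, the sample key blob, the salt and the known_hosts contents are all constructed here for illustration; the blob has the ssh-rsa wire layout but is not a usable key. Hashed hostnames (`|1|salt|hmac-sha1`) are handled as well, since a HashKnownHosts file is the common case on client machines.

```python
"""Derive an MD5 host-key fingerprint from a known_hosts entry and compare it
with a user-supplied 32-hex-digit value (added example; names are assumptions)."""
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: 4-byte big-endian length + data."""
    return struct.pack(">I", len(data)) + data


# Constructed sample public-key blob in ssh-rsa wire layout (type, e, n).
# The modulus is a placeholder byte pattern, so this is not a real key.
SAMPLE_BLOB = (ssh_string(b"ssh-rsa")
               + ssh_string(b"\x01\x00\x01")                  # e = 65537
               + ssh_string(b"\x00" + bytes(range(1, 65))))   # placeholder n

KEY_B64 = base64.b64encode(SAMPLE_BLOB).decode()

# Constructed hashed-hostname entry, as OpenSSH writes with HashKnownHosts:
# "|1|" + base64(salt) + "|" + base64(HMAC-SHA1(salt, hostname))
SALT = bytes(range(16))
HASHED_NAME = "|1|{}|{}".format(
    base64.b64encode(SALT).decode(),
    base64.b64encode(hmac.new(SALT, b"hashed.example.org", "sha1").digest()).decode())

# Constructed sample known_hosts file: one plain entry with an alias list,
# one hashed entry, both carrying the same key.
KNOWN_HOSTS = """# constructed sample known_hosts
example.com,192.0.2.10 ssh-rsa {key}
{hashed} ssh-rsa {key}
""".format(key=KEY_B64, hashed=HASHED_NAME)


def md5_fingerprint(blob: bytes) -> str:
    """Fingerprint as 32 lowercase hex digits, the form the libcurl option expects."""
    return hashlib.md5(blob).hexdigest()


def colon_form(hex_fp: str) -> str:
    """OpenSSH's display form of the same fingerprint, e.g. 'ab:cd:...'."""
    return ":".join(hex_fp[i:i + 2] for i in range(0, len(hex_fp), 2))


def hostname_matches(pattern: str, host: str) -> bool:
    """Match one known_hosts host field: a comma-separated name list, or an
    OpenSSH hashed name. Hashed names are compared via HMAC-SHA1 over the host."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, mac_b64 = pattern.split("|", 3)
        salt = base64.b64decode(salt_b64)
        expected_mac = base64.b64decode(mac_b64)
        actual_mac = hmac.new(salt, host.encode(), "sha1").digest()
        return hmac.compare_digest(actual_mac, expected_mac)
    return host in pattern.split(",")


def find_host_key(known_hosts: str, host: str, keytype: str = "ssh-rsa"):
    """Return the decoded public-key blob for host, or None if there is no entry."""
    for line in known_hosts.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        names, ktype, key_b64 = fields[0], fields[1], fields[2]
        if ktype == keytype and hostname_matches(names, host):
            return base64.b64decode(key_b64)
    return None


def verify_host_key(known_hosts: str, host: str, expected_fp: str):
    """Mirror the proposed check. The supplied fingerprint must normalise to
    exactly 32 hex digits (colon form is accepted), otherwise it is an error,
    as Dan suggests, rather than a silent pass. Returns True on match, False
    on mismatch, None when the host has no known_hosts entry."""
    expected = expected_fp.replace(":", "").lower()
    if len(expected) != 32 or any(c not in "0123456789abcdef" for c in expected):
        raise ValueError("MD5 fingerprint must be 32 hex digits")
    blob = find_host_key(known_hosts, host)
    if blob is None:
        return None
    return hmac.compare_digest(md5_fingerprint(blob), expected)


if __name__ == "__main__":
    fp = md5_fingerprint(SAMPLE_BLOB)
    print("fingerprint from known_hosts:", colon_form(fp))
    print("example.com matches:", verify_host_key(KNOWN_HOSTS, "example.com", fp))
    print("hashed entry matches:", verify_host_key(KNOWN_HOSTS, "hashed.example.org", fp))
    print("wrong fingerprint:", verify_host_key(KNOWN_HOSTS, "example.com", "0" * 32))
```

The three-way result is the useful design point: a missing entry (None) is a different situation from a mismatch (False), and a command-line tool would normally want the first to prompt or fail loudly while the second is always a hard error. A malformed fingerprint raises rather than being ignored, which is the fix Dan asks for on the libcurl side.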