cURL / Mailing Lists / curl-library / Single Mail

curl-library

Re: Why does libcurl need the public key for SFTP auth anyway?

From: Albert Chin <curl-library_at_mlists.thewrittenword.com>
Date: Sun, 20 Sep 2009 09:38:25 -0500

On Sat, Sep 19, 2009 at 07:41:27PM +0000, Gary V. Vaughan wrote:
> On Sat, Sep 19, 2009 at 11:14:35AM -0500, Luke Dashjr wrote:
> > On Saturday 19 September 2009 10:57:43 am Gary V. Vaughan wrote:
> > > Now that I think about it, isn't this a bug (tweaking the script
> > > from my last post slightly)?
> >
> > No. The entire security of SSH/SFTP/SSL comes from having the public
> > key. If you just trust whatever key it sends, it is vulnerable to
> > man-in-the-middle attacks.
>
> So I should be passing the public key of the remote host to libcurl,
> and not the public part of the private key I'm using to authenticate?

All curl should need is the private key and the public key of the host.
That's all ssh needs.

-- 
albert chin (china_at_thewrittenword.com)
Received on 2009-09-20