curl-library

Re: Why does libcurl need the public key for SFTP auth anyway?

From: Gary V. Vaughan <curl-library_at_mlists.thewrittenword.com>
Date: Mon, 21 Sep 2009 17:50:10 +0000

[Resend after 3 hours or so... apologies if the original also arrives]

On Sun, Sep 20, 2009 at 09:38:25AM -0500, Albert Chin wrote:
> On Sat, Sep 19, 2009 at 07:41:27PM +0000, Gary V. Vaughan wrote:
> > On Sat, Sep 19, 2009 at 11:14:35AM -0500, Luke Dashjr wrote:
> > > On Saturday 19 September 2009 10:57:43 am Gary V. Vaughan wrote:
> > > > Now that I think about it, isn't this a bug (tweaking the script
> > > > from my last post slightly)?
> > >
> > > No. The entire security of SSH/SFTP/SSL comes from having the public
> > > key. If you just trust whatever key it sends, it is vulnerable to
> > > man-in-the-middle attacks.
> >
> > So I should be passing the public key of the remote host to libcurl,
> > and not the public part of the private key I'm using to authenticate?

And my next point was going to be that known_hosts provides host key
management as defence against MITM attacks, so explicitly requiring
a public key (host key, or the public part of my auth key) still seems
unnecessary.

> All curl should need is the private key and the public key of the host.
> That's all ssh needs.

Agreed.

Cheers,
    Gary

-- 
Gary V. Vaughan (gary_at_thewrittenword.com)
Received on 2009-09-21
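The point made in this mail is that host-key management (known_hosts) is what actually defends an SFTP client against a man-in-the-middle, independent of which user key is used to authenticate. The following added example, which is not code from the thread, from curl or from libssh2, re-implements that check stand-alone in Python: it parses OpenSSH-style known_hosts entries (plain and hashed hostnames, plus @revoked markers), compares the key a server presents, and reports match, mismatch (the MITM signal), revoked or unknown. libcurl itself exposes this through CURLOPT_SSH_KNOWNHOSTS and CURLOPT_SSH_KEYFUNCTION; the known_hosts text, salt and key blobs below are constructed for the demo and are not real keys.

```python
"""Host-key checking against OpenSSH known_hosts entries.

Added, stand-alone example for the curl-library thread on SFTP host keys.
It is not libcurl's or libssh2's code; all keys and hosts are constructed.
"""
import base64
import binascii
import hashlib
import hmac


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (4-byte big-endian length + data)."""
    return len(data).to_bytes(4, "big") + data


def make_key_blob(key_type: str, raw: bytes) -> str:
    """Build the base64 blob that appears in known_hosts: string(type) + string(raw key).

    The raw bytes used in this example are constructed and carry no real key material.
    """
    return base64.b64encode(_ssh_string(key_type.encode()) + _ssh_string(raw)).decode()


def hash_hostname(host: str, salt: bytes) -> str:
    """HashKnownHosts-style pattern: |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def host_pattern_matches(field: str, host: str) -> bool:
    """Match the first known_hosts field (comma-separated, plain or hashed) against host.

    Supports plain names, hashed names and the bare '*' used on @revoked lines;
    general wildcards and '!' negation are deliberately left out.
    """
    for pattern in field.split(","):
        if pattern == "*":
            return True
        if pattern.startswith("|1|"):
            try:
                _, _, salt_b64, _ = pattern.split("|")
                salt = base64.b64decode(salt_b64)
            except (ValueError, binascii.Error):
                continue  # malformed hashed entry: never match on it
            if hmac.compare_digest(hash_hostname(host, salt), pattern):
                return True
        elif pattern.lower() == host.lower():
            return True
    return False


def fingerprint_sha256(key_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a key blob (base64 without padding)."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def check_host_key(known_hosts: str, host: str, key_type: str, key_b64: str) -> str:
    """Return 'match', 'mismatch', 'revoked' or 'unknown' for a presented host key.

    'mismatch' means the host is known with this key type but the key differs:
    that is the man-in-the-middle signal a client must refuse. A host known only
    under another key type is 'unknown' (as OpenSSH treats it). @cert-authority
    lines are skipped because certificate validation is out of scope here.
    """
    saw_mismatch = False
    for line in known_hosts.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        marker = None
        if line.startswith("@"):
            marker, line = line.split(None, 1)
        parts = line.split(None, 2)  # hosts, key type, base64 blob (+ optional comment)
        if len(parts) < 3:
            continue
        hosts, entry_type, rest = parts
        entry_key = rest.split(None, 1)[0]
        if marker == "@cert-authority" or not host_pattern_matches(hosts, host):
            continue
        if entry_type != key_type:
            continue
        same_key = hmac.compare_digest(entry_key, key_b64)
        if marker == "@revoked":
            if same_key:
                return "revoked"
            continue
        if same_key:
            return "match"
        saw_mismatch = True
    return "mismatch" if saw_mismatch else "unknown"


# Constructed sample data: fixed salt and fake key bodies, not real SSH keys.
SALT = bytes(range(20))
KEY_A = make_key_blob("ssh-ed25519", bytes([0x11] * 32))    # key recorded for sftp.example.com
KEY_B = make_key_blob("ssh-ed25519", bytes([0x22] * 32))    # key recorded for backup.example.net
KEY_OLD = make_key_blob("ssh-ed25519", bytes([0x33] * 32))  # key marked @revoked for every host

KNOWN_HOSTS = "\n".join([
    "# constructed sample, not a real known_hosts file",
    "sftp.example.com,192.0.2.10 ssh-ed25519 %s" % KEY_A,
    "%s ssh-ed25519 %s" % (hash_hostname("backup.example.net", SALT), KEY_B),
    "@revoked * ssh-ed25519 %s" % KEY_OLD,
])

if __name__ == "__main__":
    for host, key in [("sftp.example.com", KEY_A), ("sftp.example.com", KEY_B),
                      ("backup.example.net", KEY_B), ("new.example.org", KEY_A),
                      ("sftp.example.com", KEY_OLD)]:
        verdict = check_host_key(KNOWN_HOSTS, host, "ssh-ed25519", key)
        print("%-20s %s %s" % (host, fingerprint_sha256(key), verdict))
```

The second case (sftp.example.com presenting KEY_B) is the one a client must treat as fatal: the host is known, the key type is the same, and the key differs. The fourth case (a host with no entry) is the trust-on-first-use decision; a client that auto-accepts there gains nothing from known_hosts on the first connection but is protected on every later one, which is why requiring the user's own public key adds no MITM protection on top of the host-key check.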