curl-library

RE: libcurl and libssh2

From: Xu, Qiang (FXSGSC) <Qiang.Xu_at_fujixerox.com>
Date: Wed, 14 Oct 2009 16:24:47 +0800

> -----Original Message-----
> From: curl-library-bounces_at_cool.haxx.se
> [mailto:curl-library-bounces_at_cool.haxx.se] On Behalf Of Michael Wood
> Sent: Wednesday, October 14, 2009 4:03 PM
> To: libcurl development
> Subject: Re: libcurl and libssh2
>
> I have never used libcurl's libssh2 support, but according to this:
>
> http://curl.haxx.se/libcurl/c/curl_easy_setopt.html#SSH
>
> it looks like you can either use
> CURLOPT_SSH_HOST_PUBLIC_KEY_MD5 to specify the MD5 hash of
> the remote host's key, or you can make sure the host key is
> cached in the .ssh/known_hosts file.

It seems the host key is already in the file ~/.ssh/known_hosts:
==================================================
13.198.98.190 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAqmvaJxoMOyeNAW5HPPP8OJtqOX2bBg
84NjFHnGFhKcmua3DwHE781J+GKaEYmSeaMAp9Wubtr6/tvqJkjOf66tIUKdOQW5ynXiiY5hQFqI29+1
qFulpoTpbW/LlICXg+lvw8qV+cj7zhZDRPKhfAZrUeZoofgT7EF5MKqTCGrr1SuL6PUEaa4zBVGbl+p8
2xPXZhKbwQXSPyPieLKDUeAWm3jlXdiMx44OjBVoAKUnwQ4aieqeVtM+XGN0iwNPGR3DwQwN1JlupLJF
8sNEggnbSccB/ihBSBJaUmYo/Q3Bveaa5UxhXw4OY1P5tM0LgOVhu/i8ZYGsSsUdd+ySlwaw==
durian ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAqmvaJxoMOyeNAW5HPPP8OJtqOX2bBg84NjFHn
GFhKcmua3DwHE781J+GKaEYmSeaMAp9Wubtr6/tvqJkjOf66tIUKdOQW5ynXiiY5hQFqI29+1qFulpoT
pbW/LlICXg+lvw8qV+cj7zhZDRPKhfAZrUeZoofgT7EF5MKqTCGrr1SuL6PUEaa4zBVGbl+p82xPXZhK
bwQXSPyPieLKDUeAWm3jlXdiMx44OjBVoAKUnwQ4aieqeVtM+XGN0iwNPGR3DwQwN1JlupLJF8sNEggn
bSccB/ihBSBJaUmYo/Q3Bveaa5UxhXw4OY1P5tM0LgOVhu/i8ZYGsSsUdd+ySlwaw==
==================================================
The above is the content of the file, although it seems meaningless to me. :-(
 
> To get the key into the known_hosts files, you can just try
> to run the ssh command line tool to connect to the remote
> machine. It does not seem like there is a way to do it from
> within libcurl, but maybe I am wrong.
>
> Anyway, you would need to verify that this key is correct,
> otherwise you would be vulnerable to man-in-the-middle
> attacks, so maybe libcurl just thinks it's someone else's
> problem to get the key before telling libcurl to connect to
> the remote machine.

How do I verify that the key is correct? What toolkit shall I use?

Thanks,
Xu Qiang
Received on 2009-10-14
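
Added example, not part of the original message and not libcurl's own code: it parses known_hosts entries of the kind shown in the thread and derives the 32-hex-digit MD5 value that CURLOPT_SSH_HOST_PUBLIC_KEY_MD5 takes. The function names and the sample entry (a toy key for host.example) are constructed for illustration, and the text is assumed to hold one entry per line, as the real file does.

```python
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire-format string: 4-byte big-endian length, then bytes."""
    return struct.pack(">I", len(data)) + data


# Constructed sample entry: toy exponent and modulus, not a real host key.
SAMPLE_BLOB = (_ssh_string(b"ssh-rsa") + _ssh_string(b"\x23")
               + _ssh_string(b"\x00\xc5\x3a\x91\x07"))
SAMPLE_KNOWN_HOSTS = ("# constructed example\n"
                      "host.example,192.0.2.10 ssh-rsa "
                      + base64.b64encode(SAMPLE_BLOB).decode() + "\n")


def parse_entry(line: str):
    """Return (hosts, key_type, blob) for one entry, None for blanks/comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("malformed known_hosts line")
    hosts, key_type, b64 = fields[:3]
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    # The blob begins with the algorithm name; it must agree with field 2.
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != key_type.encode("ascii"):
        raise ValueError("key type does not match key blob")
    return hosts.split(","), key_type, blob


def md5_hex(blob: bytes) -> str:
    """32 hex digits, the form CURLOPT_SSH_HOST_PUBLIC_KEY_MD5 takes."""
    return hashlib.md5(blob).hexdigest()


def colon_form(hex_fp: str) -> str:
    """Colon-separated form used in OpenSSH MD5 fingerprints."""
    return ":".join(hex_fp[i:i + 2] for i in range(0, len(hex_fp), 2))


def fingerprints_for(known_hosts_text: str, host: str):
    """MD5 fingerprints of every plain (unhashed) entry naming `host`."""
    entries = filter(None, map(parse_entry, known_hosts_text.splitlines()))
    return [md5_hex(blob) for hosts, _, blob in entries if host in hosts]
```

A fingerprint derived from your own known_hosts only shows which key was cached at first contact. To rule out a man-in-the-middle, compare it with the fingerprint the server's administrator reports over a separate channel.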