curl-library
Re: libcurl and libssh2
Date: Wed, 14 Oct 2009 10:50:42 +0200
2009/10/14 Xu, Qiang (FXSGSC) <Qiang.Xu_at_fujixerox.com>:
>> -----Original Message-----
>> From: curl-library-bounces_at_cool.haxx.se
>> [mailto:curl-library-bounces_at_cool.haxx.se] On Behalf Of Michael Wood
[...]
>> I have never used libcurl's libssh2 support, but according to this:
>>
>> http://curl.haxx.se/libcurl/c/curl_easy_setopt.html#SSH
>>
>> it looks like you can either use
>> CURLOPT_SSH_HOST_PUBLIC_KEY_MD5 to specify the MD5 hash of
>> the remote hosts key, or you can make sure the host key is
>> cached in the .ssh/known_hosts file.
>
> It seems the host key is already in the file ~/.ssh/known_hosts:
> ==================================================
> 13.198.98.190 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAqmvaJxoMOyeNAW5HPPP8OJtqOX2bBg
[...]
> ==================================================
> The above is the content of the file, although it seems meaningless to me. :-(
The AAAAB3... part is the key and you can see it is an RSA key.
>> Anyway, you would need to verify that this key is correct,
>> otherwise you would be vulnerable to man in the middle
>> attacks, so maybe libcurl just thinks it's someone else's
>> problem to get the key before telling libcurl to connect to
>> the remote machine.
>
> How to verify the key is correct? What toolkit shall I use?
Compare it to the public host key file on the server :)
e.g. have a look at /etc/ssh/ssh_host_rsa_key.pub (or maybe
/usr/local/etc/ssh... depending on how sshd is installed.)
You can also use ssh-keygen to show you fingerprints instead of the whole key:
On the server:
ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub
On the client:
ssh-keygen -F 13.198.98.190 -l -f ~/.ssh/known_hosts
-- Michael Wood <esiotrot_at_gmail.com> ------------------------------------------------------------------- List admin: http://cool.haxx.se/list/listinfo/curl-library Etiquette: http://curl.haxx.se/mail/etiquette.htmlReceived on 2009-10-14