Can we have better ssh fingerprint collision messages?
Przemek Klosowski
przemek.klosowski at nist.gov
Wed Nov 13 18:29:34 UTC 2013
On 11/12/2013 07:47 AM, Miroslav Suchý wrote:
>
> 2) if you know that some machines change fingerprint and you *trust
> it* you can do:
>
> ~/.ssh/config:
> Host 192.168.1.1
> UserKnownHostsFile /dev/null

It always bugged me that the choice was to either disable or manually
edit an obscure file, so I was happy to find that you can delete stale
entries from the command line:

ssh-keygen -R hostname

Admittedly, this is pretty obscure and I think it would be a better idea
if SSH directly allowed an override, perhaps like this:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
23:00:21:33:d4:0f:95:f1:eb:34:b2:57:cf:3f:2c:e7.
If you think it's safe to override this check, you can connect
this time [o] or delete the current host key before connecting [O]:
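
Added example, not part of the original message or of OpenSSH: a Python sketch of the comparison behind the warning above. It replaces a single host's stale entry only when the new fingerprint was confirmed out of band, rather than disabling the check with `UserKnownHostsFile /dev/null`. The key blobs, the name `host.example` and all function names are constructed for illustration, and only plain (unhashed, unmarked) `known_hosts` lines are handled.

```python
import base64
import hashlib
import struct

def ssh_string(data):
    """Length-prefixed string as used in the SSH wire format."""
    return struct.pack(">I", len(data)) + data

def make_blob(seed):
    """Constructed stand-in for an RSA public key blob (not a usable key)."""
    n = b"\x00" + hashlib.sha256(seed).digest() * 8
    return ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(n)

def md5_fp(blob):
    """Colon-separated MD5 fingerprint, the format shown in the warning."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def names(line):
    """Host names on a plain known_hosts line; empty for blanks and comments."""
    fields = line.split()
    return fields[0].split(",") if len(fields) >= 3 and fields[0][0] != "#" else []

def check_host(known_hosts, host, presented):
    """Return 'match', 'changed' or 'unknown' for the key a server presents."""
    status = "unknown"
    for line in known_hosts.splitlines():
        if host in names(line):
            if base64.b64decode(line.split()[2]) == presented:
                return "match"
            status = "changed"  # host is known, but under a different key
    return status

def replace_if_verified(known_hosts, host, presented, verified_fp):
    """Swap only this host's entry, and only if the fingerprint was confirmed."""
    if md5_fp(presented) != verified_fp:
        raise ValueError("fingerprint not confirmed out of band; entry kept")
    kept = [l for l in known_hosts.splitlines() if host not in names(l)]
    kept.append(f"{host} ssh-rsa {base64.b64encode(presented).decode()}")
    return "\n".join(kept) + "\n"

# Constructed sample data: two known hosts, then 192.168.1.1 presents a new key.
OLD, NEW, OTHER = make_blob(b"old"), make_blob(b"new"), make_blob(b"other")
KNOWN = "".join(f"{h} ssh-rsa {base64.b64encode(k).decode()}\n"
                for h, k in (("192.168.1.1", OLD), ("host.example", OTHER)))

if __name__ == "__main__":
    print(check_host(KNOWN, "192.168.1.1", NEW), md5_fp(NEW))
```

Entries for every other host stay pinned after the replacement, which is the difference from pointing the host at `/dev/null`.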