Can we have better ssh fingerprint collision messages?

valent.turkovic at gmail.com
Wed Feb 19 08:19:56 UTC 2014


On Wed, Nov 13, 2013 at 7:29 PM, Przemek Klosowski <przemek.klosowski at nist.gov> wrote:

>  On 11/12/2013 07:47 AM, Miroslav Suchý wrote:
>
>
> 2) if you know that some machines change fingerprint and you *trust it*
> you can do:
>
> ~/.ssh/config:
> Host 192.168.1.1
>     UserKnownHostsFile /dev/null
>
>
> It always bugged me that the choice was to either disable or manually edit
> an obscure file, so I was happy to find that you can delete stale entries
> from commandline:
>
> ssh-keygen -R hostname
>
> Admittedly, this is pretty obscure and I think it would be a better idea
> if SSH directly allowed an override, perhaps like this:
>
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
> Someone could be eavesdropping on you right now (man-in-the-middle attack)!
> It is also possible that the RSA host key has just been changed.
> The fingerprint for the RSA key sent by the remote host is
> 23:00:21:33:d4:0f:95:f1:eb:34:b2:57:cf:3f:2c:e7.
>
> If you think it's safe to override this check, you can connect
> this time [o] or delete the current host key before connecting [O]:
>
>
Yes! This kind of solution would be awesome; any admin who encounters this
more than two times per week (as I do) would love to have an override. I
know where I'm connecting to, and if it is a server then it should NEVER
change, but I'm also connecting to OpenWrt based devices (internet of
things and similar devices) which get updated firmware every so often and,
upon booting up for the first time with new firmware, generate new ssh keys.

I would love to see this, or at least if somebody knows how I can set
this up for myself; this would make me switch back to Fedora as my main admin
machine...
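The thread above revolves around three pieces of client-side state: the entry for a host in known_hosts (possibly stored as a hashed hostname), the fingerprint of the key the warning prints, and what `ssh-keygen -R hostname` removes. The following is an added, stand-alone Python example, not code from the list posters or from OpenSSH, that reproduces that logic on a constructed known_hosts file: it fingerprints a key blob in both the legacy MD5 colon form shown in the quoted warning and the SHA256 form, decides whether a presented key is "ok", "changed" or "unknown" for a host, and drops a host's entries the way `ssh-keygen -R` does. The key blob, the salt and the hostnames are constructed for the example (the blob is not a real key), and the matching is simplified: it handles plain, comma-separated and hashed hostnames but not `[host]:port` forms, wildcards or per-key-type comparison.

```python
"""known_hosts parsing, fingerprints and stale-entry removal (added example;
constructed data, simplified matching, not OpenSSH's implementation)."""
import base64
import hashlib
import hmac
import struct


def md5_fingerprint(blob: bytes) -> str:
    """Legacy fingerprint as printed by older ssh clients: 16 colon-separated hex bytes."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def sha256_fingerprint(blob: bytes) -> str:
    """Modern fingerprint: 'SHA256:' followed by unpadded base64 of the SHA-256 digest."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def hash_hostname(host: str, salt: bytes) -> str:
    """Hashed hostname field (HashKnownHosts yes): |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()


def hostname_matches(field: str, host: str) -> bool:
    """True if a known_hosts hostname field covers `host` (plain, comma-separated or hashed)."""
    if field.startswith("|1|"):
        _, _, salt_b64, _ = field.split("|", 3)
        return hmac.compare_digest(field, hash_hostname(host, base64.b64decode(salt_b64)))
    return host in field.split(",")


def parse_known_hosts(text: str):
    """Return (hostnames, keytype, blob) for each entry; comments, blanks and @markers are handled."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].startswith("@"):  # @cert-authority / @revoked marker precedes the hostnames
            parts = parts[1:]
        if len(parts) < 3:
            continue
        entries.append((parts[0], parts[1], base64.b64decode(parts[2])))
    return entries


def check_host_key(text: str, host: str, blob: bytes) -> str:
    """Reproduce the client's decision: 'ok' (key on file), 'changed' (host known with a
    different key, i.e. the REMOTE HOST IDENTIFICATION HAS CHANGED warning) or 'unknown'."""
    seen = False
    for hosts, _keytype, known in parse_known_hosts(text):
        if hostname_matches(hosts, host):
            seen = True
            if known == blob:
                return "ok"
    return "changed" if seen else "unknown"


def remove_host(text: str, host: str) -> str:
    """Drop every entry covering `host`, as `ssh-keygen -R host` does; other lines are kept verbatim."""
    kept = []
    for line in text.splitlines():
        parts = line.split()
        if parts and not parts[0].startswith("#"):
            field = parts[1] if parts[0].startswith("@") and len(parts) > 1 else parts[0]
            if hostname_matches(field, host):
                continue
        kept.append(line)
    return "\n".join(kept) + ("\n" if kept else "")


def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length prefix plus the bytes."""
    return struct.pack(">I", len(b)) + b


# Constructed inputs for the example. SAMPLE_BLOB has the shape of an ssh-ed25519 public
# key blob but is NOT a real key; SAMPLE_SALT stands in for the 20 random bytes a client uses.
SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_B64 = base64.b64encode(SAMPLE_BLOB).decode()
SAMPLE_SALT = b"\x00" * 20
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts for the example",
    f"192.168.1.1 ssh-ed25519 {SAMPLE_B64}",
    f"{hash_hostname('router.lan', SAMPLE_SALT)} ssh-ed25519 {SAMPLE_B64}",
    f"build.example.org,10.0.0.7 ssh-ed25519 {SAMPLE_B64}",
]) + "\n"


if __name__ == "__main__":
    print("MD5    ", md5_fingerprint(SAMPLE_BLOB))
    print("SHA256 ", sha256_fingerprint(SAMPLE_BLOB))
    new_key = SAMPLE_BLOB[:-1] + b"\x00"  # a reflashed device presenting a different key
    print("router.lan, same key   :", check_host_key(SAMPLE_KNOWN_HOSTS, "router.lan", SAMPLE_BLOB))
    print("router.lan, new key    :", check_host_key(SAMPLE_KNOWN_HOSTS, "router.lan", new_key))
    cleaned = remove_host(SAMPLE_KNOWN_HOSTS, "router.lan")
    print("after ssh-keygen -R    :", check_host_key(cleaned, "router.lan", new_key))
```

Run it directly to see the decision flip from "changed" to "unknown" once the stale entry is removed; that is the difference between `ssh-keygen -R hostname` (forget one host, then re-verify its new key on the next connection) and `UserKnownHostsFile /dev/null`, which never records a key for that host and so never detects a change at all.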

