GNOME Bugzilla – Bug 723167
curlsftpsink: allow remote host authentication by public key fingerprint
Last modified: 2014-05-20 06:58:35 UTC
The proposed patch makes it possible to authenticate a remote host by its public key MD5-hash, a quite usual scenario. This possibility is missing at the moment, a 'known_hosts' file being needed.
Created attachment 267407
Make use of libcurl option: CURLOPT_SSH_HOST_PUBLIC_KEY_MD5
Comment on attachment 267407
Make use of libcurl option: CURLOPT_SSH_HOST_PUBLIC_KEY_MD5

Looks good but why (only) MD5?
> Looks good but why (only) MD5?

libcurl has no support for other types of hashes (at least in the context of SSH keys):
http://curl.haxx.se/libcurl/c/curl_easy_setopt.html (see section: "SSH OPTIONS")

Besides, MD5 is the typical hash used by the OpenSSH ssh & sftp clients, for example:

    # ssh johndoe@dh6 <ENTER>
    The authenticity of host 'dh6(192.168.0.196)' can't be established.
    RSA key fingerprint is d2:75:e8:fd:4b:fb:a7:2c:a0:81:1a:cd:dd:03:db:c7.
    Are you sure you want to continue connecting (yes/no)?

In fact, after a quick check of "man ssh", I think MD5 is the only type of hash that these clients (ssh, sftp) can present to the user.
commit 9c1e66302dde3fd904a83f62d29b8390d6341392
Author: L. Sorin <sorin@axis.com>
Date: Tue Jan 28 14:04:11 2014 +0100

    curlsftpsink: authenticate remote host via public key fingerprint

    Expose one more libcurl option: CURLOPT_SSH_HOST_PUBLIC_KEY_MD5.
    This allows authenticating the server by the MD5 fingerprint of the
    server's public key.

    https://bugzilla.gnome.org/show_bug.cgi?id=723167
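Added example, not part of the bug thread or the attached patch: CURLOPT_SSH_HOST_PUBLIC_KEY_MD5 takes the fingerprint as a string of 32 hexadecimal digits, while the ssh prompt quoted in the thread shows it as colon-separated bytes. The sketch below converts one form to the other and rejects anything malformed, so a mistyped pin fails up front instead of silently never matching the host; the function name is hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Convert a colon-separated MD5 host-key fingerprint, as shown in the ssh
 * prompt above (an optional "MD5:" prefix is also accepted), into the
 * 32 hex digits that CURLOPT_SSH_HOST_PUBLIC_KEY_MD5 takes.
 * out must hold 33 bytes. Returns 0 on success, -1 on malformed input.
 * The function name is hypothetical, not from the patch. */
int fingerprint_to_curl_md5(const char *fp, char out[33])
{
    size_t n = 0;    /* hex digits written so far */
    int in_pair = 0; /* hex digits seen in the current byte: 0, 1 or 2 */

    if (fp == NULL || out == NULL)
        return -1;
    if (strncmp(fp, "MD5:", 4) == 0)
        fp += 4;
    for (; *fp != '\0'; fp++) {
        unsigned char c = (unsigned char)*fp;
        if (c == ':') {
            if (in_pair != 2)   /* colon only between complete bytes */
                return -1;
            in_pair = 0;
        } else if (isxdigit(c)) {
            if (in_pair == 2 || n >= 32) /* missing colon or too long */
                return -1;
            out[n++] = (char)tolower(c);
            in_pair++;
        } else {
            return -1;          /* whitespace, "SHA256:" text, etc. */
        }
    }
    if (n != 32 || in_pair != 2) /* short input or trailing colon */
        return -1;
    out[32] = '\0';
    return 0;
}

int main(void)
{
    /* Fingerprint copied from the ssh session quoted in the thread. */
    const char *shown = "d2:75:e8:fd:4b:fb:a7:2c:a0:81:1a:cd:dd:03:db:c7";
    char hex[33];

    if (fingerprint_to_curl_md5(shown, hex) != 0)
        return 1;
    /* hex is what an application would hand to
     * curl_easy_setopt(curl, CURLOPT_SSH_HOST_PUBLIC_KEY_MD5, hex). */
    printf("%s\n", hex);
    return 0;
}
```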