On Thu, 7 May 2009, Simon Josefsson wrote:
>> And I also want to be able to update a host in the known_host file
>> when the key has changed and the user okays this.
>
> Maybe that isn't a good idea, it trains users to just-click-yes to make
> things work. I don't think OpenSSH has any mechanism to replace hostkeys in
> the known_hosts file? Maybe that is because of the just-click-yes concern.
Uhm, right. It actually does do that. I'll have to think through my use-case a
little more...
> OpenSSH offers a mechanism to configure it not to fail for incorrect keys for
> a particular host, though. Maybe libssh2 could support that? I think it
> should still warn, though.
Well, we have a few challenges related to this:
A) known_hosts is an OpenSSH file; we don't have any generic or even libssh2-
specific way to specify known hosts. Thus a normal application has no
trusted hosts at all...
B) we already have an API that doesn't care about host keys and similar, and
since we don't want to break them we can't really do much in regards to
host checks unless the app explicitly asks for it. The API I'm adding now is
100% opt-in and won't stand in the way at all if the app simply decides
that checking for known_hosts is boring.
The libssh2_knownhost_check() function will of course tell the app if the host
is new, has a new key or is already known but the app decides how to deal with
that.
-- / daniel.haxx.se
Received on 2009-05-07
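As an added illustration (my own code, not libssh2's or the list's): a minimal check of a plain-hostname known_hosts list that returns the three outcomes Daniel describes (known, key changed, new host), plus the application-side policy that treats a changed key as a hard refusal rather than a prompt. The kh_* names, the enum and the sample file contents are assumptions; the real library entry point the message names is libssh2_knownhost_check().

```c
#include <stdio.h>
#include <string.h>
/* The three outcomes the message lists: known, key changed, new host (names are mine). */
enum kh_result { KH_MATCH, KH_MISMATCH, KH_NOTFOUND };

/* Constructed sample in OpenSSH known_hosts layout; the key blobs are placeholders. */
static const char SAMPLE_KNOWN_HOSTS[] =
    "# constructed sample known_hosts\n"
    "example.com ssh-rsa AAAAB3NzaC1yc2EAAAAconstructedKeyA\n"
    "other.example ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructedKeyB\n";

/* Scan "host keytype key" lines for host+keytype. Plain hostnames only; hashed,
 * wildcard and comma-separated entries (which OpenSSH allows) are not handled. */
enum kh_result kh_check(const char *known_hosts, const char *host,
                        const char *keytype, const char *key)
{
    enum kh_result res = KH_NOTFOUND;
    const char *p = known_hosts;
    while (*p) {
        char line[1400], h[256], t[64], k[1024];
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len < sizeof line) {
            memcpy(line, p, len); line[len] = '\0';
            /* field widths keep sscanf inside the buffers; '#' lines are comments */
            if (line[0] != '#' && sscanf(line, "%255s %63s %1023s", h, t, k) == 3 &&
                strcmp(h, host) == 0 && strcmp(t, keytype) == 0) {
                if (strcmp(k, key) == 0)
                    return KH_MATCH;
                res = KH_MISMATCH; /* same host and key type, different key */
            }
        }
        if (!nl) break;
        p = nl + 1;
    }
    return res;
}

/* The decision libssh2 leaves to the application: a changed key is refused outright
 * (no "click yes to replace" path); unknown hosts follow the caller's TOFU setting. */
int kh_should_connect(enum kh_result r, int trust_new_hosts)
{
    return r == KH_MATCH ? 1 : r == KH_NOTFOUND ? trust_new_hosts : 0;
}

int main(void)
{   /* demo: a changed key for example.com must be refused */
    enum kh_result r = kh_check(SAMPLE_KNOWN_HOSTS, "example.com", "ssh-rsa", "AAAAchangedKey");
    printf("%s\n", kh_should_connect(r, 1) ? "connect" : "refuse");
    return 0;
}
```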