Subject: Re: known_hosts [early PATCH]

Re: known_hosts [early PATCH]

From: Simon Josefsson <simon_at_josefsson.org>
Date: Thu, 07 May 2009 10:38:21 +0200

Daniel Stenberg <daniel_at_haxx.se> writes:

>> OpenSSH offer a mechanism to configure it to not fail for incorrect keys for
>> a particular hosts, though. Maybe libssh2 could support that? I think it
>> should still warn, though.
>
> Well, we have a few challanges related this:
>
> A) known_hosts is a OpenSSH file, we don't have any generic or even libssh2-
> specific way to specify known hosts. Thus a normal application has no
> trusted hosts at all...
>
> B) we already have an API that doesn't care about host keys and similar and
> since we don't want to break them we can't really do much in regards to
> host checks unless the app explictly asks for it. The API I'm adding now is
> 100% opt-in and won't stand in the way at all if the app simply decides
> that checking for known_hosts is boring.
>
> The libssh2_knownhost_check() function will of course tell the app if the host
> is new, has a new key or is already known but the app decides how to deal with
> that.

That sounds better to me -- keep that logic in the application. Libssh2
can provide helper functions, but doesn't have to check it inernally.

/Simon

------------------------------------------------------------------------------
The NEW KODAK i700 Series Scanners deliver under ANY circumstances! Your
production scanning environment may not be a perfect world - but thanks to
Kodak, there's a perfect scanner to get the job done! With the NEW KODAK i700
Series Scanner you'll get full speed at 300 dpi even with all image
processing features enabled. http://p.sf.net/sfu/kodak-com
_______________________________________________
libssh2-devel mailing list
libssh2-devel_at_lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/libssh2-devel
Received on 2009-05-07