[Resend after 3 hours or so... apologies if the original also arrives]

On Sun, Sep 20, 2009 at 09:38:25AM -0500, Albert Chin wrote:
> On Sat, Sep 19, 2009 at 07:41:27PM +0000, Gary V. Vaughan wrote:
> > On Sat, Sep 19, 2009 at 11:14:35AM -0500, Luke Dashjr wrote:
> > > On Saturday 19 September 2009 10:57:43 am Gary V. Vaughan wrote:
> > > > Now that I think about it, isn't this a bug (tweaking the script
> > > > from my last post slightly)?
> > > 
> > > No. The entire security of SSH/SFTP/SSL comes from having the public
> > > key. If you just trust whatever key it sends, it is vulnerable to
> > > man-in-the-middle attacks.
> > 
> > So I should be passing the public key of the remote host to libcurl,
> > and not the public part of the private key I'm using to authenticate?

And my next point was going to be that known_hosts provides host key
management as defence against MITM attacks, so explicitly requiring
a public key (host key, or the public part of my auth key) still seems
unnecessary.

> All curl should need is the private key and the public key of the host.
> That's all ssh needs.

Agreed.

Cheers,
    Gary
-- 
Gary V. Vaughan ([email protected])
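
The known_hosts check discussed in this message, as an added example that is not part of the original post and is not libcurl's or OpenSSH's code: a stored host key is compared with the key a server presents, and a known host presenting a different key is reported separately from an unknown host. The function names, result names and sample entries are assumptions constructed for illustration; only plain entries are handled (hashed, wildcard and marker lines are skipped).

```c
#include <stdio.h>
#include <string.h>

enum kh_result { KH_MATCH, KH_MISMATCH, KH_MISSING }; /* names are this example's own */

/* Constructed known_hosts content; the key strings are placeholders, not real keys. */
const char SAMPLE_KNOWN_HOSTS[] =
    "# hosts keytype base64-key\n"
    "sftp.example.org,192.0.2.10 ssh-rsa AAAAConstructedKeyA\n"
    "build.example.org ssh-rsa AAAAConstructedKeyB\n";

/* Return 1 if host is one of the comma-separated names in field. */
static int host_listed(const char *field, const char *host) {
    size_t hlen = strlen(host);
    while (*field) {
        size_t n = strcspn(field, ",");
        if (n == hlen && memcmp(field, host, n) == 0) return 1;
        field += n + (field[n] == ',');
    }
    return 0;
}

/* Compare the key a server presented with the entries stored for that host. */
enum kh_result check_host_key(const char *known_hosts, const char *host,
                              const char *keytype, const char *key_b64) {
    enum kh_result res = KH_MISSING;
    const char *line = known_hosts;
    while (*line) {
        char buf[1400], hosts[256], type[32], key[1024];
        size_t llen = strcspn(line, "\n");
        if (llen < sizeof buf) {
            snprintf(buf, sizeof buf, "%.*s", (int)llen, line);
            /* Skip empty lines, comments, hashed (|1|...) and marker (@...) lines. */
            if (!strchr("#|@", buf[0]) &&
                sscanf(buf, "%255s %31s %1023s", hosts, type, key) == 3 &&
                host_listed(hosts, host) && strcmp(type, keytype) == 0) {
                if (strcmp(key, key_b64) == 0) return KH_MATCH;
                res = KH_MISMATCH; /* host is known, but with another key */
            }
        }
        line += llen + (line[llen] == '\n');
    }
    return res;
}

int main(void) {
    printf("%d\n", check_host_key(SAMPLE_KNOWN_HOSTS, "sftp.example.org",
                                  "ssh-rsa", "AAAAConstructedKeyB"));
    return 0;
}
```

A client that treats `KH_MISMATCH` as a hard failure and `KH_MISSING` as a prompt-or-refuse decision gets the MITM protection the thread is discussing without the caller supplying a host key by hand.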
