2009/10/14 Xu, Qiang (FXSGSC) <[email protected]>:
>> -----Original Message-----
>> From: [email protected]
>> [mailto:[email protected]] On Behalf Of Michael Wood
[...]
>> I have never used libcurl's libssh2 support, but according to this:
>>
>> http://curl.haxx.se/libcurl/c/curl_easy_setopt.html#SSH
>>
>> it looks like you can either use
>> CURLOPT_SSH_HOST_PUBLIC_KEY_MD5 to specify the MD5 hash of
>> the remote hosts key, or you can make sure the host key is
>> cached in the .ssh/known_hosts file.
>
> It seems the host key is already in the file ~/.ssh/known_hosts:
> ==================================================
> 13.198.98.190 ssh-rsa
> AAAAB3NzaC1yc2EAAAABIwAAAQEAqmvaJxoMOyeNAW5HPPP8OJtqOX2bBg
[...]
> ==================================================
> The above is the content of the file, although it seems meaningless to me. :-(

The AAAAB3... part is the key and you can see it is an RSA key.

>> Anyway, you would need to verify that this key is correct,
>> otherwise you would be vulnerable to man in the middle
>> attacks, so maybe libcurl just thinks it's someone else's
>> problem to get the key before telling libcurl to connect to
>> the remote machine.
>
> How to verify the key is correct? What toolkit shall I use?

Compare it to the public host key file on the server :)

e.g. have a look at /etc/ssh/ssh_host_rsa_key.pub (or maybe
/usr/local/etc/ssh... depending on how sshd is installed.)

You can also use ssh-keygen to show you fingerprints instead of the whole key:

On the server:
ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub

On the client:
ssh-keygen -F 13.198.98.190 -l -f ~/.ssh/known_hosts

-- 
Michael Wood <[email protected]>
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
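The comparison discussed in the message above, as an added example that is not part of the original thread: it decodes a known_hosts entry, checks the key type embedded in the blob, and derives the MD5 fingerprint both as the colon-separated form and as the 32 hex digits CURLOPT_SSH_HOST_PUBLIC_KEY_MD5 takes. The host 192.0.2.10 and the key blob are constructed sample values, and the function names are this example's own.

```python
import base64
import hashlib
import hmac
import struct

def ssh_string(data):
    """Encode bytes as an SSH wire string: 4-byte big-endian length + data."""
    return struct.pack(">I", len(data)) + data

# Constructed sample blob (not a real host key): type, exponent 0x23, dummy modulus.
SAMPLE_BLOB = (ssh_string(b"ssh-rsa") + ssh_string(b"\x23")
               + ssh_string(b"\x00" + bytes(range(1, 33))))
SAMPLE_LINE = "192.0.2.10 ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode("ascii")

def parse_known_hosts_line(line):
    """Split one plain (unhashed, no @marker) line into (hosts, key_type, blob)."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("expected: hosts key-type base64-key")
    hosts, key_type, b64 = fields[:3]
    blob = base64.b64decode(b64, validate=True)
    # The decoded blob begins with its own length-prefixed key type, which is
    # why every RSA entry starts with "AAAAB3NzaC1yc2E".
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode("ascii"):
        raise ValueError("key type inside the blob does not match the line")
    return hosts.split(","), key_type, blob

def md5_hex(blob):
    """MD5 over the raw key blob, as 32 lowercase hex digits."""
    return hashlib.md5(blob).hexdigest()

def colon_fingerprint(blob):
    """The same digest in colon-separated byte pairs."""
    h = md5_hex(blob)
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def host_key_matches(line, host, trusted_fingerprint):
    """True if the entry is for `host` and its key hashes to the trusted
    fingerprint (obtained out of band, e.g. read on the server itself)."""
    hosts, _, blob = parse_known_hosts_line(line)
    wanted = trusted_fingerprint.replace(":", "").lower()
    return host in hosts and hmac.compare_digest(md5_hex(blob), wanted)

if __name__ == "__main__":
    print(colon_fingerprint(SAMPLE_BLOB))
    print(host_key_matches(SAMPLE_LINE, "192.0.2.10", colon_fingerprint(SAMPLE_BLOB)))
```

Current OpenSSH releases print SHA256 fingerprints by default, so ssh-keygen needs -E md5 to produce the form compared here.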
