On 2008-05-26 at 10:12:49, Colin Watson wrote:
> On Wed, May 14, 2008 at 07:13:32PM +0100, martin f krafft wrote:
> > Just an idea without having given it much thought:
> >
> > if there are host key fingerprints in DNS, why not add
> > a configuration option to ssh_config so that I could say:
> >
> > Host foo
> > HostKeyFingerprint 99:11:ed:30:03:41:ff:9f:f3:74:bd:7d:e1:8f:04:44
> >
> > which would then cause even StrictHostKeyChecking to accept the host
> > key into .ssh/known_hosts if the fingerprint matched?
>
> I'm not sure I understand. Why not just add the fingerprint to
> ~/.ssh/known_hosts directly? What does putting it in the configuration
> file gain you?
One way in which this would be helpful is not in the configuration file, but in scripting. All the options in ".ssh/config" can also be used on the command line. If you can write "ssh -o HostKeyFingerprint=foo", then you can securely connect in a script without needing "-o StrictHostKeyChecking=no". This would be enormously valuable as a way to write secure command-line scripts without having to embed a full public key. It would also match the new OpenSSH feature to allow specifying a fingerprint at the prompt.

-- 
brian m. carlson: Houston, Texas, US
OpenPGP: https://keybase.io/bk2204
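An added example, not code from this thread and not an implementation of the proposed HostKeyFingerprint option (the posts present that only as an idea): a Python helper that does what the scripting use case above asks for with the options OpenSSH already has. A script pins a fingerprint, fetches the host key with `ssh-keyscan`, verifies the scanned key against the pin offline, and writes a one-line known_hosts file that `ssh -o UserKnownHostsFile=... -o StrictHostKeyChecking=yes` will accept, so neither `StrictHostKeyChecking=no` nor the full public key has to live in the script. Both the `SHA256:` fingerprint format and the colon-separated MD5 style quoted in the thread are accepted. The host `foo.example.com`, the 32 key bytes and the keyscan line are constructed sample data; against a real host the keyscan line comes from `ssh-keyscan -t ed25519 host`.

```python
import base64
import hashlib
import hmac
import struct
from typing import Tuple


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 big-endian length + payload)."""
    return struct.pack(">I", len(data)) + data


def fingerprint_sha256(key_blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + base64 of sha256(blob), '=' padding removed."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(key_blob: bytes) -> str:
    """Legacy fingerprint: 'MD5:' + colon-separated lowercase hex of md5(blob)."""
    digest = hashlib.md5(key_blob).hexdigest()
    return "MD5:" + ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def parse_keyscan_line(line: str) -> Tuple[str, str, bytes]:
    """Parse one ssh-keyscan output line: 'host keytype base64blob [comment]'.

    The key type named in the text field must match the type embedded in the
    blob, so a line whose fields were edited independently is rejected.
    """
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("not a key line: %r" % line)
    host, keytype, b64 = fields[0], fields[1], fields[2]
    blob = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key type in blob does not match %r" % keytype)
    return host, keytype, blob


def fingerprint_matches(blob: bytes, pinned: str) -> bool:
    """Compare the blob's fingerprint to a pinned 'SHA256:...' or MD5-style string.

    MD5 pins may be given with or without the 'MD5:' prefix and in either case,
    as in the thread's '99:11:ed:...' example. Comparison is constant-time.
    """
    pinned = pinned.strip()
    if pinned.startswith("SHA256:"):
        actual = fingerprint_sha256(blob)
    else:
        if pinned.lower().startswith("md5:"):
            pinned = pinned[4:]
        pinned = "MD5:" + pinned.lower()
        actual = fingerprint_md5(blob)
    return hmac.compare_digest(actual.encode(), pinned.encode())


def pinned_known_hosts_entry(keyscan_line: str, pinned: str) -> str:
    """Return a known_hosts line for the scanned key only if it matches the pin.

    Raises ValueError otherwise, so a script fails closed instead of connecting.
    """
    host, keytype, blob = parse_keyscan_line(keyscan_line)
    if not fingerprint_matches(blob, pinned):
        raise ValueError("host key for %s does not match pinned fingerprint %s" % (host, pinned))
    return "%s %s %s\n" % (host, keytype, base64.b64encode(blob).decode())


# Constructed sample data: a syntactically valid ssh-ed25519 public-key blob with a
# made-up 32-byte public value (fingerprinting does not validate the key itself).
SAMPLE_HOST = "foo.example.com"
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_KEYSCAN_LINE = "%s ssh-ed25519 %s" % (SAMPLE_HOST, base64.b64encode(SAMPLE_BLOB).decode())


if __name__ == "__main__":
    import tempfile

    # In a real script the pin is a constant and the keyscan line comes from
    # `ssh-keyscan -t ed25519 foo.example.com`; here both are the sample above.
    pin = fingerprint_sha256(SAMPLE_BLOB)
    entry = pinned_known_hosts_entry(SAMPLE_KEYSCAN_LINE, pin)
    with tempfile.NamedTemporaryFile("w", suffix=".known_hosts", delete=False) as f:
        f.write(entry)
    print("pinned fingerprint:", pin)
    print("ssh -o UserKnownHostsFile=%s -o StrictHostKeyChecking=yes user@%s" % (f.name, SAMPLE_HOST))
```

The trust in this scheme comes entirely from the pinned fingerprint in the script, not from `ssh-keyscan`, which talks to the network unauthenticated; the helper only turns a matching scan into a known_hosts line that strict checking will accept, and any mismatch or a key type that does not agree with its blob raises before `ssh` is ever invoked. The host name written into the entry must be the one the script passes to `ssh`, since that is what OpenSSH looks up.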