I've noticed that in OpenSSH 2.3.0 when I connect to a new server or to
one on which the host key has changed, it warns me that the key is unknown
or changed, but doesn't show me the host key fingerprint so I can verify
it. This goes for both protocols 1 (RSA host key) and 2 (DSA host key). I
remember that older versions used to display a warning and the
fingerprint and ask if I still wanted to connect (yes/no).

I'm considering submitting a bug report for this, since upon connection to
an unknown host the fingerprint is not displayed, and if
StrictHostKeyChecking is off, the new key is -automatically- added to the
known hosts file without any prompting (and password authentication is
allowed without warning). (If StrictHostKeyChecking is on, all access to
the host is denied without a known hosts entry.)

Please let me know if I'm missing an option which turns display of
fingerprint & prompting on. Though, even if there is, I think it should be
on by default... let advanced users turn it off rather than the other way
around.

Noam Sturmwind
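
Added example, not part of the original message and not OpenSSH code: a way to compute the fingerprint of a protocol 2 style known_hosts entry yourself and compare it with one obtained out of band from the server's administrator. The function names and the sample entry are constructed for illustration; protocol 1 RSA entries use a different line format and are not handled.

```python
import base64
import hashlib
import hmac
import struct

def constructed_line(host, material, key_type="ssh-dss"):
    """Build a CONSTRUCTED sample entry; the blob is not a real DSA key."""
    name = key_type.encode()
    blob = struct.pack(">I", len(name)) + name + material
    return f"{host} {key_type} {base64.b64encode(blob).decode()}"

def parse_known_hosts_line(line):
    """Return (hosts, key_type, key_blob) for a protocol 2 style entry."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("expected: hosts key-type base64-key [comment]")
    hosts, key_type, b64 = fields[:3]
    blob = base64.b64decode(b64, validate=True)
    # The blob begins with a length-prefixed copy of the key type; a mismatch
    # means the entry is corrupt or was edited by hand.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type does not match key blob")
    return hosts.split(","), key_type, blob

def fingerprints(blob):
    """MD5 colon-hex and SHA256 base64 fingerprints of the raw key blob."""
    md5 = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"md5": ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
            "sha256": "SHA256:" + sha}

def matches_trusted(line, trusted_fp):
    """True only if the entry's key matches a fingerprint obtained out of band."""
    fps = fingerprints(parse_known_hosts_line(line)[2])
    trusted = trusted_fp.strip()
    if trusted.startswith("SHA256:"):
        return hmac.compare_digest(fps["sha256"], trusted)
    if trusted.upper().startswith("MD5:"):
        trusted = trusted[4:]
    return hmac.compare_digest(fps["md5"], trusted.lower())

if __name__ == "__main__":
    line = constructed_line("host.example.org", b"constructed-key-material-A")
    print(fingerprints(parse_known_hosts_line(line)[2]))
```

Running this over an entry that was added automatically shows which key was actually accepted, so it can be checked against the trusted fingerprint before the entry is relied on.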
