Do you have a question? Post it now! No Registration Necessary. Now with pictures!
- Posted on
- Putty: StrictHostKeyChecking
May 25, 2009, 12:37 am
rate this thread
Re: Putty: StrictHostKeyChecking
StrictHostKeyChecking is an OpenSSH-specific configuration option. I'm
assuming that the aspect of its behaviour that you're after in PuTTY
is the automatic acceptance of unknown host keys.
This isn't possible in PuTTY. This entry in the PuTTY FAQ is relevant:
A.2.9 Is there an option to turn off the annoying host key prompts?
No, there isn't. And there won't be. Even if you write it yourself
and send us the patch, we won't accept it.
Those annoying host key prompts are the _whole point_ of SSH.
Without them, all the cryptographic technology SSH uses to secure
your session is doing nothing more than making an attacker's job
slightly harder; instead of sitting between you and the server with
a packet sniffer, the attacker must actually subvert a router and
start modifying the packets going back and forth. But that's not all
that much harder than just sniffing; and without host key checking,
it will go completely undetected by client or server.
Host key checking is your guarantee that the encryption you put on
your data at the client end is the _same_ encryption taken off the
data at the server end; it's your guarantee that it hasn't been
removed and replaced somewhere on the way. Host key checking makes
the attacker's job _astronomically_ hard, compared to packet
sniffing, and even compared to subverting a router. Instead of
applying a little intelligence and keeping an eye on Bugtraq, the
attacker must now perform a brute-force attack against at least one
military-strength cipher. That insignificant host key prompt really
does make _that_ much difference.
If you're having a specific problem with host key checking - perhaps
you want an automated batch job to make use of PSCP or Plink, and
the interactive host key prompt is hanging the batch process - then
the right way to fix it is to add the correct host key to the
Registry in advance. That way, you retain the _important_ feature of
host key checking: the right key will be accepted and the wrong ones
will not. Adding an option to turn host key checking off completely
is the wrong solution and we will not do it.
If you have host keys available in the common known_hosts format, we
have a script called kh2reg.py to convert them to a Windows .REG
file, which can be installed ahead of time by double-clicking or
Re: Putty: StrictHostKeyChecking
Well, the FAQ entry seems to be talking about turning off host key
checking completely, which is *never* an aspect of the behaviour of
StrictHostKeyChecking - a key mismatch will always unconditionally abort
the connection, you don't even get a chance to say "yes".
I.e. even if you have StrictHostKeyChecking=no, the potential attacker
must not "just" subvert a router, he must already have it subverted
*and* target your very first connection to a previously unknown host.
I fully understand how accepting unknown keys at all is a problem, but I
suspect that if the original ssh implementation had required
pre-configured keys, ssh would have remained an exotic technology of
mainly academic interest, instead of becoming the ubiquitous standard
that it is today. Making the equivalent of StrictHostKeyChecking=ask the
default was exactly the right tradeoff decision IMHO.
- » ssh on command line: force using a group size (prime size) of 1024 (and no...
- — Newest thread in » Secure Shell Forum