mirror of https://git.tartarus.org/simon/putty.git synced 2025-01-25 01:02:24 +00:00

Add a rant to the FAQ about host key checking. I'm _sick_ of people
implementing a command line option to disable it and expecting us to
cheerfully accept the patch.

[originally from svn r1382]
Simon Tatham 2001-11-13 23:13:07 +00:00
parent 085c31e3a4
commit 89b429e9d9

@ -101,6 +101,41 @@ authentication, which is more flexible and more secure. See
\k{pubkey} in the documentation for a full discussion of public key
authentication.
\S{faq-hostkeys} Is there an option to turn off the annoying host
key prompts?
No, there isn't. And there won't be. Even if you write it yourself
and send us the patch, we won't accept it.
Those annoying host key prompts are the \e{whole point} of SSH.
Without them, all the cryptographic technology SSH uses to secure
your session is doing nothing more than making an attacker's job
slightly harder; instead of sitting between you and the server with
a packet sniffer, the attacker must actually subvert a router and
start modifying the packets going back and forth. But that's not all
that much harder than just sniffing; and without host key checking,
it will go completely undetected by client or server.
Host key checking is your guarantee that the encryption you put on
your data at the client end is the \e{same} encryption taken off the
data at the server end; it's your guarantee that it hasn't been
removed and replaced somewhere on the way. Host key checking makes
the attacker's job \e{astronomically} hard, compared to packet
sniffing, and even compared to subverting a router. Instead of
applying a little intelligence and keeping an eye on Bugtraq, the
attacker must now perform a brute-force attack against at least one
military-strength cipher. That insignificant host key prompt really
does make \e{that} much difference.
If you're having a specific problem with host key checking - perhaps
you want an automated batch job to make use of PSCP or Plink, and
the interactive host key prompt is hanging the batch process - then
the right way to fix it is to add the correct host key to the
Registry in advance. That way, you retain the \e{important} feature
of host key checking: the right key will be accepted and the wrong
ones will not. Adding an option to turn host key checking off
completely is the wrong solution and we will not do it.
\S{faq-server} Will you write an SSH server for the PuTTY suite, to
go with the client?
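
Review bot: The last paragraph of the new \S{faq-hostkeys} section tells users whose PSCP or Plink batch jobs hang on the prompt to "add the correct host key to the Registry in advance", but gives neither the procedure nor a cross-reference, whereas the context paragraph just above the addition points readers to \k{pubkey}. Suggest adding a \k{...} link to wherever the manual documents host key storage, plus one sentence saying the key should be verified out of band before it is pre-loaded, since pre-seeding an unverified key gives up the check this section is defending. Minor wording point in the third paragraph: "brute-force attack against at least one military-strength cipher" would be more precise if it referred to the server's host key, because what the attacker would have to defeat to impersonate the server is the public-key algorithm behind that key rather than the session cipher.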