Re: Putty: StrictHostKeyChecking



In article <lek*NBVHs@xxxxxxxxxxxxxxxxxxxxxxxxxxx> Jacob Nevins
<jacobn@xxxxxxxxxxxxxxxxxxxxxx> writes:
> mk_gecko@xxxxxxxxx writes:
>> How do I set StrictHostKeyChecking=no when I use Putty? Do I have to
>> load Cygwin and run SSH to do this?
>
> StrictHostKeyChecking is an OpenSSH-specific configuration option. I'm
> assuming that the aspect of its behaviour that you're after in PuTTY
> is the automatic acceptance of unknown host keys.
>
> This isn't possible in PuTTY. This entry in the PuTTY FAQ is relevant:

Well, the FAQ entry seems to be talking about turning off host key
checking completely, which is *never* an aspect of the behaviour of
StrictHostKeyChecking - a key mismatch will always unconditionally abort
the connection, you don't even get a chance to say "yes".

I.e. even if you have StrictHostKeyChecking=no, the potential attacker
must not "just" subvert a router, he must already have it subverted
*and* target your very first connection to a previously unknown host.

I fully understand how accepting unknown keys at all is a problem, but I
suspect that if the original ssh implementation had required
pre-configured keys, ssh would have remained an exotic technology of
mainly academic interest, instead of becoming the ubiquitous standard
that it is today. Making the equivalent of StrictHostKeyChecking=ask the
default was exactly the right tradeoff decision IMHO.

--Per Hedeland
per@xxxxxxxxxxxx