On Mon, Nov 21, 2011 at 07:44:13PM -0000, Scott Moser wrote:
> I don't think there is enough information to create an ssh known_hosts
> entry from the fingerprint. I've written a blog post at
> http://ubuntu-smoser.blogspot.com/2010/07/verify-ssh-keys-on-ec2-instances.html
> demonstrating how to check the host before connecting.
Ah, nice. This is a reasonable way to handle it for the moment.
> Unfortunately, I don't think we can reasonably ditch the old default
> behavior as many tools have been written to scrape console output looking
> for this formatted string.
Right, I don't mean to ditch the fingerprint report, but instead, allow
one to skip the ssh-keyscan step, and just pull the .pub file directly out
of the console output. i.e. _add_ it to the console output.
--
Kees Cook
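
The check discussed in this message, as an added example that is not part of the original mail or the linked blog post: a fingerprint is a one-way hash, so a known_hosts line can only be produced by fetching the full public key (for example with ssh-keyscan) and accepting it only if its fingerprint matches one read from the console output. It assumes the colon-separated MD5 fingerprint form and `host keytype base64` scan lines; the function names, address and key blobs are constructed for illustration.

```python
import base64
import hashlib


def md5_fingerprint(b64_blob):
    """Colon-separated MD5 of the decoded public key blob."""
    raw = base64.b64decode(b64_blob, validate=True)
    digest = hashlib.md5(raw).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def known_hosts_entries(keyscan_output, console_fingerprints):
    """Return known_hosts lines only for scanned keys whose fingerprint
    matches one obtained out of band from the console output."""
    trusted = {fp.strip().lower() for fp in console_fingerprints}
    accepted = []
    for line in keyscan_output.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue  # skip blanks, comments and malformed lines
        host, keytype, blob = parts[:3]
        try:
            fingerprint = md5_fingerprint(blob)
        except ValueError:
            continue  # not valid base64: never trust it
        if fingerprint in trusted:
            accepted.append(f"{host} {keytype} {blob}")
    return accepted


def sample_blob(seed):
    """Constructed stand-in for a key blob (not a real key)."""
    raw = b"\x00\x00\x00\x07ssh-rsa" + hashlib.sha256(seed).digest()
    return base64.b64encode(raw).decode()


INSTANCE_KEY = sample_blob(b"instance")   # key the instance generated
OTHER_KEY = sample_blob(b"someone-else")  # key served by a different host
CONSOLE_FPS = [md5_fingerprint(INSTANCE_KEY)]  # as read from the console

if __name__ == "__main__":
    scan = (f"203.0.113.10 ssh-rsa {OTHER_KEY}\n"
            f"203.0.113.10 ssh-rsa {INSTANCE_KEY}\n")
    for entry in known_hosts_entries(scan, CONSOLE_FPS):
        print(entry)
```

If the full .pub line were added to the console output as proposed, the scan and the comparison would both be unnecessary, since the key itself would arrive over the trusted channel.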