Question about HostKeyVerification #839
There is code to verify the HostKey. Why is this needed when you have What happens if we turn off the trans.getConfig().isVerifyHostKeyCertificates(), do we also turn off the HostKeyVerifications registered in The server I am connecting to is using VerifyHostKeyDNS and this does not seem supported. Thanks for any response.
Replies: 1 comment 2 replies
No, this does not verify the host key itself (which could be a certificate!), but rather whether we trust the signature on the certificate if the host key is a certificate.

It could be for instance that you've added the (certificate) host key to your known_hosts, but at a certain moment in time the certificate becomes revoked, the signing CA gets breached and retracts the root certificate, etc. It adds a layer of security.

The HostKeyVerifier just checks whether the host key is known, by checking a hardcoded/configured fingerprint, looking at your known_hosts file, or just blindly accepting all.
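The two layers the reply describes, wired up in sshj, as an added example that is not from this thread or from the sshj project. It uses sshj's public SSHClient/DefaultConfig API; the setVerifyHostKeyCertificates setter name is assumed from the isVerifyHostKeyCertificates getter mentioned in the question, and the host name and SHA256 fingerprint are constructed placeholders.

```java
// Added example (not sshj's own code): the two independent host-key checks.
//   Layer 1 - HostKeyVerifier: is this host key (or certificate) one we already know?
//   Layer 2 - verifyHostKeyCertificates: if the host key is a certificate, is the
//             CA signature on it trusted? Turning layer 2 off does not affect layer 1.
import java.io.IOException;

import net.schmizz.sshj.DefaultConfig;
import net.schmizz.sshj.SSHClient;
import net.schmizz.sshj.transport.verification.PromiscuousVerifier;

public class HostKeyLayersExample {

    public static void main(String[] args) throws IOException {
        DefaultConfig config = new DefaultConfig();
        // Layer 2: keep certificate-signature checking on. Assumed setter name,
        // paired with the isVerifyHostKeyCertificates() getter from the question.
        config.setVerifyHostKeyCertificates(true);

        SSHClient ssh = new SSHClient(config);

        // Weak setting (layer 1 disabled in practice): PromiscuousVerifier returns
        // true for any key, so a man-in-the-middle presenting its own key is accepted.
        // ssh.addHostKeyVerifier(new PromiscuousVerifier());

        // Corrected setting: consult ~/.ssh/known_hosts (including @cert-authority
        // lines) and pin an explicit fingerprint. sshj accepts the key if any
        // registered verifier accepts it, so register only verifiers you trust.
        ssh.loadKnownHosts();
        ssh.addHostKeyVerifier(
            // Constructed placeholder; replace with the server's real SHA256 fingerprint.
            "SHA256:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");

        try {
            // Hypothetical host; connect() throws if no verifier accepts the host key.
            ssh.connect("ssh.example.com", 22);
            System.out.println("host key accepted by a registered HostKeyVerifier");
        } finally {
            ssh.disconnect();
        }
    }
}
```

If you set verifyHostKeyCertificates to false, the registered HostKeyVerifiers still run; what you lose is only the check that a certificate host key carries a valid signature from a trusted CA, which is exactly the revocation/CA-compromise case the reply above mentions.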