luo980/curl
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

CURLOPT_SSH_KNOWNHOSTS.md: strongly recommend using this

Browse Source 
Make setopt fail for SSH backends not supporting knownhosts or pub md5

Closes #16204
This commit is contained in:
Daniel Stenberg 2025-02-06 11:09:06 +01:00
parent 58674865fe
commit 3f7f180901
No known key found for this signature in database
GPG Key ID: 5CC908FDB71E12C2
2 changed files with 11 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
docs/libcurl/opts/CURLOPT_SSH_KNOWNHOSTS.md
View File

@ -7,6 +7,7 @@ Source: libcurl
See-also: See-also:
- CURLOPT_SSH_AUTH_TYPES (3) - CURLOPT_SSH_AUTH_TYPES (3)
- CURLOPT_SSH_HOST_PUBLIC_KEY_MD5 (3) - CURLOPT_SSH_HOST_PUBLIC_KEY_MD5 (3)
- CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256 (3)
Protocol: Protocol:
- SFTP - SFTP
- SCP - SCP
@ -29,10 +30,14 @@ CURLcode curl_easy_setopt(CURL *handle, CURLOPT_SSH_KNOWNHOSTS, char *fname);
Pass a pointer to a null-terminated string holding the filename of the Pass a pointer to a null-terminated string holding the filename of the
known_host file to use. The known_hosts file should use the OpenSSH file known_host file to use. The known_hosts file should use the OpenSSH file
format as supported by libssh2. If this file is specified, libcurl only format. If this file is specified, libcurl only accepts connections with hosts
accepts connections with hosts that are known and present in that file, with a that are known and present in that file, with a matching public key. Use
matching public key. Use CURLOPT_SSH_KEYFUNCTION(3) to alter the default CURLOPT_SSH_KEYFUNCTION(3) to alter the default behavior on host and key
behavior on host and key matches and mismatches. matches and mismatches.
We strongly suggest users doing SCP or SFTP transfers to set this option to
make sure that the network communication is done with the intended server and
not an impostor.
The application does not have to keep the string around after setting this The application does not have to keep the string around after setting this
option. option.

3
lib/setopt.c
View File

@ -2425,6 +2425,7 @@ static CURLcode setopt_cptr(struct Curl_easy *data, CURLoption option,
*/ */
return Curl_setstropt(&data->set.str[STRING_SSH_PRIVATE_KEY], ptr); return Curl_setstropt(&data->set.str[STRING_SSH_PRIVATE_KEY], ptr);
#if defined(USE_LIBSSH2) || defined(USE_LIBSSH)
case CURLOPT_SSH_HOST_PUBLIC_KEY_MD5: case CURLOPT_SSH_HOST_PUBLIC_KEY_MD5:
/* /*
* Option to allow for the MD5 of the host public key to be checked * Option to allow for the MD5 of the host public key to be checked
@ -2437,7 +2438,7 @@ static CURLcode setopt_cptr(struct Curl_easy *data, CURLoption option,
* Store the filename to read known hosts from. * Store the filename to read known hosts from.
*/ */
return Curl_setstropt(&data->set.str[STRING_SSH_KNOWNHOSTS], ptr); return Curl_setstropt(&data->set.str[STRING_SSH_KNOWNHOSTS], ptr);
#endif
case CURLOPT_SSH_KEYDATA: case CURLOPT_SSH_KEYDATA:
/* /*
* Custom client data to pass to the SSH keyfunc callback * Custom client data to pass to the SSH keyfunc callback