No way to enable StrictHostKeyChecking #123

Closed
cinderblock opened this issue Nov 30, 2021 · 5 comments

@cinderblock

I try to ensure my systems' connections are secure. Looking at SSHFS-Win's debug output, I saw "-oStrictHostKeyChecking=no" which specifically enables man-in-the-middle attacks.

Looking at the source code, there seems to be no way to enable it as it is forced off.

Would you consider fixing this security flaw?

IMHO, the default behavior should be to reject bad hosts and have a checkbox to disable host key checking.

@evsar3
Owner

evsar3 commented Dec 17, 2021

As far as I know this option only bypasses the checking of the known_hosts file.

Anyways, gonna include this option on the list of custom params.

@evsar3 evsar3 closed this as completed in 798c768 Dec 17, 2021
@cinderblock
Author

> As far as I know this option only bypasses the checking of the known_hosts file.

Not exactly.

If you have signed host keys, a client can authenticate a host without needing their specific key in known_hosts. Disabling host key checking will also disable this test.

If this flag is set to "yes", ssh will never automatically add host keys to the ~/.ssh/known_hosts

This is a side effect, not the primary use case of disabling host key checking.

More precisely, disabling host key checking is simply a "do not try to authenticate the host", maybe with the assumption that you're already on a secure network.

I'm all for a modal that pops up on connect that says "You've never connected to this host before so we cannot verify its security. Do you trust that this is a secure connection?"

@evsar3
Owner

evsar3 commented Dec 18, 2021

Unfortunately there is no such interface that allows this interaction with the CLI tool. SSHFS-Win runs inside its own shell, which makes manipulation of stdin impossible.

@cinderblock
Author

I'm not following what you're saying.

You could remove these two lines and the connections would be securable. Yes, it might be annoying/difficult to send the "Y" that is needed to tell the underlying ssh to accept the key, but that's a separate issue.

Maybe this is what you're talking about? But I'm rather certain it's easy to manipulate stdin of a subshell. It looks like the code here is already doing this. Am I missing something?

@evsar3
Owner

evsar3 commented Dec 19, 2021

Things are a bit more complicated tho...

The only moment I'm allowed to interact with the SSHFS-Win shell is when it asks for the server password. And that is only allowed with the option password_stdin enabled. In any other moment it totally ignores my inputs.

You can try it by yourself. If you manage to make it happen, I will be very glad to merge your PR.

😁
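
One way a front end could make the trust decision itself rather than depend on the stdin prompt discussed in this thread, as an added example that is not part of the thread or of the project's code: it reads known_hosts, classifies the host, and picks the StrictHostKeyChecking value to pass. The function names, the sample entries and the use of `accept-new` (which needs OpenSSH 7.6 or later) are assumptions.

```javascript
const crypto = require('node:crypto');
// known_hosts stores non-default ports as "[host]:port".
const hostToken = (host, port = 22) => (port === 22 ? host : `[${host}]:${port}`);

// Match a host field: hashed "|1|salt|HMAC-SHA1(host)" or patterns with * ? and ! negation.
function fieldMatches(field, token) {
  if (field.startsWith('|1|')) {
    const [, , salt = '', mac] = field.split('|');
    const hmac = crypto.createHmac('sha1', Buffer.from(salt, 'base64'));
    return hmac.update(token).digest('base64') === mac;
  }
  let hit = false;
  for (const pat of field.split(',')) {
    const neg = pat.startsWith('!');
    const body = (neg ? pat.slice(1) : pat).replace(/[.+^${}()|[\]\\]/g, '\\$&');
    const re = new RegExp('^' + body.replace(/\*/g, '.*').replace(/\?/g, '.') + '$');
    if (!re.test(token)) continue;
    if (neg) return false; // a negated match vetoes the whole field
    hit = true;
  }
  return hit;
}

// 'pinned': a key line names the host; 'ca-trusted': an @cert-authority line covers it
// (signed host keys); 'unknown': ssh would have nothing to verify the host against.
function classifyHost(knownHostsText, host, port = 22) {
  const token = hostToken(host, port);
  let state = 'unknown';
  for (const raw of knownHostsText.split(/\r?\n/)) {
    const parts = raw.trim().split(/\s+/);
    if (!parts[0] || parts[0].startsWith('#')) continue;
    const marker = parts[0].startsWith('@') ? parts.shift() : null;
    if (parts.length < 3 || !fieldMatches(parts[0], token)) continue;
    if (!marker) return 'pinned';
    if (marker === '@cert-authority') state = 'ca-trusted'; // @revoked grants no trust
  }
  return state;
}

// Option for the sshfs/ssh command line, or null when the GUI must ask the user first.
function hostKeyOption(state, { userAcceptedNewHost = false, userDisabledChecking = false } = {}) {
  if (userDisabledChecking) return '-oStrictHostKeyChecking=no'; // explicit opt-out only
  if (state !== 'unknown') return '-oStrictHostKeyChecking=yes';
  return userAcceptedNewHost ? '-oStrictHostKeyChecking=accept-new' : null;
}

// Constructed sample known_hosts (placeholder key blobs, not real keys).
const SAMPLE = `nas.example.test ssh-ed25519 AAAAC3PLACEHOLDER1
[build.example.test]:2222 ssh-ed25519 AAAAC3PLACEHOLDER2
@cert-authority *.corp.example.test,!legacy.corp.example.test ssh-ed25519 AAAAC3PLACEHOLDERCA`;
```

ssh still performs the actual key comparison; the classification only decides whether to launch with `yes`, show a confirmation dialog first, or not connect.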
