CURLOPT_SSH_HOST_PUBLIC_KEY_MD5 broken with libssh #4971
Handling the CURLOPT_SSH_HOST_PUBLIC_KEY_MD5 option (also exposed in the curl command-line tool with --hostpubmd5) is hopelessly broken when compiled with libssh (as opposed to libssh2, where it does function as documented).
Thank you, very speedy!
In the interim I was using a quick copy-paste job from
It's probably not worth any further effort. While CURLOPT_SSH_HOST_PUBLIC_KEY_MD5 technically functions now, it's still practically pointless. Most ssh servers have multiple host keys, and the libcurl developer has no influence over which one will be picked for verification here. For my same test server, libssh verifies against the fingerprint of the
Then again I only ever ended up experimenting with this because of #4972, when for an extended time I couldn't figure out why I cannot make the verification fail on one of my test systems through the file I set as CURLOPT_SSH_KNOWNHOSTS, and was panicking it wasn't doing the verification at all. Turned out it was actually doing the verification, only ignoring my KNOWNHOSTS setting, and picking up the OpenSSH configuration instead… But that's the other report.
I don't know the etiquette on whether I should choose the "Close" button myself now, so I'm leaving it as is, but I do consider this bug report fixed & closed. Thank you!
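The multiple-host-key point in the comment above, as an added example that is not part of the thread or of curl's code: each host key a server offers has its own MD5 fingerprint, so a single 32-hex-digit pin can only match one key type. The helper names are hypothetical and the two sample keys are constructed filler bytes, not real keys; the fingerprint is the MD5 of the base64-decoded key blob, printed as 32 hex digits.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire-format string: uint32 big-endian length, then bytes."""
    return struct.pack(">I", len(data)) + data


def blob_key_type(blob: bytes) -> str:
    """Read the key type name stored as the first SSH string in a key blob."""
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if n == 0 or 4 + n > len(blob):
        raise ValueError("bad key type length")
    return blob[4:4 + n].decode("ascii")


def md5_pins(pub_lines):
    """Map key type -> 32 hex digit MD5 of the raw key blob."""
    pins = {}
    for line in pub_lines:
        fields = line.split()
        if len(fields) < 2:
            raise ValueError("expected '<type> <base64>'")
        declared, blob = fields[0], base64.b64decode(fields[1], validate=True)
        # Reject lines whose label disagrees with the type inside the blob.
        if blob_key_type(blob) != declared:
            raise ValueError("declared type does not match key blob")
        pins[declared] = hashlib.md5(blob).hexdigest()
    return pins


def constructed_pub_line(key_type: str, filler: bytes) -> str:
    """Build a structurally valid but fake '<type> <base64>' line."""
    blob = ssh_string(key_type.encode()) + ssh_string(filler)
    return f"{key_type} {base64.b64encode(blob).decode()} constructed-key"


# Constructed sample: two host keys of one server (filler bytes, not real keys).
SAMPLE = [
    constructed_pub_line("ssh-rsa", b"\x01" * 64),
    constructed_pub_line("ssh-ed25519", b"\x02" * 32),
]

if __name__ == "__main__":
    for key_type, pin in md5_pins(SAMPLE).items():
        print(f"{key_type:12} {pin}")
```

Fed the server's real `<type> <base64>` public key lines, this lists one candidate pin per key type, which makes it visible which of them a given build actually verifies against.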
Thanks for that additional information. I agree it's rather complicated. I do not have a libssh build and I'm not familiar enough with the SSH code to have a strong opinion. We can leave this open for feedback. I've since updated the libssh check to more closely match the one in libssh2 and pushed those changes to the PR, if you could try that.