cURL / Mailing Lists / curl-library / Single Mail


RE: libcurl and libssh2

From: Xu, Qiang (FXSGSC) <>
Date: Wed, 14 Oct 2009 16:24:47 +0800

> -----Original Message-----
> From:
> [] On Behalf Of Michael Wood
> Sent: Wednesday, October 14, 2009 4:03 PM
> To: libcurl development
> Subject: Re: libcurl and libssh2
> I have never used libcurl's libssh2 support, but according to this:
> it looks like you can either use
> CURLOPT_SSH_HOST_PUBLIC_KEY_MD5 to specify the MD5 hash of
> the remote hosts key, or you can make sure the host key is
> cached in the .ssh/known_hosts file.

It seems the host key is already in the file ~/.ssh/known_hosts:
================================================== ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAqmvaJxoMOyeNAW5HPPP8OJtqOX2bBg
durian ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAqmvaJxoMOyeNAW5HPPP8OJtqOX2bBg84NjFHn
The above is the content of the file, although it seems meaningless to me. :-(
> To get the key into the known_hosts files, you can just try
> to run the ssh command line tool to connect to the remote
> machine. It does not seem like there is a way to do it from
> within libcurl, but maybe I am wrong.
> Anyway, you would need to verify that this key is correct,
> otherwise you would be vulnerable to man in the middle
> attacks, so maybe libcurl just thinks it's someone else's
> problem to get the key before telling libcurl to connect to
> the remote machine.

How to verify the key is correct? What toolkit shall I use?

Xu Qiang
List admin:
Received on 2009-10-14