cURL / Mailing Lists / curl-library / Single Mail


Re: libcurl and libssh2

From: Michael Wood <>
Date: Wed, 14 Oct 2009 10:50:42 +0200

2009/10/14 Xu, Qiang (FXSGSC) <>:
>> -----Original Message-----
>> From:
>> [] On Behalf Of Michael Wood
>> I have never used libcurl's libssh2 support, but according to this:
>> it looks like you can either use
>> CURLOPT_SSH_HOST_PUBLIC_KEY_MD5 to specify the MD5 hash of
>> the remote hosts key, or you can make sure the host key is
>> cached in the .ssh/known_hosts file.
> It seems the host key is already in the file ~/.ssh/known_hosts:
> ==================================================
> ==================================================
> The above is the content of the file, although it seems meaningless to me. :-(

The AAAAB3... part is the key and you can see it is an RSA key.

>> Anyway, you would need to verify that this key is correct,
>> otherwise you would be vulnerable to man in the middle
>> attacks, so maybe libcurl just thinks it's someone else's
>> problem to get the key before telling libcurl to connect to
>> the remote machine.
> How to verify the key is correct? What toolkit shall I use?

Compare it to the public host key file on the server :)

e.g. have a look at /etc/ssh/ (or maybe
/usr/local/etc/ssh... depending on how sshd is installed.)

You can also use ssh-keygen to show you fingerprints instead of the whole key:

On the server:
ssh-keygen -l -f /etc/ssh/

On the client:
ssh-keygen -F -l -f ~/.ssh/known_hosts

Michael Wood <>
List admin:
Received on 2009-10-14