[FEAT] - please support signed host keys #2277
Comments
#771 and the associated #2270 should allow paramiko to at least parse entries in Are you also requesting that paramiko implement the ability to verify the host cert against a CA? Or will the "it will at least parse ok" functionality of #2270 suffice for your needs?
No idea what @harridu's intent was, but I'd like to request that Paramiko implement the ability to verify the host cert against a CA. 😁
Noted. You may consider the feature requested. 😄
Sorry, I should have provided more information right from the start. Paramiko throws an exception if the host key is signed:
To create a signed host key using openssh, please check the various guidelines on the net, e.g. https://www.lorier.net/docs/ssh-ca.html. I have to admit, I have no idea whether this signed host key thing is a standard feature supported by other ssh implementations as well. Paramiko is version 2.12.0, as included in Debian 12. Python is version 3.11.2. Hope this helps.
Hm... as best I understand, signed key creation would be yet another feature... so, a third:
To make sure I understand - are you requesting that paramiko support (3), @harridu? Or were you only describing key creation for context? My two cents... I'm skeptical of whether bitprophet would consider (3) as in-scope for paramiko. I don't think the project is aiming to be a Python interface for the totality of the OpenSSH tool/suite, just the parts dealing with connecting to and communicating with clients/servers.
I would be happy with (2)
Is this feature for paramiko acting as a client or a server?
Client
What functionality does this feature request relate to?
known_hosts
For client-side features, does this relate to a specific type of SSH server?
No response
If you're using paramiko as part of another tool, which tool/version?
No response
Desired behavior
Host keys are very hard to verify. I would guess that nobody really does. To mitigate the problem, openssh supports signed host keys. Apparently paramiko throws an internal error if the peer's host key is signed. At least dput-ng (the Debian package based upon paramiko) does.
It would be very nice if paramiko could support signed host keys as well.
Anything else?
No response
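For context on the known_hosts side of this request, here is an added example (not Paramiko's code and not part of the original issue): a small Python reader for OpenSSH's known_hosts format that returns the `@cert-authority` keys trusted for a given hostname. The sample file contents, placeholder key blobs and function names are constructed for illustration; hashed hostnames and the certificate signature check itself are out of scope.

```python
import re

# Constructed sample known_hosts content; key blobs are placeholders, not real keys.
SAMPLE_KNOWN_HOSTS = """\
# comment line
@cert-authority *.example.com,!legacy.example.com ssh-ed25519 AAAAC3PLACEHOLDERCA host-ca
@revoked * ssh-ed25519 AAAAC3PLACEHOLDERREVOKED
[git.example.com]:2222 ssh-ed25519 AAAAC3PLACEHOLDERPLAIN
"""

def _pattern_to_regex(pattern):
    # known_hosts patterns use only '*' and '?'; brackets are literal ([host]:port),
    # so fnmatch (which treats '[...]' as a character class) is not suitable.
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern]
    return re.compile("".join(parts) + r"\Z", re.IGNORECASE)

def host_matches(hostname, patterns):
    """True if a non-negated pattern matches and no '!'-negated pattern does."""
    matched = False
    for pat in patterns.split(","):
        negated = pat.startswith("!")
        if _pattern_to_regex(pat[1:] if negated else pat).match(hostname):
            if negated:
                return False  # an explicit negation always wins
            matched = True
    return matched

def parse_known_hosts(text):
    """Yield (marker, patterns, keytype, key_b64) per entry; marker may be None."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        marker = fields.pop(0) if fields[0].startswith("@") else None
        if marker not in (None, "@cert-authority", "@revoked") or len(fields) < 3:
            continue  # unknown marker or malformed line: skip rather than trust
        yield marker, fields[0], fields[1], fields[2]

def trusted_cas(text, hostname):
    """CA keys allowed to sign host certificates for hostname, minus revoked keys."""
    entries = list(parse_known_hosts(text))
    # Simplification chosen for this example: a revoked key is rejected for every host.
    revoked = {(kt, key) for m, _, kt, key in entries if m == "@revoked"}
    return [(kt, key) for m, pats, kt, key in entries
            if m == "@cert-authority" and host_matches(hostname, pats)
            and (kt, key) not in revoked]
```

Selecting the CA key is only the lookup half; a client that trusts host certificates must still validate the certificate's signature, principals and validity period against that key.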