Hi friends,
I would like to make it harder to do SCP/SFTP transfers with libcurl against
unverified hosts. I mean setups when the server is unverified to be the
correct target. To verify an SSH host, you typically use a known hosts file or
a known publickey for the host.
For example, we could *require* one of those fields set to consider the host
verified and fail the transfer otherwise - and perhaps use a magic knownhosts
file name (like "[insecure]") to signal that doing an unverified connection is
ok. This is still to be determined.
I'm curious to learn more from people who do SCP or SFTP transfers with
libcurl to hear what you think about this problem and what possible fixes we
can do to improve the situation.
--
/ daniel.haxx.se || https://rock-solid.curl.dev
--
Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-library
Etiquette: https://curl.se/mail/etiquette.html
