Github user mike-jumper commented on a diff in the pull request: https://github.com/apache/guacamole-server/pull/164#discussion_r191081186 --- Diff: src/common-ssh/ssh.c --- @@ -518,6 +520,64 @@ guac_common_ssh_session* guac_common_ssh_create_session(guac_client* client, return NULL; } + /* Check known_hosts, start by getting known_hosts file of user running guacd */ + struct passwd *pw = getpwuid(getuid()); + const char *known_hosts = strcat(pw->pw_dir, "/.ssh/known_hosts"); + LIBSSH2_KNOWNHOSTS *ssh_known_hosts = libssh2_knownhost_init(session); + libssh2_knownhost_readfile(ssh_known_hosts, known_hosts, LIBSSH2_KNOWNHOST_FILE_OPENSSH); + --- End diff -- > Okay, I've gone with the approach that known_hosts of the user running guacd will be read and checked against (in addition to any provided host key in the configuration parameters). Any reason behind checking against two sources? If a host key is specified via the connection parameters, shouldn't that override a local `known_hosts` entirely? > Or would you still prefer an explicit enable parameter for checking the known_hosts file at all? What about only checking local `known_hosts` if (1) the host key parameter is not provided and (2) the file exists?
---