Github user mike-jumper commented on a diff in the pull request:

    https://github.com/apache/guacamole-server/pull/164#discussion_r191081186
  
    --- Diff: src/common-ssh/ssh.c ---
    @@ -518,6 +520,64 @@ guac_common_ssh_session* 
guac_common_ssh_create_session(guac_client* client,
             return NULL;
         }
     
    +    /* Check known_hosts, start by getting known_hosts file of user 
running guacd */
    +    struct passwd *pw = getpwuid(getuid());
    +    const char *known_hosts = strcat(pw->pw_dir, "/.ssh/known_hosts");
    +    LIBSSH2_KNOWNHOSTS *ssh_known_hosts = libssh2_knownhost_init(session);
    +    libssh2_knownhost_readfile(ssh_known_hosts, known_hosts, 
LIBSSH2_KNOWNHOST_FILE_OPENSSH);
    +
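    Review bot: `strcat(pw->pw_dir, "/.ssh/known_hosts")` appends in place to the `pw_dir` string inside the `struct passwd` returned by `getpwuid()`. This code does not own that storage, and it is not sized for the extra bytes, so the call can write past the end of that buffer. `pw` is also dereferenced without a NULL check. Build the path in a separate buffer with a bounded call such as `snprintf()` after checking `pw`, and check the results of `libssh2_knownhost_init()` and `libssh2_knownhost_readfile()` before `ssh_known_hosts` is used, since neither is tested in the lines shown.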
    --- End diff --
    
    > Okay, I've gone with the approach that known_hosts of the user running guacd will be read and checked against (in addition to any provided host key in the configuration parameters).
    
    Any reason behind checking against two sources? If a host key is specified via the connection parameters, shouldn't that override a local `known_hosts` entirely?
    
    > Or would you still prefer an explicit enable parameter for checking the known_hosts file at all?
    
    What about only checking local `known_hosts` if (1) the host key parameter is not provided and (2) the file exists?

