Closed GoogleCodeExporter closed 9 years ago
>> * Verify that the criteria for checking entries in known_hosts is correct
and secure. Would it be sin to validate against IP when connecting to a
hostname? Should I be checking (hostname,IP) pair? Should we validate if
the FQDN is a known host? WhdoesOpenSSHdoexactly?
OpenSSH seems to just go with whatever hostname you provide on command-line,
and not
go to lengths to do a name-resolution etc. This seems sensible, really.
So now SSHClient overrides SocketClient's connect(*) methods where the user
directly
provides a hostname, and additionally saves this hostname. This gets passed on
to
TransportProtocol in init(String,Socket). If the hostname is not null, it will
be
used for host key verification; otherwise the socket's
.getRemoteAddress().getHostName() [no other way to gauge user intent, or is
there... hm]
< Note that wherever "hostname" was used might well be an IP address string >
Original comment by shik...@gmail.com
on 16 Aug 2009 at 12:03
>>>
* Verify that hostbased auth works since my testing while implementing was
hackish. Is the API appropriate?
* Verify windowing implementation
<<<
Moving to separate issue, closing this.
Original comment by shik...@gmail.com
on 16 Aug 2009 at 12:12
Original comment by shik...@gmail.com
on 16 Aug 2009 at 12:12
Original issue reported on code.google.com by
shik...@gmail.com
on 26 Jul 2009 at 10:00