PuTTY wish hostkey-policy

This is a mirror. The primary PuTTY web site can be found here.

Home | Licence | FAQ | Docs | Download | Keys | Links
Mirrors | Updates | Feedback | Changes | Wishlist | Team

summary: Enhanced flexibility in SSH host key selection policy
class: wish: This is a request for an enhancement.
difficulty: tricky: Needs many tuits.
priority: medium: This should be fixed one day.

PuTTY's SSH-2 host key selection policy currently involves a fixed preference order of RSA then DSA. I occasionally think it would be good to add a preference list to tweak the policy, either to put DSA first (if you're really mad) or to move DSA to below the "warn below this line" line.

When there's a choice of host keys available for a host, perhaps PuTTY should adjust its stated preferences so that the ones it already has cached come first. Need to think about that a bit. At the very least, when a new host key prompt is given, PuTTY should mention if it already has host keys for a host in other formats - particularly important when the default protocol changes to SSH-2, or a server that previously offered DSS keys starts supporting RSA too.

Finally, there's currently undesirable behaviour in PSFTP if you click "accept once" on a host key at startup and then leave the connection open for long enough to trigger a rekey timeout: since the host key has only been accepted once, PSFTP puts up the confirmation message again, in the middle of a command-line session, which is pretty nasty. Certainly at the very least we should treat "accept once" on a host key to mean accept for the whole of a session rather than for a single KEX; additionally, we probably ought to think about some sort of sensible behaviour if the host key we initially accepted has disappeared by rekey time.

Audit trail for this wish.


If you want to comment on this web site, see the Feedback page.
(last revision of this bug record was at 2008-06-01 14:56:29 +0100)