#23 How to host key fingerprint when connecting

open
nobody
sftp (2)
1
2023-01-29
2017-12-03
Jack Dodds
No

Is there a way to check the key fingerprint of the SFTP server before entering the user's password? When connecting to an SFTP server that has been used before, does Ghost Commander check that the key fingerprint is the same as in previous sessions? I don't see a way to do these things, but without them, there is no defence against man-in-the-middle attacks. If there's a way to do it, even a kludge, I'd like to know about it.

If the capability does not exist already, it could be added in the "Connect to SSH FTP" dialog. When the dialog is first displayed, the "Password" field could be hidden. When the user presses "OK", the key fingerprint could be displayed. If it is unchanged from the previous session, the "Password" field could then be displayed. If the site is new or the key fingerprint has changed since the last session, the user could be asked to press "OK", then the "Password" field could be displayed.

Thanks for Ghost Commander!

I am using Ghost Commander 1.54.1b1 with SFTP Plugin 1.13.1.

Discussion

  • zc2

    zc2 - 2017-12-03

    Thank you for a good suggestion. I guess I will start with showing the
    fingerprint.

  • Jack Dodds

    Jack Dodds - 2017-12-03

    Hello zc2 - It would be GREAT if you could show the server key fingerprint even if that is all that you do. It would be best to show it BEFORE the password is entered by the user, so that the user can verify the connection to the server is secure before they enter the password.

  • zc2

    zc2 - 2017-12-04

    Please give the latest beta versions a try. You need both SFTP plugin and the application.

  • Jack Dodds

    Jack Dodds - 2017-12-05

    Hello zc2

    I tried it and it seems to work. I'm using an Asus TF700t running Cyanogenmod 11 which is Android 4.4.4 IIRC.

    Thank you for doing this.

  • Jack Dodds

    Jack Dodds - 2023-01-27

    Hello zc2

    I'm using the latest release now and the key fingerprint display seems to no longer be implemented. I notice that there's no longer a separate SFTP plugin - maybe the key fingerprint display got lost in the shuffle.

    Can we have this back? I'd be willing to put some time into creating the code for a version that also remembers "known hosts" (like command line ssh) but would need some help getting familiar with the code.

  • zc2

    zc2 - 2023-01-27

    Hello Jack,
    For a while I was keeping two different versions of the SFTP client which used different underlying SSH libraries. The one I finally merged with the app shows prompts that the SSH library pushes from the server, so I just show it as it comes. I will think about how I could prepend it with a fingerprint.
    I believe the known_hosts feature is already implemented. What were the symptoms that made you conclude that it does not?
    If you want to learn the code, I'd be glad to help and answer questions you may have. We could have a Zoom screen sharing meeting if you want to.

  • Jack Dodds

    Jack Dodds - 2023-01-27

    Hello zc2,

    Thanks for your quick reply!

    My mistake - you are correct - known_hosts is implemented. I thought it was not because I went to an SFTP server that I thought I had not visited before and did not get a "The authenticity of host *** can't be established" message. Looks like I had in fact visited that host previously so it was a "known_host", hence no message. I confirmed this by uninstalling and reinstalling Ghost Commander - then I was shown the message on my first access. I recognize the message text - looks like you are using the OpenSSH library.

    A security conscious user might like to be able to display the "known_host" key fingerprints for manual verification - when I get some time maybe I can look at how that could be done.

    Thanks again for Ghost Commander!
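The check this thread is about (a first connection shows a fingerprint and asks the user to confirm it, a repeat connection is compared against known_hosts, and a changed key is the man-in-the-middle case that must stop the password from being sent) is small enough to show end to end. The Python below is an added example for this page, not Ghost Commander's or OpenSSH's code; it uses only the standard library. The key blobs, hostnames and salt are constructed for illustration, and the parser skips the `@` marker lines (`@cert-authority`, `@revoked`) that a real client must honour.

```python
"""Host-key checking the way command-line ssh does it with known_hosts.
Added example for this thread; not Ghost Commander code."""
import base64
import hashlib
import hmac

NEW, KNOWN, MISMATCH = "new", "known", "mismatch"


def fingerprints(key_blob: bytes) -> dict:
    """Return the fingerprints OpenSSH prints for a raw public-key blob.
    SHA256 form: base64 of the digest with '=' padding stripped.
    MD5 form: colon-separated hex, as older clients showed it."""
    sha = base64.b64encode(hashlib.sha256(key_blob).digest()).decode().rstrip("=")
    md5 = hashlib.md5(key_blob).hexdigest()
    return {
        "sha256": "SHA256:" + sha,
        "md5": "MD5:" + ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
    }


def hashed_host_entry(hostname: str, salt: bytes) -> str:
    """Hostname column of a hashed known_hosts line (HashKnownHosts yes):
    |1|b64(salt)|b64(HMAC-SHA1(key=salt, msg=hostname))."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_field_matches(field: str, hostname: str) -> bool:
    """Match the first known_hosts column (plain, comma-separated or hashed)."""
    if field.startswith("|1|"):
        _, _, salt_b64, _mac_b64 = field.split("|", 3)
        salt = base64.b64decode(salt_b64)
        return hmac.compare_digest(hashed_host_entry(hostname, salt), field)
    return hostname in field.split(",")


def parse_known_hosts(text: str):
    """Yield (host_field, key_type, key_blob) for each usable line.
    '@' marker lines are skipped here to keep the example short."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        yield parts[0], parts[1], base64.b64decode(parts[2])


def check_host(known_hosts: str, hostname: str, key_type: str, presented_blob: bytes) -> str:
    """Classify the key the server just presented.
    KNOWN    -> same key as a previous session: safe to ask for the password.
    NEW      -> never seen: show the fingerprint and ask the user to confirm
                it out of band (the "authenticity ... can't be established" prompt).
    MISMATCH -> host is in known_hosts with a different key of this type:
                refuse to continue; this is the man-in-the-middle case.
    Simplification: an entry with a different key type is neither a match
    nor a mismatch, so the host is treated as NEW for that type."""
    seen_this_type = False
    for host_field, ktype, blob in parse_known_hosts(known_hosts):
        if ktype != key_type or not host_field_matches(host_field, hostname):
            continue
        seen_this_type = True
        if hmac.compare_digest(blob, presented_blob):
            return KNOWN
    return MISMATCH if seen_this_type else NEW


def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return len(b).to_bytes(4, "big") + b


# Constructed keys: wire-format ed25519 blobs with made-up 32-byte points,
# not keys from any real server.
SERVER_KEY = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
OTHER_KEY = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(32))

# Constructed known_hosts: one plain entry and one hashed entry.
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed for the example",
    "files.example.test ssh-ed25519 " + base64.b64encode(SERVER_KEY).decode(),
    hashed_host_entry("backup.example.test", b"\x2a" * 20)
    + " ssh-ed25519 " + base64.b64encode(SERVER_KEY).decode(),
])

if __name__ == "__main__":
    fp = fingerprints(SERVER_KEY)
    print("server key:", fp["sha256"], fp["md5"])
    for host, key in [("files.example.test", SERVER_KEY),   # known
                      ("backup.example.test", SERVER_KEY),  # known via hashed entry
                      ("new.example.test", SERVER_KEY),     # new: show fingerprint first
                      ("files.example.test", OTHER_KEY)]:   # mismatch: do not send password
        print(host, "->", check_host(SAMPLE_KNOWN_HOSTS, host, "ssh-ed25519", key))
```

The order of the two checks matters for the point raised in the first post: `check_host` has to run, and its result be shown to the user, before the client ever prompts for a password, because a MISMATCH result is only useful if the credential has not yet left the device.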

    • zc2

      zc2 - 2023-01-29

      Host fingerprint is now displayed when a password is asked. Please give it a try.

  • Jack Dodds

    Jack Dodds - 2023-01-29

    OK - tried it - it works! Thanks!

    I'd like to simulate a MITM attack (server presents a key that is NOT the one in known_hosts) to see what that looks like to the user. Will take me a while - I don't set up SSH keys often enough to remember the key setup procedure without looking at the docs.
