Re: ssh-hostkey enhancement

[Jacek Wielemborek <wielemborekj1 () gmail com>]

2013/9/21 Patrick Donnelly <batrick () batbytes com>:
> On Fri, Sep 20, 2013 at 3:39 PM, Patrick Donnelly <batrick () batbytes com> wrote:
> > On Thu, Sep 19, 2013 at 5:40 PM, Fyodor <fyodor () nmap org> wrote:
> > > Hi George.  This is a neat feature but my initial thought is that if added
> > > to trunk, it should probably be off by default.  Users who want it could
> > > then set known-hosts.  Then again, if there are folks who would like to
> > > have it on by default, now is a good time to speak up.
> >
> > I told George to write it this way. I can understand hesitation
> > towards reading ~/.ssh/known_hosts. My opinion is that this is a
> > harmless improvement. However, I'm okay with this being turned on by
> > the user although I worry the script's enhanced functionality won't
> > see use as a result.
>
> Another option, possibly in addition to ~/.ssh/known_hosts, is to have
> a persistent ~/.nmap/known_hosts (?) so the user can track changes in
> ssh host keys. This has the benefit of not adding/reading the user's
> known_hosts file while giving Nmap a place to put keys it finds for
> future scans.
>
> --
> Patrick Donnelly
> _______________________________________________
> Sent through the dev mailing list
> http://nmap.org/mailman/listinfo/dev
> Archived at http://seclists.org/nmap-dev/

After reading the Mariusz "mzet" Ziulek's post (
http://seclists.org/nmap-dev/2013/q3/638 ) I just had the thought that
if the feature's going to be disabled by default, it probably somehow
should give the user the hint that it can be turned on. Perhaps a
message in the debug/verbose mode for example? Like when there are no
hosts found, to let the user know that she can possibly expand the
results?
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/