[X2Go-Dev] Feature Request: update ssh public key fingerprint from within x2goclient
John A. Sullivan III
jsullivan at opensourcedevel.com
Fri Feb 17 15:42:59 CET 2012
On Fri, 2012-02-17 at 14:41 +0100, newsgroups.mail2 at stefanbaur.de wrote:
> Hi list,
>
> after swapping a server and trying to connect to it with X2Go,
> x2goclient greets me with
>
> ---------------------------
> Authentification failed
> ---------------------------
> Host key for server changed.
> It is now: xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
> For security reasons, connection will be stopped
> ---------------------------
> OK
> ---------------------------
>
> In the same situation, the NX client would ask if the key should be updated.
>
> I can see that offering such a direct option is a good idea from a
> usability viewpoint, but a bad one from a security viewpoint, as users
> tend to click yes/allow on every popup they see.
>
> The current approach of x2goclient is the total opposite.
>
> A moderately experienced Linux user might figure out that ssh-keygen -R
> <hostip> will help, but to a Windows user, this will be an unsolvable
> mystery.
>
> I would like to suggest adding an option to remove/update the key from
> within the X2Go-Client. However, to avoid "user click-through", it
> should be somewhere in the menu, and the popup message should be amended
> with a note pointing to that menu.
<snip>
That's an interesting compromise :) - John
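
Added example, not part of the original thread and not x2goclient code: one way a menu-driven "update host key" action could resist click-through is to replace the stored key only when the offered key matches a fingerprint the administrator supplied out of band. It assumes the 16-pair fingerprint in the dialog is the colon-separated MD5 form and that known_hosts entries are unhashed; the function names and sample data are hypothetical.

```python
import base64
import hashlib
import hmac


def md5_fingerprint(key_b64):
    """Colon-separated MD5 fingerprint (16 hex pairs) of a base64 public key blob."""
    digest = hashlib.md5(base64.b64decode(key_b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def replace_host_key(known_hosts_text, host, offered_line, trusted_fp):
    """Return updated known_hosts text, or raise if the offered key is not trusted.

    offered_line: "<host> <keytype> <base64>" as presented by the server.
    trusted_fp:   fingerprint obtained out of band (assumption: MD5, colon form).
    """
    _, keytype, key_b64 = offered_line.split()[:3]
    offered_fp = md5_fingerprint(key_b64)
    if not hmac.compare_digest(offered_fp, trusted_fp.strip().lower()):
        raise ValueError("offered key %s does not match trusted fingerprint" % offered_fp)
    kept = []
    for line in known_hosts_text.splitlines():
        fields = line.split()
        # Like ssh-keygen -R: drop every plain-text entry naming this host,
        # keep comments, marker lines and entries for other hosts.
        if (len(fields) >= 3 and not line.startswith(("#", "@"))
                and host in fields[0].split(",")):
            continue
        kept.append(line)
    kept.append("%s %s %s" % (host, keytype, key_b64))
    return "\n".join(kept) + "\n"


# Constructed sample data: the blobs are placeholder bytes, not real SSH keys.
OLD_KEY = base64.b64encode(b"constructed old host key").decode()
NEW_KEY = base64.b64encode(b"constructed new host key").decode()
SAMPLE_KNOWN_HOSTS = (
    "other.example ssh-rsa %s\n"
    "x2go.example,192.0.2.10 ssh-rsa %s\n" % (OLD_KEY, OLD_KEY)
)
OFFERED_LINE = "x2go.example ssh-rsa " + NEW_KEY

if __name__ == "__main__":
    fp = md5_fingerprint(NEW_KEY)  # stands in for the admin-supplied value
    print(replace_host_key(SAMPLE_KNOWN_HOSTS, "x2go.example", OFFERED_LINE, fp))
```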