Home |
Licence |
FAQ |
Docs |
Download |
Keys |
Links
Mirrors |
Updates |
Feedback |
Changes |
Wishlist |
Team
When people want to run PuTTY tools in a batch-mode context, and find
the host key verification to be inconvenient, we've always told them
to add the right host key to the registry ahead of time, rather than
asking us for an option to accept
any old key or bodging a similar thing using expect
-type
tools.
However, in some contexts this actually can't be done, because the Windows registry isn't accessible in the environment where PuTTY needs to run. So it would be useful to be able to specify the expected host key in a different way, e.g. with a command-line option.
Another use for the same facility is in the case where a round-robin DNS name points at multiple servers with different host keys, and the user wants to connect to the round-robin name and accept any of the host keys that might come back. We've generally advised people in this situation to try to arrange for all the servers to have the same host key (on the basis that if the servers are so interchangeable that it doesn't matter which one you connect to, then they must be in the same trust domain anyway and so there's no security risk introduced by each of them being able to spoof the others' SSH connections), but of course not every user is also the sysadmin of their servers, so some people will have to live with different host keys. Those users will also find PuTTY's standard host key policy to be unhelpful, and would probably find it more useful to be able to specify a list of host keys to be accepted.
2014-09-09: now implemented both a -hostkey
command line option and a matching GUI configuration mechanism. You
can enter either an SSH key fingerprint or an SSH-2 base64-encoded
blob. If enabled, this option completely replaces the automated host
key management – the registry host key store will be neither
consulted nor updated.
Audit trail for this wish.