From: bug#18967 <18967@debbugs.gnu.org>
To: bug#18967 <18967@debbugs.gnu.org>
Subject: Status: Tramp disables important SSH security features
Date: Fri, 15 Aug 2025 19:49:00 +0000

retitle 18967 Tramp disables important SSH security features
reassign 18967 emacs
submitter 18967 Daniel Colascione
severity 18967 normal
tag 18967 security
thanks


From: Daniel Colascione
To: bug-emacs
Subject: Tramp disables important SSH security features
Date: Thu, 06 Nov 2014 00:47:40 +0000

Tramp disables SSH host key checks by setting
GlobalKnownHostsFile=/dev/null, UserKnownHostsFile=/dev/null, and
StrictHostKeyChecking=no in its default method configuration. These
settings allow attackers to intercept connections to remote hosts, sniff
passwords, and cause other mischief. I don't think we should ship an
insecure configuration.

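The three options named in the report above can be looked for in the ssh command lines that a wrapper tool generates. The following is an added example, not code from Tramp or from any participant in this thread: a Python auditor that parses an ssh argv the way getopt would and reports which host-key settings are switched off. The sample command lines are constructed, and the set of values treated as "off" for StrictHostKeyChecking is an assumption about current OpenSSH (the report itself names only "no").

```python
import shlex

# ssh(1) flags that consume an argument, taken from the ssh(1) synopsis.
FLAGS_WITH_ARG = set("BbcDEeFIiJLlmOoPpQRSWw")

# Assumption: values OpenSSH treats as "do not check" for StrictHostKeyChecking.
STRICT_OFF = {"no", "off", "false"}


def split_option(text):
    """Split one -o argument, 'Key=Value' or 'Key Value', into (key, value).

    Keywords are case-insensitive in ssh_config(5), so the key is lower-cased.
    """
    text = text.strip()
    for i, ch in enumerate(text):
        if ch == "=" or ch.isspace():
            value = text[i + 1:].lstrip(" \t=").strip().strip('"')
            return text[:i].lower(), value
    return text.lower(), ""


def collect_options(argv):
    """Return {option: value} for the -o options of an ssh argv.

    The first value seen for an option wins, as ssh_config(5) describes.
    Parsing stops at the remote command, so a '-o' that belongs to the
    command run on the remote side is not mistaken for an ssh option.
    """
    opts = {}
    seen_destination = False
    args = iter(argv[1:])
    for tok in args:
        if tok == "--":
            break
        if not tok.startswith("-") or tok == "-":
            if seen_destination:
                break                      # first word of the remote command
            seen_destination = True        # ssh accepts options after the host too
            continue
        cluster = tok[1:]                  # e.g. "vo" in "-vo"
        for pos, flag in enumerate(cluster):
            if flag not in FLAGS_WITH_ARG:
                continue
            value = cluster[pos + 1:] or next(args, "")
            if flag == "o":
                key, val = split_option(value)
                opts.setdefault(key, val)
            break
    return opts


def is_null_file_list(value):
    """True when every listed known-hosts file is /dev/null."""
    files = value.split()
    return bool(files) and all(f == "/dev/null" for f in files)


def audit(command_line):
    """Return the names of host-key options that the command line disables."""
    opts = collect_options(shlex.split(command_line))
    findings = []
    if opts.get("stricthostkeychecking", "").lower() in STRICT_OFF:
        findings.append("StrictHostKeyChecking")
    for name in ("UserKnownHostsFile", "GlobalKnownHostsFile"):
        if is_null_file_list(opts.get(name.lower(), "")):
            findings.append(name)
    return findings


# Constructed sample command lines (not captured from Tramp).
SAMPLES = [
    "ssh -o GlobalKnownHostsFile=/dev/null -o UserKnownHostsFile=/dev/null "
    "-o StrictHostKeyChecking=no -p 12345 localhost",
    "ssh -l alice -p 22 host.example.org",
    "ssh -o StrictHostKeyChecking=yes -o StrictHostKeyChecking=no host.example.org",
    "ssh host.example.org grep -o StrictHostKeyChecking=no notes.txt",
    'ssh -vo "stricthostkeychecking no" -oUserKnownHostsFile=/dev/null host.example.org',
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(audit(line) or "ok", "<-", line)
```
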

From: Glenn Morris
Subject: control message for bug 18967
Date: Wed, 05 Nov 2014 20:08:54 -0500

tag 18967 security


From: Ted Zlatanov
To: Daniel Colascione
Cc: 18967@debbugs.gnu.org
Subject: Re: bug#18967: Tramp disables important SSH security features
Date: Thu, 06 Nov 2014 07:05:40 -0500

On Thu, 06 Nov 2014 00:47:40 +0000 Daniel Colascione wrote:

DC> Tramp disables SSH host key checks by setting
DC> GlobalKnownHostsFile=/dev/null, UserKnownHostsFile=/dev/null, and
DC> StrictHostKeyChecking=no in its default method configuration. These
DC> settings allow attackers to intercept connections to remote hosts, sniff
DC> passwords, and cause other mischief. I don't think we should ship an
DC> insecure configuration.

I think the alternatives are something like what Ansible does:
http://www.ansible.com/blog/2014/01/15/ssh-connection-upgrades-coming-in-ansible-1-5
or a SSH client library as a FFI.

SSH, when called externally, has many failure modes without those
options.

Ted


From: Daniel Colascione
To: Ted Zlatanov
Cc: 18967@debbugs.gnu.org
Subject: Re: bug#18967: Tramp disables important SSH security features
Date: Thu, 06 Nov 2014 16:58:24 +0000

On 11/06/2014 12:05 PM, Ted Zlatanov wrote:
> On Thu, 06 Nov 2014 00:47:40 +0000 Daniel Colascione wrote:
>
> DC> Tramp disables SSH host key checks by setting
> DC> GlobalKnownHostsFile=/dev/null, UserKnownHostsFile=/dev/null, and
> DC> StrictHostKeyChecking=no in its default method configuration. These
> DC> settings allow attackers to intercept connections to remote hosts, sniff
> DC> passwords, and cause other mischief. I don't think we should ship an
> DC> insecure configuration.
>
> I think the alternatives are something like what Ansible does:
> http://www.ansible.com/blog/2014/01/15/ssh-connection-upgrades-coming-in-ansible-1-5
> or a SSH client library as a FFI.
> SSH, when called externally, has many
> failure modes without those options.

So let it fail. Since when is it okay to trade diminished security for
improved reliability?


From: Ted Zlatanov
To: Daniel Colascione
Cc: 18967@debbugs.gnu.org
Subject: Re: bug#18967: Tramp disables important SSH security features
Date: Thu, 06 Nov 2014 15:59:18 -0500

On Thu, 06 Nov 2014 16:58:24 +0000 Daniel Colascione wrote:

DC> On 11/06/2014 12:05 PM, Ted Zlatanov wrote:
>> On Thu, 06 Nov 2014 00:47:40 +0000 Daniel Colascione wrote:
>>
DC> Tramp disables SSH host key checks by setting
DC> GlobalKnownHostsFile=/dev/null, UserKnownHostsFile=/dev/null, and
DC> StrictHostKeyChecking=no in its default method configuration. These
DC> settings allow attackers to intercept connections to remote hosts, sniff
DC> passwords, and cause other mischief. I don't think we should ship an
DC> insecure configuration.
>>
>> I think the alternatives are something like what Ansible does:
>> http://www.ansible.com/blog/2014/01/15/ssh-connection-upgrades-coming-in-ansible-1-5
>> or a SSH client library as a FFI.
>> SSH, when called externally, has many failure modes without those
>> options.

DC> So let it fail.

You can discuss that with the users and the maintainers and Michael
Albinus. I was certainly not recommending a course of action.

DC> Since when is it okay to trade diminished security for improved
DC> reliability?

Happiness comes from within?

Ted


From: Stefan Monnier
To: Daniel Colascione
Cc: Ted Zlatanov, 18967@debbugs.gnu.org
Subject: Re: bug#18967: Tramp disables important SSH security features
Date: Thu, 06 Nov 2014 18:39:49 -0500

> So let it fail.

Agreed. But I think the difficulty is in making Tramp fail cleanly
(as opposed to hang, for example).

Stefan "who has similar issues with the connection-sharing defaults"


From: Michael Albinus
To: Stefan Monnier
Cc: Ted Zlatanov, Daniel Colascione, 18967@debbugs.gnu.org
Subject: Re: bug#18967: Tramp disables important SSH security features
Date: Fri, 07 Nov 2014 08:56:00 +0100

Stefan Monnier writes:

>> So let it fail.
>
> Agreed. But I think the difficulty is in making Tramp fail cleanly
> (as opposed to hang, for example).

Indeed, and this was the reason for the current settings. I will recheck
whether we could do it differently; but do not expect results in a day
or two. There are several bug reports about Tramp I'm faced with, and
due to local restrictions my progress is slow.

> Stefan "who has similar issues with the connection-sharing defaults"

Yes, that might be revisited as well.

Best regards, Michael.


From: Glenn Morris
To: Michael Albinus
Cc: Ted Zlatanov, 18967@debbugs.gnu.org, Daniel Colascione, Stefan Monnier
Subject: Re: bug#18967: Tramp disables important SSH security features
Date: Mon, 12 Dec 2016 20:12:39 -0500

Hi Michael - is there any update on this issue?


From: Michael Albinus
To: Glenn Morris
Cc: 18967@debbugs.gnu.org, Daniel Colascione, Ted Zlatanov, Stefan Monnier
Subject: Re: bug#18967: Tramp disables important SSH security features
Date: Tue, 13 Dec 2016 09:36:06 +0100

Glenn Morris writes:

> Hi Michael - is there any update on this issue?

Hi Glenn,

no update, I've stalled this issue. And I'm still undecided how to
change it w/o damaging Tramp functionality.

Best regards, Michael.

From debbugs-submit-bounces@debbugs.gnu.org Tue Dec 13 15:04:58 2016 Received: (at 18967) by debbugs.gnu.org; 13 Dec 2016 20:04:58 +0000 Received: from localhost ([127.0.0.1]:41065 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1cGtJp-00078A-TD for submit@debbugs.gnu.org; Tue, 13 Dec 2016 15:04:58 -0500 Received: from eggs.gnu.org ([208.118.235.92]:44590) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1cGtJn-00077y-Sk for 18967@debbugs.gnu.org; Tue, 13 Dec 2016 15:04:56 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cGtJh-0000D8-Np for 18967@debbugs.gnu.org; Tue, 13 Dec 2016 15:04:50 -0500 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org X-Spam-Level: X-Spam-Status: No, score=-3.6 required=5.0 tests=BAYES_05,RP_MATCHES_RCVD autolearn=disabled version=3.3.2 Received: from fencepost.gnu.org ([2001:4830:134:3::e]:50378) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cGtJe-0000CM-Ln; Tue, 13 Dec 2016 15:04:46 -0500 Received: from rgm by fencepost.gnu.org with local (Exim 4.82) (envelope-from ) id 1cGtJd-0004GH-Tm; Tue, 13 Dec 2016 15:04:46 -0500 From: Glenn Morris To: Michael Albinus Subject: Re: bug#18967: Tramp disables important SSH security features References: <545AC52C.1090807@dancol.org> <874muczg8b.fsf@lifelogs.com> <545BA8B0.8060107@dancol.org> <87wq77igvj.fsf@gmx.de> <871sxcbpiw.fsf@fencepost.gnu.org> <8737hs5iq1.fsf@gmx.de> X-Spook: Burst condor Bletchley Park 22nd SAS Nerve agent Mysql X-Ran: %1(U\o&pAkIgzX8eryi_}KN4[RhPmNUq5[LmA,Pu!;*U8Ds5wUUT8GN(F~:DbV>tw~+c3H X-Hue: white X-Debbugs-No-Ack: yes X-Attribution: GM Date: Tue, 13 Dec 2016 15:04:45 -0500 In-Reply-To: <8737hs5iq1.fsf@gmx.de> (Michael Albinus's message of "Tue, 13 Dec 2016 09:36:06 +0100") Message-ID: User-Agent: Gnus (www.gnus.org), GNU Emacs (www.gnu.org/software/emacs/) MIME-Version: 1.0 Content-Type: text/plain X-detected-operating-system: by 
eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-Received-From: 2001:4830:134:3::e X-Spam-Score: -8.1 (--------) X-Debbugs-Envelope-To: 18967 Cc: 18967@debbugs.gnu.org, Daniel Colascione , Ted Zlatanov , Stefan Monnier X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -8.1 (--------) How about ssh -o BatchMode=yes ? IIUC, this causes ssh to fail with an error, instead of eg asking "Are you sure you want to continue connecting" and waiting forever. (But it also seems to me that it is not Tramp's job to work around difficulties a user might be having with SSH, and that eg an occasional hang is preferable to changing things to be less secure that SSH's default). From debbugs-submit-bounces@debbugs.gnu.org Sun Dec 18 03:51:47 2016 Received: (at 18967) by debbugs.gnu.org; 18 Dec 2016 08:51:48 +0000 Received: from localhost ([127.0.0.1]:45442 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1cIXC7-0002Ep-PB for submit@debbugs.gnu.org; Sun, 18 Dec 2016 03:51:47 -0500 Received: from mout.gmx.net ([212.227.17.22]:60648) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1cIXC6-0002EY-2D for 18967@debbugs.gnu.org; Sun, 18 Dec 2016 03:51:46 -0500 Received: from detlef.gmx.de ([93.197.215.59]) by mail.gmx.com (mrgmx102 [212.227.17.168]) with ESMTPSA (Nemesis) id 0M8axL-1cVXnm2wvj-00wEVw; Sun, 18 Dec 2016 09:51:21 +0100 From: Michael Albinus To: Glenn Morris Subject: Re: bug#18967: Tramp disables important SSH security features References: <545AC52C.1090807@dancol.org> <874muczg8b.fsf@lifelogs.com> <545BA8B0.8060107@dancol.org> <87wq77igvj.fsf@gmx.de> <871sxcbpiw.fsf@fencepost.gnu.org> <8737hs5iq1.fsf@gmx.de> Date: Sun, 18 Dec 2016 09:51:18 +0100 In-Reply-To: (Glenn Morris's message of "Tue, 13 Dec 2016 15:04:45 -0500") 

Glenn Morris writes:

> How about
>
>   ssh -o BatchMode=yes

No, BatchMode suppresses the password dialogue. Not applicable.

And looking at the code I really don't see what can be done. Note that
GlobalKnownHostsFile, UserKnownHostsFile and StrictHostKeyChecking are
not disabled by default.
They are disabled only in case a so-called gateway is used, like
"/tunnel:proxyhost#3128|ssh:remotehost:/path/to/file". Tramp will create
a temporary httpd tunnel then, with a random port number on the
localhost, like localhost#12345.

If you connect to remotehost as above, there will be an internal ssh
connection to localhost#12345, which is the tunnel through proxyhost. If
you connect to another.remotehost afterwards, the same internal ssh
target will be used. But remotehost and another.remotehost are
different, and so are their host keys. That's why Tramp must be
instructed to ignore the host keys in this very special case.

See also (info "(tramp) Gateway methods")

Best regards, Michael.

From: Glenn Morris
To: Michael Albinus
Subject: Re: bug#18967: Tramp disables important SSH security features
Date: Mon, 19 Dec 2016 12:02:01 -0500

Thanks for explaining the issue. It sounds to me like closing this as
wontfix would be appropriate.

From: Michael Albinus
To: Glenn Morris
Subject: Re: bug#18967: Tramp disables important SSH security features
Date: Mon, 19 Dec 2016 19:37:50 +0100

Glenn Morris writes:

Hi Glenn,

> Thanks for explaining the issue. It sounds to me like closing this as
> wontfix would be appropriate.

Perhaps.

I have some plans for a while to obsolete tramp-gw.el. When I wrote it
back in 2007, it was the only possibility to have an own implementation
of HTTP CONNECT tunneling.

Meanwhile, putty supports HTTP CONNECT natively. And with ssh, one could
use a ProxyCommand based on "nc -X connect ...". No need for Tramp to
implement it itself anymore.

This would perform much better than my implementation in
tramp-gw.el. And this bug would disappear automatically.

So let's keep this bug as reminder. And I will see, whether I could
document these settings in the Tramp manual. There are some free days
next two weeks, isn't it the Xmas break?

Best regards, Michael.
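
The contrast drawn in the two messages above (host key options disabled for the gateway tunnel versus an ssh ProxyCommand), as an added example that is not code from Tramp or from this thread. The function names, the `/dev/null` and `no` values, and the `-x proxyhost:3128` form of the `nc` call are assumptions; `proxyhost`, `remotehost` and the port numbers are the thread's own placeholders.

```shell
#!/bin/sh
# Added example. Reads ssh_config-style text or `ssh -G <host>` output on stdin
# and prints one "WEAK key=value" line per setting that disables host key
# verification. Exit status is 1 if anything was flagged, 0 otherwise.
audit_hostkey_opts() {
    awk '
    {
        line = $0
        gsub(/^[ \t]+|[ \t]+$/, "", line)         # strip indentation and trailing blanks
        if (line == "" || line ~ /^#/) next       # skip blank lines and comments
        sub(/[ \t]*=[ \t]*|[ \t]+/, " ", line)    # accept "Key=Value" and "Key Value"
        n = index(line, " ")
        if (n == 0) next
        key = tolower(substr(line, 1, n - 1))     # ssh keywords are case-insensitive
        val = tolower(substr(line, n + 1))
        weak = 0
        # no, off and false are all treated as disabling spellings
        if (key == "stricthostkeychecking" && val ~ /^(no|off|false)$/) weak = 1
        # assumption: a known-hosts file is "disabled" by pointing it at /dev/null
        if (key ~ /^(user|global)knownhostsfile$/ && val == "/dev/null") weak = 1
        if (weak) { print "WEAK " key "=" val; bad = 1 }
    }
    END { exit bad + 0 }'
}

# Constructed sample: the gateway case, where the ssh target is the local end
# of the tunnel and the three options named in the thread are switched off.
gateway_style_config() {
cat <<'EOF'
Host localhost
    Port 12345
    GlobalKnownHostsFile=/dev/null
    UserKnownHostsFile /dev/null
    StrictHostKeyChecking no
EOF
}

# Constructed sample: the ProxyCommand alternative. ssh still looks the key up
# under the name "remotehost", so host key checking can stay enabled.
proxycommand_config() {
cat <<'EOF'
Host remotehost
    ProxyCommand nc -X connect -x proxyhost:3128 %h %p
    StrictHostKeyChecking yes
EOF
}

gateway_style_config | audit_hostkey_opts || true   # three WEAK lines
proxycommand_config  | audit_hostkey_opts           # no findings
```

The same function can be fed `ssh -G remotehost` to audit the effective client configuration for one host.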

From: Michael Albinus
To: Glenn Morris
Subject: Re: bug#18967: Tramp disables important SSH security features
Date: Wed, 21 Dec 2016 12:44:23 +0100

Version: 26.1

> I have some plans for a while to obsolete tramp-gw.el. When I wrote it
> back in 2007, it was the only possibility to have an own implementation
> of HTTP CONNECT tunneling.
>
> Meanwhile, putty supports HTTP CONNECT natively. And with ssh, one could
> use a ProxyCommand based on "nc -X connect ...". No need for Tramp to
> implement it itself anymore.
>
> This would perform much better than my implementation in
> tramp-gw.el. And this bug would disappear automatically.
>
> So let's keep this bug as reminder. And I will see, whether I could
> document these settings in the Tramp manual. There are some free days
> next two weeks, isn't it the Xmas break?

Done, closing the bug.

Best regards, Michael.

From: Debbugs Internal Request
To: internal_control@debbugs.gnu.org
Subject: Internal Control
Date: Wed, 18 Jan 2017 12:24:04 +0000

# This is a fake control message.
#
# The action:
# bug archived.
thanks