From mboxrd@z Thu Jan 1 00:00:00 1970
From: Michael Albinus
Newsgroups: gmane.emacs.bugs
Subject: bug#18967: Tramp disables important SSH security features
Date: Sun, 18 Dec 2016 09:51:18 +0100
Message-ID: <878trdy60p.fsf@gmx.de>
References: <545AC52C.1090807@dancol.org> <874muczg8b.fsf@lifelogs.com> <545BA8B0.8060107@dancol.org> <87wq77igvj.fsf@gmx.de> <871sxcbpiw.fsf@fencepost.gnu.org> <8737hs5iq1.fsf@gmx.de>
In-Reply-To: (Glenn Morris's message of "Tue, 13 Dec 2016 15:04:45 -0500")
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.0.50 (gnu/linux)
Cc: 18967@debbugs.gnu.org, Ted Zlatanov, Stefan Monnier
To: Glenn Morris
X-GNU-PR-Message: followup 18967
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords: security

Glenn Morris writes:

> How about
>
> ssh -o BatchMode=yes

No, BatchMode suppresses the password dialogue. Not applicable.

And looking at the code I really don't see what can be done. Note that
GlobalKnownHostsFile, UserKnownHostsFile and StrictHostKeyChecking are
not disabled by default. They are disabled only in case a so-called
gateway is used, like
"/tunnel:proxyhost#3128|ssh:remotehost:/path/to/file". Tramp will create
a temporary httpd tunnel then, with a random port number on the
localhost, like localhost#12345.

If you connect to remotehost as above, there will be an internal ssh
connection to localhost#12345, which is the tunnel through proxyhost. If
you connect to another.remotehost afterwards, the same internal ssh
target will be used. But remotehost and another.remotehost are
different, and so are their host keys. That's why Tramp must be
instructed to ignore the host keys in this very special case.

See also (info "(tramp) Gateway methods")

Best regards, Michael.
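
Added example (not part of the original message and not Tramp's code): a small Python model of how OpenSSH picks the name it looks up in known_hosts. It shows why one shared tunnel endpoint such as localhost#12345 cannot hold the keys of both remotehost and another.remotehost, and how lookups keyed by the real host name (what ssh's HostKeyAlias option selects) keep them apart and still catch a wrong key. The key strings are constructed placeholders, and the matcher ignores wildcard patterns and @-marker lines.

```python
import base64, hashlib, hmac

def lookup_name(host, port=22, host_key_alias=None):
    """Name ssh looks up in known_hosts: the alias if set, else host or [host]:port."""
    if host_key_alias:
        return host_key_alias
    return host if port == 22 else f"[{host}]:{port}"

def _name_matches(pattern, name):
    if pattern.startswith("|1|"):  # hashed entry: |1|salt|HMAC-SHA1(key=salt, msg=name)
        _, _, salt, digest = pattern.split("|")
        mac = hmac.new(base64.b64decode(salt), name.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(digest))
    return pattern == name

def check_host_key(known_hosts, name, keytype, key):
    """Return 'match', 'mismatch' (name and key type known, other key) or 'unknown'."""
    result = "unknown"
    for line in known_hosts.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(("#", "@")):
            continue  # blank line, comment, or marker line (not modelled here)
        if not any(_name_matches(p, name) for p in fields[0].split(",")):
            continue
        if fields[1] == keytype:
            if fields[2] == key:
                return "match"
            result = "mismatch"
    return result

# Constructed placeholder keys, not real key material.
KEY_A = "AAAAC3NzaC1lZDI1NTE5AAAAIconstructedKeyForRemotehost"
KEY_B = "AAAAC3NzaC1lZDI1NTE5AAAAIconstructedKeyForAnotherHost"
T = "ssh-ed25519"

def tunnel_scenario():
    tunnel = lookup_name("localhost", 12345)  # "[localhost]:12345"
    # Keyed by tunnel endpoint: the first connection (remotehost) stored KEY_A.
    by_endpoint = f"{tunnel} {T} {KEY_A}\n"
    # Keyed by real host name, as a HostKeyAlias lookup would be.
    by_alias = f"remotehost {T} {KEY_A}\nanother.remotehost {T} {KEY_B}\n"
    alias = lookup_name("localhost", 12345, host_key_alias="another.remotehost")
    return {
        "endpoint, remotehost": check_host_key(by_endpoint, tunnel, T, KEY_A),
        "endpoint, another.remotehost": check_host_key(by_endpoint, tunnel, T, KEY_B),
        "alias, another.remotehost": check_host_key(by_alias, alias, T, KEY_B),
        "alias, wrong key presented": check_host_key(by_alias, alias, T, KEY_A),
    }
```
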