
Provide an explicit option for server fingerprint in commit archive, and make insecure the default
Closed, Resolved (Public)


Commit archive over SSH is now a messy affair. As T1866 shows, it cannot handle non-standard ports. However, it also cannot handle non-RSA keys. With elliptic curves rapidly becoming the default, it's even worse.

Disabling fingerprint checking by default sounds sensible: how often do you see spoofing attacks in the wild? There are lots of safeguards against those in place, in every network.

The really messy part is that the script emulates a user, by interacting with ssh. See

It may be better to provide an explicit fingerprint option for those who are concerned about spoofing attacks.


Difficulty level: Unknown (require assessment)
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Behavior change
Issue type: Feature (new functionality)

Event Timeline

erkin set Issue type to Feature (new functionality). Aug 30 2021, 5:11 AM
erkin removed a subscriber: Active contributors.

The way it's done right now is like this:

  1. Load the system keys (and ~/.ssh/known_hosts if found), then check if the fingerprint is known. If so, quietly continue.
  2. If not, tell the user about it and ask if they want to continue still. If not, abort.
  3. If they do and we found the ~/.ssh/known_hosts in step 1, check if we can write to it. If not, continue.
  4. If so, ask the user if they want to save this new host to the known hosts file. If not, continue.
  5. If they do, record the new host and continue.
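
The five steps above can be modelled with the standard library alone. This is an added example, not VyOS code: the function names, the `ask` callback and the `pinned` parameter (an OpenSSH-style `SHA256:` fingerprint standing in for the explicit option the task proposes) are assumptions. It goes beyond the steps by also matching `[host]:port` entries, hashed entries and any key type, the cases raised in the task description.

```python
import base64, hashlib, hmac, os

def fingerprint(key_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 key blob; works for any key type."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def entry_name(host, port):
    """known_hosts stores non-default ports as [host]:port."""
    return host if port == 22 else f"[{host}]:{port}"

def host_matches(pattern, host, port):
    name = entry_name(host, port)
    if pattern.startswith("|1|"):  # hashed entry: |1|salt|HMAC-SHA1(salt, name)
        salt, _, digest = pattern[3:].partition("|")
        mac = hmac.new(base64.b64decode(salt), name.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(digest))
    return name in pattern.split(",")  # simplification: no wildcard patterns

def is_known(known_hosts_text, host, port, key_type, key_b64):
    for line in known_hosts_text.splitlines():
        fields = line.split()
        # Simplification: @revoked / @cert-authority marker lines are skipped.
        if len(fields) < 3 or line.startswith(("#", "@")):
            continue
        if host_matches(fields[0], host, port) and fields[1:3] == [key_type, key_b64]:
            return True
    return False

def check_host(host, port, key_type, key_b64, system_keys, user_file, ask, pinned=None):
    """Return (proceed, saved). ask(question) -> bool stands in for the user prompt."""
    if pinned is not None:  # assumed explicit-fingerprint option: compare, never prompt
        return hmac.compare_digest(pinned, fingerprint(key_b64)), False
    user_found = os.path.isfile(user_file)
    user_keys = ""
    if user_found:
        with open(user_file) as f:
            user_keys = f.read()
    if is_known(system_keys + "\n" + user_keys, host, port, key_type, key_b64):
        return True, False                                   # step 1: known, continue
    if not ask(f"Unknown key {fingerprint(key_b64)} for {host}. Continue?"):
        return False, False                                  # step 2: user aborts
    if not (user_found and os.access(user_file, os.W_OK)):
        return True, False                                   # step 3: cannot save
    if not ask("Save this host to the known hosts file?"):
        return True, False                                   # step 4: user declines
    with open(user_file, "a") as f:                          # step 5: record the host
        f.write(f"{entry_name(host, port)} {key_type} {key_b64}\n")
    return True, True
```

With `pinned` set, the result depends only on the key the server presents, so an unattended commit archive never reaches a prompt.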