insecure default SSH behavior when .ssh/known_hosts is missing

[bagder]

I did this

Such a situation causes as warning to get displayed but does not prevent the transfer to be attempted.

This was not considered a security vulnerability by the curl security team, but should be improved.

It should be noted that an SSH connection can still be verified without a known hosts file with the use of --hostpubsha256 or --hostpubmd5 (and their libcurl counterparts of course).

Reported-by: Harry Sintonen

I expected the following

If no file is there and no extra option is used, it should probably require --insecure to continue.

curl/libcurl version

master

operating system

any

[bagder]

If we make libcurl require SSH server verification by default, how do we signal that we want to switch off the check? The existing verifypeer option is only (used) for TLS...

Should we perhaps use a "magic" knownhosts file name such as "" for that?

[bagder]

As this is a rather large question with potential API/ABI effects, I took it to the libcurl mailing list as a first step.

[bagder]

Since #16205 the curl tool insists on either a knownhosts file or --insecure.