In Progress

Let SFTP connection use fingerprints stored in ~/.ssh/known_hosts

When using "connect using SFTP" (connect with options) to build an ad hoc SFTP connection, no matter whether the fingerprint of the remote host is in ~/.ssh/known_hosts, Royal TSX always gives me a Certificate and Fingerprint Warning, which bothers me a bit.


So I suggest making the SFTP connection use fingerprints stored in ~/.ssh/known_hosts just like the SSH connection, i.e. add the fingerprint to ~/.ssh/known_hosts when connecting to a new host and suppress the Certificate and Fingerprint Warning when connecting to a known host whose fingerprint is already in ~/.ssh/known_hosts. In this way, Royal TSX will avoid giving useless warnings.


For me, I prefer using "connect using SFTP" to using a File Transfer object to build an SFTP connection. In contrast to the latter, the former can keep my navigation panel as concise as possible.


I sincerely hope that you will take my advice! Looking forward to your reply!


1 person likes this idea

That's something we'll definitely want to work on for the next major release.


1 person likes this

Hi there,


we're happy to announce that the first beta of Royal TSX 5.0 is now available and includes this feature!


You can get the beta here: https://royalapps.com/ts/mac/features-beta

Please let us know how it works for you!


cheers,

felix

Hello, it works for me! And I'm confused about your design.


I find a phenomenon: If I never connect a host via ssh (i.e. the fingerprint of the host is not in ~/.ssh/known_hosts), every time I use "connect using SFTP", I will still get the warning.


Then I find what happens: If I have ever connected to a host via ssh, then I use "connect using SFTP", the fingerprint will be changed from ecdsa-sha2-nistp256 type to ssh-rsa type. And the original ecdsa-sha2-nistp256 fingerprint will be saved to ~/.ssh/known_hosts.old. If I have not connected to a host via ssh yet, then I use "connect using SFTP", nothing will happen, which means I will still receive the warning when I use "connect using SFTP" next time.


Besides, if I create an SFTP connection object and I use it (keeping "Ignore Certificate and Fingerprint Warnings" disabled), after I confirm the warning I will not get the warning any more, and no new entries will be added to ~/.ssh/known_hosts. I guess you save the fingerprint or make some settings in the object for created SFTP connection objects (because once I delete the object and create the same one, I will get the warning again).


I really don't understand why you design like this. To the best of my knowledge, general ssh and sftp use the same fingerprint in the ~/.ssh/known_hosts.


So I can only think that:

The File Transfer plugin can use ssh-rsa type fingerprints but can not use ecdsa-sha2-nistp256 type fingerprints. The iTerm2 plugin can use both. If that's the case, I think designing a fingerprint file only for all types of SFTP connections in Royal TSX may be better than changing ~/.ssh/known_hosts. For example, let ~/.ssh/known_hosts_for_SFTP_only:

(1) save fingerprints from "SFTP connection objects" and "connect using SFTP"

(2) get rid of the dependence on ~/.ssh/known_hosts, i.e. even if ~/.ssh/known_hosts doesn't exist, new fingerprints can be added to ~/.ssh/known_hosts_for_SFTP_only.


1 person likes this

I just found this discussion after creating a support ticket. I have the same issue, a 'connect with options > SFTP' session from an SSH connection overwrites the existing known_hosts key with ssh-dss in my case, causing subsequent ssh sessions to fail until the key is removed.


Sorry for the silence on our part.

We're aware of the issue and will look into it in one of the next V5 beta updates.


cheers,

felix

Hi Tan, Alex,


sorry for the delay!


The issue mentioned by the two of you should now be resolved in the latest Royal TSX and File Transfer beta versions.

Please update to the current releases and let us know if the bug is indeed fixed for you.


thx,

felix

Works for me now, thanks!


Another small change to consider for the future. If I connect via SFTP before accepting the ecdsa key in a normal ssh session, I'm still prompted to accept the RSA key (although it's no longer added to the file).


Thx for getting back to me and great news, Alex!


The file transfer connection uses components built into Royal TSX to establish connections. The terminal connection however uses the system-supplied OpenSSH ssh binary.

So we have two different systems here with different defaults. The known_hosts integration we currently have aims to bridge at least the common case of having previously connected through the system-supplied SSH. It does not, however, synchronize the defaults between the two systems.

If you'd like to change the order of host key algorithms for SFTP connections, you can do so in the "Security" properties of the connection (or in the file transfer default settings if you want the settings to apply to all newly created objects). That way you can ensure that whatever algorithms you prefer end up being given more priority.


Hope that helps!


cheers,

felix
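The behaviour discussed in this thread (one known_hosts file shared by the system ssh client and the built-in SFTP stack, an ecdsa-sha2-nistp256 key already stored, and the SFTP side negotiating ssh-rsa first and prompting again) can be made concrete with a small known_hosts checker. The following is an added example in Python, not code from Royal TSX or its File Transfer plugin: it parses a constructed known_hosts sample (placeholder key blobs, including a hashed `|1|salt|hash` entry and an `@revoked` marker), lists which key types are already trusted for a host, and reorders an assumed client algorithm preference so that already-known types come first, which is what OpenSSH does for its own HostKeyAlgorithms and what a second SSH stack must also do to stay silent for a known host. `SFTP_DEFAULT_ORDER` is an assumed preference list chosen to mirror the thread (ssh-rsa first), not the plugin's real default.

```python
import base64
import fnmatch
import hashlib
import hmac
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set


@dataclass
class KnownHostEntry:
    host_field: str        # names, "[host]:port", wildcards, or "|1|salt|hash"
    key_type: str          # e.g. ecdsa-sha2-nistp256, ssh-rsa, ssh-ed25519
    key_b64: str           # base64 key blob (placeholders in the sample below)
    marker: Optional[str]  # "@revoked", "@cert-authority" or None


def hashed_host_field(hostname: str, salt: bytes) -> str:
    """HashKnownHosts-style field: |1|base64(salt)|base64(HMAC-SHA1(salt, hostname))."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|{}|{}".format(base64.b64encode(salt).decode(),
                            base64.b64encode(digest).decode())


# Constructed sample file; the key blobs are placeholders, not real public keys.
SAMPLE_KNOWN_HOSTS = (
    "# host-a was only ever reached with the system ssh client (ECDSA stored)\n"
    "host-a.example ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYPLACEHOLDER\n"
    "# host-b has both key types recorded, so either negotiation stays silent\n"
    "host-b.example ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYPLACEHOLDER\n"
    "host-b.example ssh-rsa AAAAB3NzaC1yc2EAAAADAQABPLACEHOLDER\n"
    "[host-c.example]:2222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER\n"
    "*.lab.example ssh-rsa AAAAB3NzaC1yc2EAAAADAQABPLACEHOLDER\n"
    "@revoked host-d.example ssh-rsa AAAAB3NzaC1yc2EAAAADAQABPLACEHOLDER\n"
    + hashed_host_field("host-e.example", b"\x01" * 20)
    + " ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER\n"
)

# Assumed client preference list mirroring the thread (ssh-rsa tried first).
SFTP_DEFAULT_ORDER = ["ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256"]


def parse_known_hosts(text: str) -> List[KnownHostEntry]:
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        marker = fields.pop(0) if fields[0].startswith("@") else None
        if len(fields) < 3:
            continue  # malformed line: skip rather than guess
        entries.append(KnownHostEntry(fields[0], fields[1], fields[2], marker))
    return entries


def _pattern_matches(pattern: str, hostname: str) -> bool:
    # OpenSSH treats only '*' and '?' as wildcards; escape '[' so that
    # "[host]:port" entries are compared literally instead of as a char class.
    return fnmatch.fnmatchcase(hostname, pattern.replace("[", "[[]"))


def host_field_matches(field: str, hostname: str) -> bool:
    if field.startswith("|1|"):
        _, _, salt_b64, digest_b64 = field.split("|", 3)
        salt = base64.b64decode(salt_b64)
        actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, base64.b64decode(digest_b64))
    matched = False
    for pat in field.split(","):
        if pat.startswith("!"):
            if _pattern_matches(pat[1:], hostname):
                return False  # negated pattern excludes the host outright
        elif _pattern_matches(pat, hostname):
            matched = True
    return matched


def known_key_types(entries: Iterable[KnownHostEntry], hostname: str) -> Set[str]:
    """Key types with a trusted (non-revoked) entry for hostname."""
    return {e.key_type for e in entries
            if e.marker != "@revoked" and host_field_matches(e.host_field, hostname)}


def order_for_host(client_order: List[str], known_types: Set[str]) -> List[str]:
    """Move already-known key types to the front, keeping relative order."""
    known = [a for a in client_order if a in known_types]
    return known + [a for a in client_order if a not in known_types]


def needs_prompt(entries: Iterable[KnownHostEntry], hostname: str, negotiated: str) -> bool:
    """True when the negotiated key type has no trusted entry, i.e. a warning is due."""
    return negotiated not in known_key_types(entries, hostname)


if __name__ == "__main__":
    entries = parse_known_hosts(SAMPLE_KNOWN_HOSTS)
    known = known_key_types(entries, "host-a.example")
    print("stored for host-a:", sorted(known))
    print("prompt with default order:", needs_prompt(entries, "host-a.example", SFTP_DEFAULT_ORDER[0]))
    adjusted = order_for_host(SFTP_DEFAULT_ORDER, known)
    print("adjusted order:", adjusted, "-> prompt:", needs_prompt(entries, "host-a.example", adjusted[0]))
```

For host-a the default order negotiates ssh-rsa, which the file has never seen, so a warning is correct from that stack's point of view even though the host is "known"; after reordering, ecdsa-sha2-nistp256 is offered first and no prompt is needed. The check is also a useful triage step when such a warning does appear: a known host presenting a key type that is simply not stored yet is a different situation from a host whose stored key of the same type no longer matches, and only the latter should be treated as a possible host key change.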

I don't see any way to edit the default connection properties for file transfers. Whereabouts is the menu?

Default Settings are stored in the "Application" document's "Default Settings" folder.

Scroll way down in the navigation panel (sidebar) to locate the "Application" document. Then, find the "Default Settings" folder and expand it. Here you should see an entry for "File Transfer" which you can edit to modify the default settings for newly created file transfer connections.


Hope that helps!


cheers,

felix

Perfect, thanks!

You're welcome, Alex!


Going slightly off topic but you might also want to check out the bulk-edit feature if you haven't already: https://www.royalapps.com/go/kb-ts-mac-bulkedit


cheers,

felix
