diff options
| author | Jacob Nevins <jacobn@chiark.greenend.org.uk> | 2022-10-21 22:04:16 +0300 |
|---|---|---|
| committer | Jacob Nevins <jacobn@chiark.greenend.org.uk> | 2022-10-21 22:41:37 +0300 |
| commit | 5f3b743eb0ae136bf34e372b10d5bbdc1755f958 (patch) | |
| tree | 5405845a98cf926e62596924e6183afb3075538f | |
| parent | 344cde8dedb4c1e29ef889d4bdaf80d6702e3033 (diff) | |
Tweak certified-host-key prompt.
Add a specific reassurance that taking the add-to-cache action will not
cause the CA that signed the key to be trusted in any wider context.
| -rw-r--r-- | ssh/common.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/ssh/common.c b/ssh/common.c index 161bebbd..a1b4d77d 100644 --- a/ssh/common.c +++ b/ssh/common.c @@ -1037,6 +1037,12 @@ SeatPromptResult verify_ssh_host_key( text, SDT_PARA, "If you were expecting this change and trust the " "new key, %s to update %s's cache and carry on connecting.", pds->hk_accept_action, appname); + if (key && ssh_key_alg(key)->is_certificate) { + seat_dialog_text_append( + text, SDT_PARA, "(Storing this certified key in the cache " + "will NOT cause its certification authority to be trusted " + "for any other key or host.)"); + } seat_dialog_text_append( text, SDT_PARA, "If you want to carry on connecting but without " "updating the cache, %s.", pds->hk_connect_once_action); |