On Wed, 23 Dec 2015, Alon Bar-Lev wrote:

> Hello,
>
> This hostkeys extension is great, reading[1]:
> """
> OpenSSH supports a protocol extension allowing a server to inform a
> client of all its protocol v.2 host keys after user-authentication has
> completed.
> """
>
> I wonder, why should user authentication be completed before this
> functionality is available? This means that ssh-keyscan tool (for
> example) cannot take advantage of the functionality.

It's done this way because the only extensible messages in the protocol are channel and global requests, which are only valid after the "ssh-connection" (channels) service has been requested. This only happens after userauth.

It would be better to do it after key exchange and before user authentication, but it would also be less compatible with other implementations.

-d

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
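
The ordering constraint described in the reply above, as an added example that is not part of the original thread and not OpenSSH code: a parser for the host keys global request that refuses the message outside the connection phase. The request name `hostkeys-00@openssh.com`, message number 80 and the number ranges come from OpenSSH's PROTOCOL file and RFCs 4250/4254, not from the post; the phase names, function names and sample key blobs are assumptions made for illustration.

```python
import struct

SSH_MSG_GLOBAL_REQUEST = 80                    # RFC 4254, section 4
HOSTKEYS_REQUEST = b"hostkeys-00@openssh.com"  # request name from OpenSSH's PROTOCOL file

def put_string(data):
    """Encode an SSH 'string': uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def get_string(buf, off):
    """Decode an SSH 'string' at off; return (bytes, next offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated string")
    return buf[off + 4:off + 4 + n], off + 4 + n

def phase_allows(msg_type, phase):
    """Simplified gate from the RFC 4250 number ranges: 1-49 transport
    (any phase), 50-79 userauth, 80-127 connection protocol."""
    if 1 <= msg_type <= 49:
        return True
    if 50 <= msg_type <= 79:
        return phase == "userauth"
    return 80 <= msg_type <= 127 and phase == "connection"

def parse_hostkeys(payload, phase):
    """Return [(key type, key blob), ...] from a hostkeys global request."""
    if not payload or not phase_allows(payload[0], phase):
        raise ValueError("message not valid in phase %r" % phase)
    if payload[0] != SSH_MSG_GLOBAL_REQUEST:
        raise ValueError("not a global request")
    name, off = get_string(payload, 1)
    if name != HOSTKEYS_REQUEST:
        raise ValueError("unexpected request name")
    if off >= len(payload):
        raise ValueError("missing want-reply byte")
    off += 1                             # skip the want-reply flag
    keys = []
    while off < len(payload):
        blob, off = get_string(payload, off)
        ktype, _ = get_string(blob, 0)   # every key blob starts with its type name
        keys.append((ktype.decode("ascii"), blob))
    return keys

# Constructed sample: two dummy key blobs (not real keys).
SAMPLE_BLOBS = [put_string(b"ssh-ed25519") + put_string(bytes(32)),
                put_string(b"ssh-rsa") + put_string(b"\x01\x00\x01") + put_string(b"\x00" + b"\xff" * 8)]
SAMPLE = (bytes([SSH_MSG_GLOBAL_REQUEST]) + put_string(HOSTKEYS_REQUEST) + b"\x00"
          + b"".join(put_string(b) for b in SAMPLE_BLOBS))
```

A client that stops after key exchange, as ssh-keyscan does in the question, is still in the `"kex"` phase here, so `parse_hostkeys(SAMPLE, "kex")` raises while the same bytes parse in `"connection"`.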