It was reported [1] that lftp saves unknown host's fingerprint in known_hosts without any prompt: Original report: From the src/SSH_Access.cc file: 47: const char *y="(yes/no)?"; 73: if(s>=y_len && !strncasecmp(b+s-y_len,y,y_len)) 74: { 75: pty_recv_buf->Put("yes\n"); 76: pty_send_buf->Put("yes\n"); 77: return m; 78: } Not only does it make a particular SFTP file transfer insecure, but also any future connection via any SSH client. After enabling debug (the "yes" answer generated automatically): #v+ $ lftp sftp://mszewczyk@localhost:22203 Password: lftp mszewczyk@localhost:~> debug lftp mszewczyk@localhost:~> ls ---- Running connect program (ssh -a -x -s -l mszewczyk -p 22203 localhost sftp) ---> sending a packet, length=5, type=1(INIT), id=0 <--- The authenticity of host '[localhost]:22203 ([::1]:22203)' can't be established. <--- RSA key fingerprint is 84:a2:ec:3d:98:1e:95:e6:e4:68:d9:a4:31:92:f7:8d. <--- Are you sure you want to continue connecting (yes/no)? yes <--- <--- Warning: Permanently added '[localhost]:22203' (RSA) to the list of known hosts. #v- This was reported to upstream as well: https://github.com/lavv17/lftp/issues/116 [1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774769
Created lftp tracking bugs for this issue: Affects: fedora-all [bug 1180214]
https://github.com/lavv17/lftp/commit/bc7b476e782d77839765f56bbdb4cee9f36b54ec
Steps to reproduce: $ lftp sftp://user@localhost lftp user@localhost:~> debug lftp user@localhost:~> ls (see comment 1)
lftp-4.5.4-4.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
lftp-4.5.4-3.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
lftp-4.6.1-4.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
Upstream fix: https://github.com/lavv17/lftp/commit/bc7b476e782d77839765f56bbdb4cee9f36b54ec
This issue affects the versions of lftp as shipped with Red Hat Enterprise Linux 5, 6 and 7. Red Hat Product Security has rated this issue as having Low security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/. Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Low security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.