DOKK / manpages / debian 11 / libcurl4-doc / CURLOPT_SSH_KEYFUNCTION.3.en
CURLOPT_SSH_KEYFUNCTION(3) curl_easy_setopt options CURLOPT_SSH_KEYFUNCTION(3)

CURLOPT_SSH_KEYFUNCTION - callback for known host matching logic

#include <curl/curl.h>
enum curl_khstat {

CURLKHSTAT_FINE_ADD_TO_FILE,
CURLKHSTAT_FINE,
CURLKHSTAT_REJECT, /* reject the connection, return an error */
CURLKHSTAT_DEFER, /* do not accept it, but we can't answer right
now so this causes a CURLE_DEFER error but
otherwise the connection will be left intact
etc */
CURLKHSTAT_FINE_REPLACE }; enum curl_khmatch {
CURLKHMATCH_OK, /* match */
CURLKHMATCH_MISMATCH, /* host found, key mismatch! */
CURLKHMATCH_MISSING, /* no matching host/key found */ }; struct curl_khkey {
const char *key; /* points to a null-terminated string encoded with
base64 if len is zero, otherwise to the "raw"
data */
size_t len;
enum curl_khtype keytype; }; int ssh_keycallback(CURL *easy,
const struct curl_khkey *knownkey,
const struct curl_khkey *foundkey,
enum curl_khmatch,
void *clientp); CURLcode curl_easy_setopt(CURL *handle, CURLOPT_SSH_KEYFUNCTION,
ssh_keycallback);

Pass a pointer to your callback function, which should match the prototype shown above.

It gets called when the known_host matching has been done, to allow the application to act and decide for libcurl how to proceed. The callback will only be called if CURLOPT_SSH_KNOWNHOSTS(3) is also set.

This callback function gets passed the CURL handle, the key from the known_hosts file knownkey, the key from the remote site foundkey, info from libcurl on the matching status and a custom pointer (set with CURLOPT_SSH_KEYDATA(3)). It MUST return one of the following return codes to tell libcurl how to act:

The new host+key is accepted and libcurl will replace the old host+key into the known_hosts file before continuing with the connection. This will also add the new host+key combo to the known_host pool kept in memory if it wasn't already present there. The adding of data to the file is done by completely replacing the file with a new copy, so the permissions of the file must allow this. (Added in 7.73.0)
The host+key is accepted and libcurl will append it to the known_hosts file before continuing with the connection. This will also add the host+key combo to the known_host pool kept in memory if it wasn't already present there. The adding of data to the file is done by completely replacing the file with a new copy, so the permissions of the file must allow this.
The host+key is accepted libcurl will continue with the connection. This will also add the host+key combo to the known_host pool kept in memory if it wasn't already present there.
The host+key is rejected. libcurl will deny the connection to continue and it will be closed.
The host+key is rejected, but the SSH connection is asked to be kept alive. This feature could be used when the app wants to somehow return back and act on the host+key situation and then retry without needing the overhead of setting it up from scratch again.

NULL

SFTP and SCP

static int keycb(CURL *easy,

const struct curl_khkey *knownkey,
const struct curl_khkey *foundkey,
enum curl_khmatch,
void *clientp) {
/* 'clientp' points to the callback_data struct */
/* investigate the situation and return the correct value */
return CURLKHSTAT_FINE_ADD_TO_FILE; } {
curl_easy_setopt(curl, CURLOPT_URL, "sftp://example.com/thisfile.txt");
curl_easy_setopt(curl, CURLOPT_SSH_KEYFUNCTION, keycb);
curl_easy_setopt(curl, CURLOPT_SSH_KEYDATA, &callback_data);
curl_easy_setopt(curl, CURLOPT_SSH_KNOWNHOSTS, "/home/user/known_hosts");
curl_easy_perform(curl); }

Added in 7.19.6

Returns CURLE_OK if the option is supported, and CURLE_UNKNOWN_OPTION if not.

CURLOPT_SSH_KEYDATA(3), CURLOPT_SSH_KNOWNHOSTS(3),

November 4, 2020 libcurl 7.74.0