CURLOPT_SSH_*_KEYFILE: used for setting up, then no more

So changing them after the connection is made still allows libcurl to
reuse the existing connections.

Reported-by: Bigtang on hackerone
Closes #22211
This commit is contained in:
Daniel Stenberg 2026-06-29 08:05:16 +02:00
parent c9d8a6bc10
commit f3c11692a9
No known key found for this signature in database
GPG key ID: 5CC908FDB71E12C2
2 changed files with 11 additions and 2 deletions

View file

@ -33,8 +33,7 @@ used, libcurl defaults to **$HOME/.ssh/id_rsa** or **$HOME/.ssh/id_dsa** if
the HOME environment variable is set, and in the current directory if HOME is
not set.
If the file is password-protected, set the password with
CURLOPT_KEYPASSWD(3).
If the file is password-protected, set the password with CURLOPT_KEYPASSWD(3).
The SSH library derives the public key from this private key when possible. If
the SSH library cannot derive the public key from the private one and no
@ -44,6 +43,11 @@ fails.
The application does not have to keep the string around after setting this
option.
This option is used to set up a new connection only. The private key is used
when libcurl establishes a new SSH connection; once that connection has been
successfully set up and verified, it is deemed vetted and may be reused by
libcurl even if this option is changed.
# DEFAULT
As explained above

View file

@ -40,6 +40,11 @@ no public one is provided, the transfer fails.
The application does not have to keep the string around after setting this
option.
This option is used to set up a new connection only. The public key is used
when libcurl establishes a new SSH connection; once that connection has been
successfully set up and verified, it is deemed vetted and may be reused by
libcurl even if this option is changed.
# DEFAULT
NULL