From: "Omar Polo" <op@omarpolo.com>
Subject: Re: gotwebd login hint ssh fingerprints
To: Stefan Sperling <stsp@stsp.name>
Cc: gameoftrees@openbsd.org
Date: Tue, 10 Feb 2026 12:02:32 +0100

Stefan Sperling <stsp@stsp.name> wrote:
> Allow SSH host key fingerprints to be declared in global config scope and
> in per-server config scope. The previously added per-repository setting
> added for clone URLs remains, but will by default inherit fingerprints from
> global or server scope which should save some copy-pasting in many cases.
> 
> Display per-server fingerprints on the login hint error page. This way,
> people using gotsh weblogin have something to compare the fingerprint
> presented by ssh to. To make this work nicely we have to move the login
> hint display logic to the templating mechanism, rather than rendering it
> as part of an error message. The error buffer might not be large enough
> and we cannot easily render a HTML list of items with it.
> 
> ok?

yes!  nice!  

> [...]
>  <div id="err_content">
>    {{ if t->error }}
> -    {{ t->error->msg }}
> +    {{ if t->error->code == GOT_ERR_LOGIN_HINT && login_hint_user }}
> +      Log in by running: 
> +      {{ if login_hint_port }}
> +	ssh -p {{ login_hint_port }} {{" "}} {{ login_hint_user }}@{{ srv->name }} {{" "}} "weblogin {{ srv->name }}"

just one nit, while we are here, can't we wrap this into <pre>?

> +	
> +      {{ else }}
> +	ssh {{ login_hint_user }}@{{ srv->name }} {{" "}} "weblogin {{ srv->name }}"

and this too

> +      {{ end }}
> +      {{ if srv->sshfp[GOTWEBD_SSHFP_ECDSA][0] != '\0' ||
> +          srv->sshfp[GOTWEBD_SSHFP_ED25519][0] != '\0' ||
> +          srv->sshfp[GOTWEBD_SSHFP_RSA][0] != '\0' }}

ok anyway op@