
Re: ssh - upgrade to v4 - hash known_hosts file
On Monday 16 May 2005 08:42 pm, Maurice Butler (Like Magic) wrote:
> Hi,
>
> has this been dealt too,
>
> Maurice
>
> SSH HOLE PUTTING BIG BUSINESS AT RISK
>
> known_hosts file could tell a worm where to travel next
>
> http://s0.tx.co.nz/at/tep34i74214a4j37267s4c1682099t9f2n841263z

As Mike so succinctly points out, it *is* a feature, and a very important one.

*However*
SSH version 4 and higher contain an option to hash the known_hosts database.
Here's what the ssh config documentation has to say about this:

HashKnownHosts
Indicates that ssh should hash host names and addresses when they
are added to $HOME/.ssh/known_hosts. These hashed names may be
used normally by ssh and sshd, but they do not reveal identifying
information should the file's contents be disclosed. The default
is ``no''. Note that hashing of names and addresses will not be
retrospectively applied to existing known hosts files, but these
may be manually hashed using ssh-keygen(1).

So, when you get a moment, I'd search Gentoo's bugzilla and put in a bug if
one doesn't already exist suggesting that the default Gentoo configuration of
openssh should hash the known hosts file.

Regards,

- Brian
--
gentoo-security@gentoo.org mailing list
Re: ssh - upgrade to v4 - hash known_hosts file
On Tuesday 17 May 2005 07:44 am, Brian G. Peterson wrote:
> On Monday 16 May 2005 08:42 pm, Maurice Butler (Like Magic) wrote:
> > SSH HOLE PUTTING BIG BUSINESS AT RISK
> >
> > known_hosts file could tell a worm where to travel next
> >
> > http://s0.tx.co.nz/at/tep34i74214a4j37267s4c1682099t9f2n841263z
>
> As Mike so succinctly points out, it *is* a feature, and a very important
> one.
>
> *However*
> SSH version 4 and higher contain an option to hash the known_hosts
> database. Here's what the ssh config documentation has to say about this:
>
> HashKnownHosts
> Indicates that ssh should hash host names and addresses when
> they are added to $HOME/.ssh/known_hosts. These hashed names may be used
> normally by ssh and sshd, but they do not reveal identifying information
> should the file's contents be disclosed. The default is ``no''. Note that
> hashing of names and addresses will not be retrospectively applied to
> existing known hosts files, but these may be manually hashed using
> ssh-keygen(1).
>
> So, when you get a moment, I'd search Gentoo's bugzilla and put in a bug if
> one doesn't already exist suggesting that the default Gentoo configuration
> of openssh should hash the known hosts file.

I've done it for you:

http://bugs.gentoo.org/show_bug.cgi?id=92913

Regards,

- Brian
Re: ssh - upgrade to v4 - hash known_hosts file
>> *However*
>> SSH version 4 and higher contain an option to hash the known_hosts
>> database. Here's what the ssh config documentation has to say about
>> this:

I, for one, have frequently had to edit known_hosts manually.
Experimental box dies, you reformat, new keys are generated, and then
ssh flips its lid, which _is_ a feature. But, then I have to remove
the offending line, and if the hostnames are hashed how am I to do
that?


james

Re: ssh - upgrade to v4 - hash known_hosts file
On Tue, 2005-05-17 at 12:42 -0400, James Larkby-Lahet wrote:
> >> *However*
> >> SSH version 4 and higher contain an option to hash the known_hosts
> >> database. Here's what the ssh config documentation has to say about
> >> this:
>
> I, for one, have frequently had to edit known_hosts manually.
> Experimental box dies, you reformat, new keys are generated, and then
> ssh flips its lid, which _is_ a feature. But, then I have to remove
> the offending line, and if the hostnames are hashed how am I to do
> that?
ssh tells you on which line the offending key is, that's how I delete
them - it is easier than looking for the hostname.

Antoine

Re: ssh - upgrade to v4 - hash known_hosts file
antoine wrote:
> On Tue, 2005-05-17 at 12:42 -0400, James Larkby-Lahet wrote:
>> >> *However*
>> >> SSH version 4 and higher contain an option to hash the known_hosts
>> >> database. Here's what the ssh config documentation has to say about
>> >> this:
>>
>> I, for one, have frequently had to edit known_hosts manually.
>> Experimental box dies, you reformat, new keys are generated, and then
>> ssh flips its lid, which _is_ a feature. But, then I have to remove
>> the offending line, and if the hostnames are hashed how am I to do
>> that?
> ssh tells you on which line the offending key is, that's how I delete
> them - it is easier than looking for the hostname.

Yes, but what about having various lines all referring to the same host?
There is no way to have it done fast, once, by deleting *all* referring
lines, since there is no way to find out what other lines match this
particular host. Such a scenario is common in dhcp environments where you
are connecting to hosts changing their IP with the next boot.

--
Thomas

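The hashed known_hosts format that James and Thomas ask about, as an added example (my code, not from the thread or from OpenSSH): it hashes a name the way HashKnownHosts stores it, checks a name you already know against a hashed line, and groups a DHCP host's lines by their shared key so all of them can be removed in one go. The host names, addresses and key blobs are constructed placeholders.

```python
import base64
import hashlib
import hmac
import os

def hash_hostname(hostname, salt=None):
    """Hash one name exactly as HashKnownHosts stores it:
    |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=hostname))."""
    if salt is None:
        salt = os.urandom(20)          # OpenSSH draws a fresh 20-byte salt per line
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def hostname_matches(field, hostname):
    """True if a host field (plain, comma-separated or hashed) names hostname.
    A hashed field only confirms a name you already hold; it cannot be reversed."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|")
        salt = base64.b64decode(salt_b64)
        expected = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(mac_b64))
    return hostname in field.split(",")

def find_host_lines(text, hostname):
    """1-based numbers of every line whose host field matches hostname."""
    return [n for n, line in enumerate(text.splitlines(), 1)
            if len(line.split()) >= 3 and not line.startswith("#")
            and hostname_matches(line.split()[0], hostname)]

def find_lines_with_key(text, key_line_no):
    """Lines carrying the same key as line key_line_no: how to group a DHCP host's
    entries when its hashed names and addresses differ from line to line."""
    lines = text.splitlines()
    key = lines[key_line_no - 1].split()[1:3]      # key type and base64 blob
    return [n for n, line in enumerate(lines, 1) if line.split()[1:3] == key]

def remove_lines(text, line_numbers):
    drop = set(line_numbers)
    return "\n".join(l for n, l in enumerate(text.splitlines(), 1) if n not in drop)

# Constructed sample file: a plain entry, then hashed entries with fixed salts.
# Lines 2 and 3 are one lab box seen by name and by a DHCP address (same key).
SAMPLE = "\n".join([
    "lab.example.test,10.0.0.5 ssh-rsa AAAAPLACEHOLDERKEY1",
    hash_hostname("lab.example.test", b"A" * 20) + " ssh-rsa AAAAPLACEHOLDERKEY2",
    hash_hostname("10.0.0.9", b"B" * 20) + " ssh-rsa AAAAPLACEHOLDERKEY2",
    hash_hostname("other.example.test", b"C" * 20) + " ssh-rsa AAAAPLACEHOLDERKEY3",
])

if __name__ == "__main__":
    print("lines naming lab.example.test:", find_host_lines(SAMPLE, "lab.example.test"))
    print("lines sharing line 2's key:", find_lines_with_key(SAMPLE, 2))
    print(remove_lines(SAMPLE, find_lines_with_key(SAMPLE, 2)))
```

OpenSSH's own `ssh-keygen -F host` and `ssh-keygen -R host` do the same salted lookup and removal on a hashed file, one name or address at a time.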