On Monday 16 May 2005 08:42 pm, Maurice Butler (Like Magic) wrote:
> Hi,
>
> has this been dealt with too,
>
> Maurice
>
> SSH HOLE PUTTING BIG BUSINESS AT RISK
>
> known_hosts file could tell a worm where to travel next
>
> http://s0.tx.co.nz/at/tep34i74214a4j37267s4c1682099t9f2n841263z
As Mike so succinctly points out, it *is* a feature, and a very important one.
*However*
SSH version 4 and higher contain an option to hash the known_hosts database.
Here's what the ssh config documentation has to say about this:
     HashKnownHosts
             Indicates that ssh should hash host names and addresses when they
             are added to $HOME/.ssh/known_hosts. These hashed names may be
             used normally by ssh and sshd, but they do not reveal identifying
             information should the file's contents be disclosed. The default
             is ``no''. Note that hashing of names and addresses will not be
             retrospectively applied to existing known hosts files, but these
             may be manually hashed using ssh-keygen(1).
So, when you get a moment, I'd search Gentoo's bugzilla and put in a bug if
one doesn't already exist suggesting that the default Gentoo configuration of
openssh should hash the known hosts file.
Regards,
- Brian
--
gentoo-security@gentoo.org mailing list
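Added example, not part of the list message: a small Python model of the hashed known_hosts entry format that HashKnownHosts and ssh-keygen -H produce (|1|salt|HMAC-SHA1(salt, name)|), showing that lookups still work while the file no longer lists hostnames. The host entry and key string are constructed samples; the @-marker and "!" negation cases are deliberately left unhashed here.

```python
import base64
import hashlib
import hmac
import os
from typing import List, Optional

# OpenSSH hashed known_hosts entry: "|1|<b64 salt>|<b64 HMAC-SHA1(key=salt, msg=hostname)>|"
# The salt is 20 random bytes, so the same hostname hashes differently in every entry.
def hash_host(hostname: str, salt: Optional[bytes] = None) -> str:
    if salt is None:
        salt = os.urandom(20)
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s|" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())

def host_matches(entry_host: str, hostname: str) -> bool:
    """Does the host field of a known_hosts line (hashed or plain) cover hostname?"""
    if entry_host.startswith("|1|"):
        parts = entry_host.split("|")          # ['', '1', salt, hash, '']
        if len(parts) != 5:
            return False
        salt = base64.b64decode(parts[2])
        expected = base64.b64decode(parts[3])
        actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    # plain entries may carry a comma-separated list of names/addresses
    return hostname in entry_host.split(",")

def hash_known_hosts(lines: List[str]) -> List[str]:
    """Rewrite plain host fields as hashed ones; comments, blanks, already-hashed lines,
    @cert-authority/@revoked markers and negated (!) patterns are passed through unchanged
    (simplification assumed for this example)."""
    out = []
    for line in lines:
        stripped = line.strip()
        fields = stripped.split(None, 1)       # host field, then "keytype key [comment]"
        if (not stripped or stripped[0] in "#@|" or "!" in fields[0] or len(fields) < 2):
            out.append(line)
            continue
        hosts, rest = fields
        # a hash covers exactly one name, so a comma-separated list becomes one line per name
        for name in hosts.split(","):
            out.append(f"{hash_host(name)} {rest}")
    return out

if __name__ == "__main__":
    # constructed sample line; the key material is a placeholder, not a real key
    sample = ["# hosts", "gw.example.net,10.0.0.1 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEY"]
    for entry in hash_known_hosts(sample):
        print(entry)
```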