Re: SSH Option files using hashes instead of hostnames?



On Tue, 29 Jun 2010, Greg Wooledge wrote:

> On Mon, Jun 28, 2010 at 09:32:06PM -0400, Dan Mahoney, System Admin wrote:
> > On Mon, 28 Jun 2010, Greg Wooledge wrote:
> > > It doesn't make sense. The point of a hash (at least in this context)
> > > is that you cannot reverse it to get the original data back.
> >
> > The point of the hash is that if someone has compromised my account (via
> > brute force, keyboard surfing, evil sysadmin, whatever), and whatever else
> > it contains (trusted keys, kerberos credentials, etc.), they could look in
> > my known_hosts file and see what other hosts they could log into.
>
> You're discussing what you desire as an outcome. That's great. It's
> a perfectly reasonable thing to want.
>
> The problem is that it's not possible.
>
> # Server in guam is on overloaded DSL link
> Host slowpoke
> HostName slowpoke.secure.server.ad.company.com
> ConnectTimeout 600
> User admin
>
> Hashes are one-way. You can turn data into a hash, but you can't turn
> a hash back into data.
>
> But compare this with
>
> HostnameHash |1|JYh/HiqdBkaEKeg0KrS9cHncJRI=|Qc2hMsrOMpReJLyOxwmps3nnb0k=
> ConnectTimeout 600
> User admin
>
> There is no way to translate the hash into the string
> "slowpoke.secure.server.ad.company.com". If you had typed the string
> "slowpoke.secure.server.ad.company.com" on the command line, then the
> ssh client could hash it and compare that to what's in your options
> file. But if you only typed "slowpoke" on the command line, then the
> client can't even look up the canonical FQDN from that.

Agreed, perhaps I wasn't clear that this would assume the client typed the right thing on the command line.

And yet, ssh today will accept a non-fqdn, even without a "hostname" entry in your config. DNS is Sexy. :)

There are two uses to the Host/Hostname thing in ssh.

First is to let you look up a machine that's not in DNS at all, sometimes with alternate credentials or whatnot. (i.e. an alias).

The other is if you need to trump your DNS search-list.

As I mentioned in my first request, this hash would have to be done after the client looked up the FQDN, and base it on that. Something resolvable would have to be specified on the command line.

I admit that this would not work in cases where you're using both host and hostname for the same host in your options file. I've always been a fan of specifying the correct thing on the command line, though, and mainly use this config for tunnels and port forwards, not for hostname-aliasing, which would work perfectly fine with this.

-Dan

--

"Don't think of it as beer, think of it as a flavored motor oil."

-Jeremiah Kristal, on Guinness
3/29/05, 9:52 AM

--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---------------------------
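The mechanism the thread is arguing about already exists on the known_hosts side: with HashKnownHosts enabled, OpenSSH writes each host field as "|1|<base64 salt>|<base64 HMAC-SHA1(salt, hostname)>", and the client verifies a host by recomputing the HMAC over the name it is about to connect to (the HostName after ssh_config rewriting, or "[host]:port" for a non-standard port) and comparing. The example below is added here and is not code from the thread or from OpenSSH; the helper names (hash_known_host, matches_hashed_entry, guess_hosts), the sample known_hosts contents, the fixed salts and the dummy key material are all constructed for illustration. The "HostnameHash" directive in Greg's example is hypothetical and is not modelled. The block shows both the check Greg describes (you can only go from a candidate name to the hash, never back) and the caveat a practitioner should keep in mind: an attacker who has the file can still run a dictionary of plausible names against it, so the hash hides the host list from casual reading but is not a secret.

```python
"""Hashed known_hosts entries in the OpenSSH HashKnownHosts format:

    |1|<base64 salt>|<base64 HMAC-SHA1(key=salt, msg=hostname)>

Added example, not code from the mailing-list thread or from OpenSSH.
"""
import base64
import hashlib
import hmac
import os

HASH_MAGIC = "|1|"   # prefix marking the hashed-host format, version 1
SALT_LEN = 20        # OpenSSH uses a 20-byte random salt (SHA-1 digest size)


def hash_known_host(hostname, salt=None):
    """Return the hashed host field for `hostname`.

    A fresh random salt is drawn unless one is supplied; pass a fixed salt
    only when you need reproducible output (tests, the sample file below)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    mac = hmac.new(salt, hostname.encode("utf-8"), hashlib.sha1).digest()
    return "%s%s|%s" % (HASH_MAGIC,
                        base64.b64encode(salt).decode("ascii"),
                        base64.b64encode(mac).decode("ascii"))


def matches_hashed_entry(host_field, hostname):
    """True if `host_field` was produced for `hostname`.

    This is the only direction the check can go: recompute the HMAC from a
    candidate name and compare.  Nothing recovers the name from the hash."""
    if not host_field.startswith(HASH_MAGIC):
        raise ValueError("not a hashed known_hosts host field: %r" % host_field)
    salt_b64, mac_b64 = host_field[len(HASH_MAGIC):].split("|", 1)
    salt = base64.b64decode(salt_b64)
    mac = base64.b64decode(mac_b64)
    expected = hmac.new(salt, hostname.encode("utf-8"), hashlib.sha1).digest()
    return hmac.compare_digest(mac, expected)


def parse_known_hosts(text):
    """Yield (host_field, keytype, key) for each entry, skipping blank lines,
    comments and @cert-authority / @revoked marker lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        yield fields[0], fields[1], fields[2]


def guess_hosts(known_hosts_text, candidates):
    """The dictionary attack someone holding the file would run: try every
    candidate name against every hashed entry.  Returns {name: keytype}."""
    found = {}
    for host_field, keytype, _key in parse_known_hosts(known_hosts_text):
        if not host_field.startswith(HASH_MAGIC):
            continue  # plain entries need no guessing, the name is in clear
        for name in candidates:
            if matches_hashed_entry(host_field, name):
                found[name] = keytype
    return found


# Constructed sample known_hosts (not a real file).  Fixed salts keep the
# hashed fields reproducible; the key material is a dummy string.
_SALT_A = b"A" * SALT_LEN
_SALT_B = b"B" * SALT_LEN
_DUMMY_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIDummyKeyMaterialForTheExampleOnly000000"
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# hashed entries as written with HashKnownHosts yes",
    "%s ssh-ed25519 %s" % (
        hash_known_host("slowpoke.secure.server.ad.company.com", _SALT_A), _DUMMY_KEY),
    "%s ssh-ed25519 %s" % (
        hash_known_host("[bastion.example.com]:2222", _SALT_B), _DUMMY_KEY),
    "plain.example.com ssh-ed25519 %s" % _DUMMY_KEY,
])


if __name__ == "__main__":
    # Short names such as "slowpoke" do not match: the client hashes the
    # name it actually connects to, so the wordlist must contain that form.
    wordlist = ["slowpoke", "slowpoke.secure.server.ad.company.com",
                "bastion.example.com", "[bastion.example.com]:2222"]
    for name, keytype in sorted(guess_hosts(SAMPLE_KNOWN_HOSTS, wordlist).items()):
        print("%-45s %s" % (name, keytype))
```

Running the block prints the two hashed hosts that the wordlist happened to contain and nothing for "slowpoke" or the port-less bastion name, which is the practical reading of the thread: hashing prevents reading the host list off the disk, but it does not stop a guess-and-check over hostnames an attacker can enumerate from DNS, shell history, or the rest of the compromised account.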


