Re: Format of host keys in ~/.ssh/known_hosts



On 2010-02-07, Ignoramus3837 <ignoramus3837@xxxxxxxxxxxxxxxxxxx> wrote:
> On 2010-02-07, unruh <unruh@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
>> On 2010-02-07, Russell Hoover <rj@xxxxxxxxx> wrote:
>>> On Sun, 07 Feb 2010 05:57:34 GMT, unruh <unruh@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
>>>> On 2010-02-07, unruh <unruh@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
>>>>> SSH_KNOWN_HOSTS FILE FORMAT
>>>>> That is a hashed host name, there so that if that file is compromised
>>>>> the person does not know which host it refers to.
>>>>
>>>> HashKnownHosts yes
>>>> in /etc/ssh/ssh_config
>>>> which tells it to hash the hostname. Remove that and get human readable
>>>> hostnames.
>>>
>>> I'm all for these things being there for the paranoid, but having it as the
>>> default in /etc/ssh/ssh_config doesn't quite make sense to me. I want to
>>> be able to look at my own known_hosts file and know what's there so it
>>> doesn't become a big unwieldy mess.
>>
>> It is your distribution which, I believe, made it the default. Certainly
>> the stock ssh default has been to have this as no. What distro are you using?
>
> Hashing ssh keys is DEFINITELY the way to go, despite the
> inconveniences.
>
> Otherwise it would be possible to write an "ssh virus". If it
> compromises an account, it would look at authorized keys, guess what
> other accounts to try compromising with the keys from a given host,
> and keep going.

Yes, we got hit by precisely such an attack (on root moreover -- don't
ask how, except that the "advice" that authorized_keys logins are safer
than password logins for root is misplaced under this attack.)

> I did a write up about an SSH virus a couple years ago.
>
> So, yes, it is a hassle, but nothing else is acceptable.

Sure it is. Note that if it is a root attack, then all games are up
anyway. All the key files are open now.
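As an added example that is not code from this thread or from OpenSSH, the following Python script parses both host-field forms found in ~/.ssh/known_hosts (plain comma-separated names and the hashed form HashKnownHosts produces) and shows what the option hides. It assumes the OpenSSH hashed-entry layout `|1|<base64 20-byte salt>|<base64 HMAC-SHA1(salt, hostname)>`, which `ssh-keygen -H` writes and `ssh-keygen -F` looks up; the sample file, hostnames and key material are constructed placeholders.

```python
# Added example for this thread, not code from the posts or from OpenSSH.
# It parses the two host-field forms found in ~/.ssh/known_hosts and shows
# what "HashKnownHosts yes" hides. Assumed format (not quoted in the thread):
# hashed entries are |1|<base64 20-byte salt>|<base64 HMAC-SHA1(salt, name)>,
# which is what `ssh-keygen -H` writes and `ssh-keygen -F` looks up.
# All sample lines and key material below are constructed placeholders.
import base64
import hashlib
import hmac
import os
from typing import Callable, List, NamedTuple

HASH_MAGIC = "|1|"
SALT_LEN = 20
PLACEHOLDER_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACE"  # constructed


class KnownHost(NamedTuple):
    hostfield: str   # "host1,host2" or "|1|salt|hash"
    keytype: str
    key: str


def parse_known_hosts(text: str) -> List[KnownHost]:
    """Split known_hosts lines into (hostfield, keytype, key); skip blanks, comments
    and a leading @cert-authority/@revoked marker. Trailing comments are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0].startswith("@"):
            fields = fields[1:]
        if len(fields) >= 3:
            entries.append(KnownHost(fields[0], fields[1], fields[2]))
    return entries


def is_hashed(hostfield: str) -> bool:
    return hostfield.startswith(HASH_MAGIC)


def hash_hostname(hostname: str, salt: bytes) -> str:
    """Build the hashed host field for one name. Pass the name exactly as ssh
    would store it, e.g. "[host]:2222" for a non-default port."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "%s%s|%s" % (HASH_MAGIC, base64.b64encode(salt).decode(),
                        base64.b64encode(digest).decode())


def host_matches(hostfield: str, hostname: str) -> bool:
    """True if this entry covers hostname, for plain or hashed fields.
    A hashed field can only be checked against a candidate name; it cannot be
    reversed, which is the point of the option being discussed."""
    if not is_hashed(hostfield):
        return hostname in hostfield.split(",")
    parts = hostfield.split("|")          # ['', '1', salt_b64, digest_b64]
    if len(parts) != 4:
        return False
    try:
        salt = base64.b64decode(parts[2])
        expected = base64.b64decode(parts[3])
    except ValueError:                    # binascii.Error is a ValueError
        return False
    actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(actual, expected)


def visible_hostnames(text: str) -> List[str]:
    """Names anyone who can read the file learns directly: only plain entries."""
    names = []
    for entry in parse_known_hosts(text):
        if not is_hashed(entry.hostfield):
            names.extend(entry.hostfield.split(","))
    return names


def hash_entries(text: str, salt_source: Callable[[int], bytes] = os.urandom) -> str:
    """Rewrite plain entries as hashed ones, one line per name with a fresh salt
    (the transformation `ssh-keygen -H` performs). Already-hashed lines pass through."""
    out = []
    for entry in parse_known_hosts(text):
        if is_hashed(entry.hostfield):
            out.append(" ".join(entry))
            continue
        for name in entry.hostfield.split(","):
            field = hash_hostname(name, salt_source(SALT_LEN))
            out.append(" ".join((field, entry.keytype, entry.key)))
    return "\n".join(out) + "\n"


# Constructed sample file: one plain entry with two names, one hashed entry.
SAMPLE_KNOWN_HOSTS = (
    "# constructed sample; key material is a placeholder\n"
    "server1.example.org,10.0.0.5 ssh-ed25519 " + PLACEHOLDER_KEY + "\n"
    + hash_hostname("gateway.example.net", bytes(SALT_LEN)) + " ssh-ed25519 " + PLACEHOLDER_KEY + "\n"
)

if __name__ == "__main__":
    print("plain names visible before hashing:", visible_hostnames(SAMPLE_KNOWN_HOSTS))
    hashed = hash_entries(SAMPLE_KNOWN_HOSTS)
    print("plain names visible after hashing:", visible_hostnames(hashed))
    for entry in parse_known_hosts(hashed):
        print(entry.hostfield[:24] + "...", "covers 10.0.0.5:",
              host_matches(entry.hostfield, "10.0.0.5"))
```

Running it shows the trade-off the thread is arguing about: after `hash_entries`, `visible_hostnames` returns nothing, so the file no longer lists which hosts you connect to, yet `host_matches` still answers yes for a name you already know, which is exactly why hashing hides the inventory but does not stop a lookup by name, and why the key files themselves matter more once root is lost.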
