Re: Format of host keys in ~/.ssh/known_hosts

Ignoramus3837 <ignoramus3837@xxxxxxxxxxxxxxxxxxx> writes:
unruh <unruh@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
Russell Hoover <rj@xxxxxxxxx> wrote:
unruh <unruh@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
unruh <unruh@xxxxxxxxxxxxxxxxxxxxxxx> wrote:


That is a hashed host name, there so that if that file is
compromised the person does not know which host it refers to.


I'm all for these things being there for the paranoid, but having
it as the default in /etc/ssh/ssh_config doesn't quite make sense
to me. I want to be able to look at my own known_hosts file and
know what's there so it doesn't become a big unwieldy mess.


Hashing ssh keys is DEFINITELY the way to go, despite the

Otherwise it would be possible to write an "ssh virus". If it
compromises an account, it would look at authorized keys,

I wonder, how does authorized_keys relate to known_hosts, anyway?
(And how does the latter relate to id_dsa or id_rsa, especially
password-less ones?)

The only thing that ‘HashKnownHosts yes’ prevents is the
“enumeration” of “related” hosts. But that's also possible if
one uses per-host configuration in his or her ~/.ssh/config.
Also, it seems that the software searching for “interesting”
hosts could easily be reading Web instead, or check DNS, or
LDAP, or, why not, iterate over all the LAN IPv4 space.

Therefore, HashKnownHosts seems like a cure for the wrong
illness to me.

guess what other accounts to try compromising with the keys from a
given host, and keep going.

I did a write up about an SSH virus a couple years ago.

So, yes, it is a hassle, but nothing else is acceptable.

FSF associate member #7257
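The thread argues over what `HashKnownHosts yes` does and does not hide. The following is an added example, not code from any participant in the thread or from OpenSSH itself. It implements the hashed host-field format (`|1|<base64 salt>|<base64 HMAC-SHA1(salt, hostname)>`) and a lookup equivalent to `ssh-keygen -F`, then shows the point made above: a hashed entry can only confirm a hostname you already guess, while a plain entry names the host outright. The sample known_hosts content, the host names and the key blob are constructed placeholders, not real keys.

```python
"""Hashed entries in ~/.ssh/known_hosts (HashKnownHosts yes).

Hashed host field:  |1|<base64 salt>|<base64 HMAC-SHA1(salt, hostname)>
The hostname cannot be recovered from it; a client can only test a candidate
hostname by recomputing the HMAC with the stored salt (what `ssh-keygen -F` does).
Added example, not OpenSSH code.
"""
import base64
import fnmatch
import hashlib
import hmac
import os
from typing import Optional

HASH_MAGIC = "|1|"  # version 1 of the hashed-hostname format


def hash_hostname(hostname: str, salt: Optional[bytes] = None) -> str:
    """Return the hashed host field for `hostname`, as `ssh-keygen -H` writes it."""
    if salt is None:
        salt = os.urandom(20)  # OpenSSH uses a 20-byte random salt per entry
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return HASH_MAGIC + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()


def host_field_matches(host_field: str, hostname: str) -> bool:
    """True if a known_hosts host field (plain or hashed) refers to `hostname`."""
    if host_field.startswith(HASH_MAGIC):
        parts = host_field.split("|")  # ['', '1', salt_b64, mac_b64]
        if len(parts) != 4:
            return False  # malformed hashed field
        salt = base64.b64decode(parts[2])
        expected = base64.b64decode(parts[3])
        actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    # Plain field: comma-separated names/patterns; a matching '!' pattern vetoes the entry.
    matched = False
    for pattern in host_field.split(","):
        if pattern.startswith("!"):
            if fnmatch.fnmatchcase(hostname, pattern[1:]):
                return False
        elif fnmatch.fnmatchcase(hostname, pattern):
            matched = True
    return matched


def parse_line(line: str):
    """Split one known_hosts line into (marker, host_field, keytype, key); None for blanks/comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split(None, 3)
    marker = None
    if parts[0].startswith("@"):  # @cert-authority / @revoked markers
        marker = parts.pop(0)
    if len(parts) < 3:
        return None  # malformed line
    return marker, parts[0], parts[1], parts[2].split()[0]


def lookup(known_hosts_text: str, hostname: str):
    """Return [(keytype, key)] for every entry naming `hostname` (like `ssh-keygen -F`)."""
    hits = []
    for line in known_hosts_text.splitlines():
        parsed = parse_line(line)
        if parsed and host_field_matches(parsed[1], hostname):
            hits.append((parsed[2], parsed[3]))
    return hits


def readable_hostnames(known_hosts_text: str):
    """Hostnames anyone reading the file learns directly: only plain entries contribute.
    Hashed entries reveal nothing on their own; they can only confirm a guessed name."""
    names = set()
    for line in known_hosts_text.splitlines():
        parsed = parse_line(line)
        if parsed and not parsed[1].startswith(HASH_MAGIC):
            names.update(p.lstrip("!") for p in parsed[1].split(","))
    return sorted(names)


# Constructed sample file. FAKE_KEY is a placeholder blob, not a real public key;
# a fixed salt keeps the sample reproducible (real entries use a random salt).
FAKE_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER"
FIXED_SALT = bytes(range(20))
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# plain entry, as written with HashKnownHosts no",
    "bastion.example.net,10.0.0.5 ssh-ed25519 " + FAKE_KEY,
    "# the same host after ssh-keygen -H",
    hash_hostname("bastion.example.net", FIXED_SALT) + " ssh-ed25519 " + FAKE_KEY,
    "# a hashed entry for a host the reader does not already know",
    hash_hostname("db.internal.example", FIXED_SALT[::-1]) + " ssh-rsa " + FAKE_KEY,
])

if __name__ == "__main__":
    print("names readable from the file:", readable_hostnames(SAMPLE_KNOWN_HOSTS))
    for candidate in ("bastion.example.net", "db.internal.example", "nope.example"):
        print(candidate, "->", len(lookup(SAMPLE_KNOWN_HOSTS, candidate)), "matching entries")
```

Running it shows that `readable_hostnames` only recovers the plain entry's names, while `lookup` confirms `db.internal.example` only because the caller supplied that exact name; this is the "only prevents enumeration" property discussed in the thread, and also why per-host stanzas in `~/.ssh/config` undo the benefit.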