Re: Format of host keys in ~/.ssh/known_hosts



Ignoramus3837 <ignoramus3837@xxxxxxxxxxxxxxxxxxx> writes:
unruh <unruh@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
Russell Hoover <rj@xxxxxxxxx> wrote:
unruh <unruh@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
unruh <unruh@xxxxxxxxxxxxxxxxxxxxxxx> wrote:

SSH_KNOWN_HOSTS FILE FORMAT

That is a hashed host name, there so that if that file is
compromised the person does not know which host it refers to.

[...]

I'm all for these things being there for the paranoid, but having
it as the default in /etc/ssh/ssh_config doesn't quite make sense
to me. I want to be able to look at my own known_hosts file and
know what's there so it doesn't become a big unwieldy mess.

[...]

Hashing ssh keys is DEFINITELY the way to go, despite the
inconveniences.

Otherwise it would be possible to write an "ssh virus". If it
compromises an account, it would look at authorized keys,

I wonder how authorized_keys relates to known_hosts, anyway?
(And how does the latter relate to id_dsa or id_rsa, especially
password-less ones?)

The only thing that ‘HashKnownHosts yes’ prevents is the
“enumeration” of “related” hosts. But that's also possible if
one uses per-host configuration in his or her ~/.ssh/config.
Also, it seems that the software searching for “interesting”
hosts could easily be reading the Web instead, or checking DNS, or
LDAP, or, why not, iterating over all the LAN IPv4 space.

Therefore, HashKnownHosts seems like a cure for the wrong
illness to me.

guess what other accounts to try compromising with the keys from a
given host, and keep going.

I did a write up about an SSH virus a couple years ago.

So, yes, it is a hassle, but nothing else is acceptable.

--
FSF associate member #7257
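The thread's disagreement is about exactly what a hashed known_hosts entry hides. The following script is an added example for this page (not code from any poster, and not OpenSSH's own code): it parses a constructed known_hosts sample, separates plaintext entries from `|1|salt|hash` entries, and confirms a candidate host name against a hashed entry the way `ssh-keygen -F` does, by recomputing HMAC-SHA1 with the stored salt. The host names and key strings in the sample are placeholders made up for the example; wildcard and negated patterns are deliberately left out of the matcher.

```python
"""Parse known_hosts entries and show what HashKnownHosts does and does not hide.

Added example for this thread, not OpenSSH code.  A hashed entry looks like
    |1|<base64 salt>|<base64 HMAC-SHA1(key=salt, msg=hostname)> <keytype> <key>
The salt is random per entry, so the same host hashes differently in every file;
recovering the name means guessing it and recomputing the HMAC, which is what
the hashing is meant to slow down.  Wildcards (*, ?) and negation (!) in
plaintext host patterns are not handled here, to keep the matcher short.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import os
from dataclasses import dataclass

HASH_MAGIC = "|1|"
SALT_LEN = 20  # OpenSSH writes a 20-byte random salt per hashed entry


@dataclass
class Entry:
    hosts: str    # comma-separated names/addresses, or one |1|salt|hash token
    keytype: str  # e.g. ssh-ed25519
    key: str      # base64 public key

    @property
    def hashed(self) -> bool:
        return self.hosts.startswith(HASH_MAGIC)


def hash_hostname(hostname: str, salt: bytes | None = None) -> str:
    """Build the |1|salt|hash token for hostname (lowercased, as ssh records names)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hmac.new(salt, hostname.lower().encode(), hashlib.sha1).digest()
    return (HASH_MAGIC + base64.b64encode(salt).decode()
            + "|" + base64.b64encode(digest).decode())


def parse_known_hosts(text: str) -> list[Entry]:
    """Return one Entry per key line; comments, blanks and malformed lines are skipped."""
    entries: list[Entry] = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):  # @cert-authority / @revoked marker
            fields = fields[1:]
        if len(fields) < 3:
            continue
        entries.append(Entry(fields[0], fields[1], fields[2]))
    return entries


def host_matches(hostname: str, entry: Entry) -> bool:
    """True if entry covers hostname; hashed entries are checked by recomputing the HMAC."""
    hostname = hostname.lower()
    if entry.hashed:
        try:
            _, _, salt_b64, digest_b64 = entry.hosts.split("|")
            salt = base64.b64decode(salt_b64)
            stored = base64.b64decode(digest_b64)
        except ValueError:  # malformed token (binascii.Error is a ValueError)
            return False
        computed = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(computed, stored)
    return hostname in (h.lower() for h in entry.hosts.split(","))


def find_host(hostname: str, entries: list[Entry]) -> list[Entry]:
    """Equivalent of `ssh-keygen -F hostname` over already-parsed entries."""
    return [e for e in entries if host_matches(hostname, e)]


def hostnames_readable(entries: list[Entry]) -> list[str]:
    """Names anyone who can read the file learns without guessing: plaintext entries only."""
    names: list[str] = []
    for e in entries:
        if not e.hashed:
            names.extend(e.hosts.split(","))
    return names


# Constructed sample file.  Key strings are placeholders, not real keys, and the
# salt is fixed only so that the example output is reproducible.
FIXED_SALT = bytes(range(SALT_LEN))
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# plaintext entry: the host names are visible to whoever reads the file",
    "gitserver.example.com,192.0.2.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEY1",
    "# hashed entry: the name is confirmable only by guessing it and recomputing the HMAC",
    hash_hostname("bastion.example.com", FIXED_SALT)
    + " ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEY2",
])


def demo() -> dict:
    entries = parse_known_hosts(SAMPLE_KNOWN_HOSTS)
    return {
        "plaintext_names": hostnames_readable(entries),
        "bastion_found": len(find_host("bastion.example.com", entries)),
        "other_found": len(find_host("other.example.com", entries)),
        "by_ip": len(find_host("192.0.2.10", entries)),
    }


if __name__ == "__main__":
    print(demo())
```

Running it shows the two halves of the argument in the thread: the plaintext line gives away both the name and the address outright, while the hashed line yields nothing to a reader who has no candidate name, yet confirms `bastion.example.com` immediately once that name is supplied. Per-host blocks in `~/.ssh/config`, as the post above notes, are not hashed at all.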