On Tue, May 20, 2008 at 8:46 PM, eliott <eliott@xxxxxxxxxxxxx> wrote:
> On 5/20/08, Thomas Bächler <thomas@xxxxxxxxxxxxx> wrote:
>> Aaron Griffin wrote:
>>
>> > On Tue, May 20, 2008 at 2:05 PM, David Rosenstrauch <darose@xxxxxxxxxx> wrote:
>> >
>> > > Problem is, though, since Arch recently turned on HashKnownHosts by default
>> > > in ssh_config, those 2 lines in the known_hosts file are encrypted, and so I
>> > > don't know which host machines that I've been ssh'ing into are affected by
>> > > the problem.
>> > >
>> > I think the whole point is that they *are* one way hashes. The only
>> > thing I can think of is to find the algorithm they use (sha1?) and
>> > hash the hostnames that you know, then compare.
>> >
>>
>> I didn't find out about this change until much later - and it pissed me
>> off. For no apparent reason, we changed the default configuration of openssh
>> at one point and now I have an obfuscated known_hosts file. I don't see any
>> security impact in having the hosts unhashed.

For the record, this change is almost exactly a year old:
http://repos.archlinux.org/viewvc.cgi/core/support/openssh/PKGBUILD?root=core&r1=1.56&r2=1.57

I actually think it is a pretty good idea. We could have probably made it
more visible, but at the same time, don't we always gripe at users for not
checking their config files?

> Just because you can't see it doesn't mean it doesn't exist.
> unhashed known_hosts *is* more insecure.
>
> If someone gets access to your account, they would get
> a) your key
> b) a list of hosts that the key is valid for
>
> hey! great!
>
> Compound this with the fact that many people use keys without a
> passphrase (a bad practice), someone can 'harvest' known_host data,
> and worm out to other hosts.. here is the kicker ... in a way that is
> easily automated.
>
> http://www.google.com/search?q=known_hosts+harvesting

I agree. The implications of knowing a list of hosts that a user has access to are HUGE.
Gaining access to a user account suddenly becomes much more dangerous
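An added illustration of the mechanism the thread is arguing about (my own example, not code from the thread or from OpenSSH): a HashKnownHosts entry stores HMAC-SHA1 of the hostname keyed with a random per-line salt, so the file can be audited against hosts you already know, as `ssh-keygen -F host` does, but tells someone who merely obtains the file nothing without a candidate list. The hostnames, fixed salt and key blob below are constructed placeholders.

```python
import base64
import hashlib
import hmac

# Hashed host field: "|1|<base64 salt>|<base64 HMAC-SHA1(key=salt, msg=hostname)>".
# The salt is random per line, so the same host hashes differently in every file.
def hash_hostname(hostname: str, salt: bytes) -> str:
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(digest).decode())

def field_matches(host_field: str, hostname: str) -> bool:
    """True if the known_hosts host field (hashed or plain) names hostname."""
    if not host_field.startswith("|1|"):
        return hostname in host_field.split(",")   # plain, comma-separated names
    parts = host_field.split("|")
    if len(parts) != 4:
        return False
    salt, expected = base64.b64decode(parts[2]), base64.b64decode(parts[3])
    actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(actual, expected)

def audit_known_hosts(known_hosts: str, my_hosts) -> dict:
    """Map line number -> the candidate hostname that line covers, or None.
    None means the hash hid the host from us: without a candidate list the
    file reveals nothing, which is the point of HashKnownHosts."""
    result = {}
    for lineno, line in enumerate(known_hosts.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        host_field = line.split(None, 1)[0]
        result[lineno] = next((h for h in my_hosts if field_matches(host_field, h)), None)
    return result

# Constructed sample file: a fixed salt for reproducibility (ssh uses a random
# one) and a placeholder instead of a real public key blob.
SALT = bytes(range(20))
KEY = "ssh-rsa AAAAB3NzPLACEHOLDER"
SAMPLE_KNOWN_HOSTS = "\n".join([
    hash_hostname("build.example.org", SALT) + " " + KEY,
    hash_hostname("[git.example.org]:2222", SALT) + " " + KEY,  # non-default port form
    "legacy.example.org,192.0.2.10 " + KEY,                    # unhashed line
    hash_hostname("forgotten.example.org", SALT) + " " + KEY,  # not on our list
])
MY_HOSTS = ["build.example.org", "[git.example.org]:2222", "legacy.example.org"]

if __name__ == "__main__":
    for n, host in audit_known_hosts(SAMPLE_KNOWN_HOSTS, MY_HOSTS).items():
        print("line %d: %s" % (n, host or "no candidate matched"))
```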