Re: bash remote host completion gone




On Wed, Jun 17, 2009 at 3:03 PM, prad<prad@xxxxxxxxxxxxxxxxxx> wrote:
> On Wed, 17 Jun 2009 00:12:02 -0500
> Aaron Griffin <aaronmgriffin@xxxxxxxxx> wrote:
>
>> Knowing your known_hosts, if someone hacks one account they, in
>> essence, hack all of them - assuming you have ssh keys set up (or use
>> the same password everywhere), they now have a list of where your key
>> works
>>
> ok i see the idea. so it all boils down to being able to crack one
> account first though. the known_hosts just tells you what the others
> locations are.
>
> however, having access to the known_hosts doesn't make it possible to
> crack anything right, because the actual key is stored elsewhere.

Well, if your private key is on the account they just hacked, then
they have access to all machines you do. If your private key is on your
local machine and you use ssh-agent, then that's not the case - unless
of course they hack your local machine. Then the same issue applies.

> i just looked at the known_hosts file (not encrypted) and saw that each
> entry has a ssh-rsa portion to it. that has no relation to the rsa keys
> i generate with ssh-keygen, so what purpose does it serve? there is no
> manpage for known_hosts, so is there some doc that can explain the
> structure of this file?

That's the server key. If it changes, ssh will yell loudly, saying
that "hey this isn't the same server you connected to before,
something seems fishy!". All ssh servers have their own keys.
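
On the question of the file's structure (OpenSSH documents it in sshd(8) under "SSH_KNOWN_HOSTS FILE FORMAT"), here is an added example, not part of the original message, that parses known_hosts lines and reports which host names the file reveals to anyone who can read it. It goes beyond the message by also covering hashed entries (the `HashKnownHosts` option) and marker lines; the host names and key blob are constructed placeholders.

```python
import base64
import hashlib
import hmac

def hash_host(host, salt):
    """Hashed host field: |1|b64(salt)|b64(HMAC-SHA1(key=salt, msg=host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def hashed_field_matches(field, host):
    """True if a hashed host field was derived from this host name."""
    _, _, b64salt, b64mac = field.split("|")
    mac = hmac.new(base64.b64decode(b64salt), host.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(mac, base64.b64decode(b64mac))

def parse_line(line):
    """Split one known_hosts line into fields; None for blanks, comments, short lines."""
    parts = line.split()
    if not parts or parts[0].startswith("#"):
        return None
    # Optional leading marker: @cert-authority or @revoked.
    marker = parts.pop(0) if parts[0].startswith("@") else None
    if len(parts) < 3:
        return None
    hosts, keytype, blob = parts[0], parts[1], base64.b64decode(parts[2])
    hashed = hosts.startswith("|1|")
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"marker": marker, "hashed": hashed, "keytype": keytype,
            "hosts": [hosts] if hashed else hosts.split(","),
            "fingerprint": "SHA256:" + digest}  # server (host) key fingerprint

def exposed_hosts(text):
    """Host names anyone who can read the file learns (unhashed entries)."""
    names = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry and not entry["hashed"]:
            names.extend(entry["hosts"])
    return names

# Constructed sample: made-up hosts; the key blob is placeholder bytes, not a real key.
_KEY = base64.b64encode(b"constructed-placeholder-key").decode()
SAMPLE = "\n".join([
    "# constructed known_hosts sample",
    "build.example.org,192.0.2.10 ssh-rsa " + _KEY,
    hash_host("db.example.org", b"\x01" * 20) + " ssh-rsa " + _KEY,
    "@cert-authority *.example.org ssh-ed25519 " + _KEY + " example-ca",
])

if __name__ == "__main__":
    print(exposed_hosts(SAMPLE))
```

A hashed entry still lets ssh (or `ssh-keygen -F hostname`) check a name you already know, but the name cannot be read back out of the file, which is also why shell completion has nothing to list.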

