On Mon, 28 Jun 2010, Greg Wooledge wrote:
> On Sun, Jun 27, 2010 at 05:08:14PM -0400, Dan Mahoney, System Admin wrote:
>> SSH allows the option of hashing the known-hosts file in order to prevent
>> people who get access to your account being able to jump other places. Is
>> it not conceivable that they'd want the same option with their options
>> file?
> It doesn't make sense. The point of a hash (at least in this context)
> is that you cannot reverse it to get the original data back. When ssh is
> connecting to a host, it has the hostname available, because you typed
> it on the command line. It can hash the hostname, and then look up the
> hash in the known_hosts file.
What? I think you're not understanding this, then.
The point of the hash is that if someone has compromised my account (via
brute force, keyboard surfing, evil sysadmin, whatever) and whatever else
it contains (trusted keys, Kerberos credentials, etc.), they could look in
my known_hosts file and see what other hosts they could log into.
Now, assume I have that file hashed, but sitting in my ~/.ssh/config file,
I have:
    # Server in guam is on overloaded DSL link
    Host slowpoke
        HostName slowpoke.secure.server.ad.company.com
        ConnectTimeout 600
        User admin
Well, there you go. Have fun. Even without the username, assume I have to
have other options in there like for port-forwards, or the like.
Now, keeping information in known_hosts is automatic and mostly mandatory,
and config files like this are optional. I recognize that.
But compare this with
    HostnameHash |1|JYh/HiqdBkaEKeg0KrS9cHncJRI=|Qc2hMsrOMpReJLyOxwmps3nnb0k=
        ConnectTimeout 600
        User admin
(Assume that the lookup of the hash was done AFTER resolving the FQDN in
dns, like I said).
Yes, you can confirm that that host is also present in my known-hosts, but
you cannot log into it.
For the purposes of this discussion we'll assume I have shell-history
turned off.
> This doesn't apply to options. The ssh client would have to have the
> option already, so it could hash it and look for the hash in the file,
> to see whether it should have the option. As I said, it's nonsense.
Actually, you hadn't said that.
Yes, I recognize this is a corner-case, but other than saying it's
"nonsense" please tell me this would be less secure, and please feel free
to tell me there's no use-case for it.
-Dan
--
--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---------------------------
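The lookup both sides of the thread describe, as an added example that is not code from the thread or from OpenSSH: a hashed known_hosts entry has the form `|1|<base64 salt>|<base64 HMAC-SHA1(key=salt, msg=hostname)>|`, so the client can confirm a hostname it already has (typed on the command line, or read from ~/.ssh/config) but cannot recover one it does not. The hostnames, salts and the known_hosts lines below are constructed for the example; `find_hosts` is a hypothetical helper that does what Dan's attacker would do with a candidate list.

```python
"""Hashed known_hosts entries (OpenSSH HashKnownHosts format), as an added example.

Format: |1|<b64 salt>|<b64 mac>|  where mac = HMAC-SHA1(key=salt, msg=name)
and salt is 20 random bytes.  The name hashed is exactly what ssh would
otherwise write unhashed: "host" for port 22, "[host]:port" for any other port.
"""
import base64
import hashlib
import hmac
import os

HASH_MAGIC = "|1|"


def host_key_name(hostname, port=22):
    """The known_hosts name for a host: bare host on port 22, [host]:port otherwise."""
    return hostname if port == 22 else "[%s]:%d" % (hostname, port)


def hash_host(name, salt=None):
    """Produce a hashed known_hosts name; salt defaults to 20 random bytes like ssh."""
    if salt is None:
        salt = os.urandom(hashlib.sha1().digest_size)
    mac = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "%s%s|%s" % (HASH_MAGIC,
                        base64.b64encode(salt).decode(),
                        base64.b64encode(mac).decode())


def entry_matches(hashed_name, name):
    """True if the hashed field was made from `name`.  This is the only
    operation the format supports: you must already know the candidate name."""
    if not hashed_name.startswith(HASH_MAGIC):
        return False
    try:
        _, _, salt_b64, mac_b64 = hashed_name.split("|", 3)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(mac_b64)
    except ValueError:
        return False
    actual = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(actual, expected)


def find_hosts(known_hosts_lines, candidates):
    """What an attacker with a candidate list (e.g. HostName lines from
    ~/.ssh/config) can do against a hashed file: confirm which candidates are
    present.  Returns (candidate, line) pairs; candidates that never appear
    stay unknown, and nothing is learned about entries no candidate matches."""
    hits = []
    for line in known_hosts_lines:
        fields = line.split()
        if not fields or line.startswith("#"):
            continue
        for name in candidates:
            if entry_matches(fields[0], name):
                hits.append((name, line))
    return hits


# Constructed sample file: fixed salts so the entries are reproducible.
SAMPLE_KNOWN_HOSTS = [
    hash_host("slowpoke.secure.server.ad.company.com", bytes(range(20)))
    + " ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyDataForTheExample1",
    hash_host(host_key_name("bastion.example", 2222), bytes(range(20, 40)))
    + " ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyDataForTheExample2",
]


if __name__ == "__main__":
    # Without a candidate list the attacker sees only opaque hashes.
    for line in SAMPLE_KNOWN_HOSTS:
        print(line.split()[0])
    # With the HostName from the config snippet in the thread, one entry is confirmed.
    for name, _ in find_hosts(SAMPLE_KNOWN_HOSTS,
                              ["slowpoke.secure.server.ad.company.com", "other.example"]):
        print("present:", name)
```

This is also why hashing config options cannot work the same way: `entry_matches` needs the plaintext name as its input, and ssh has no plaintext to feed it for an option it has not read yet.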