On Mon, Jun 28, 2010 at 6:32 PM, Dan Mahoney, System Admin <danm@xxxxxxxxxxxxxxx> wrote: > Now, assume I have that file hashed, but sitting in my ~/.ssh/config file, I > have: > > # Server in guam is on overloaded DSL link > Host slowpoke > HostName slowpoke.secure.server.ad.company.com > ConnectTimeout 600 > User admin > > Well, there you go. Have fun. Even without the username, assume I have to > have other options in there like for port-forwards, or the like. > > Now, keeping information in known_hosts is automatic and mostly mandatory, > and config files like this are optional. I recognize that. > > But compare this with > > HostnameHash |1|JYh/HiqdBkaEKeg0KrS9cHncJRI=|Qc2hMsrOMpReJLyOxwmps3nnb0k= > ConnectTimeout 600 > User admin problem here is that we are not comparing fields. This field (Hostname) is read to replace the alias (Host). Hashing looses data. You don't get the original data back. So, in the config file you can implement hashing for the "Host" field, you cannot implement hashing for the "Hostname" field. Since the "Host" field is just a lookup field, the command line argument can be hashed and compared with the "Host" fields in the config file. The only way to go forward is to encrypt either the field or the complete file. Then you have to enter a passphrase every time you run "ssh" to decrypt the config file. This is in addition to entering a passphrase for your private key. -- And, did Galoka think the Ulus were too ugly to save? -Centauri