On 5/20/08, Thomas Bächler <thomas@archlinux.org> wrote:
Aaron Griffin schrieb:
On Tue, May 20, 2008 at 2:05 PM, David Rosenstrauch <darose@darose.net> wrote:
Problem is, though, since Arch recently turned on HashKnownHosts by default in ssh_config, those 2 lines in the known_hosts file are encrypted, and so I don't know which host machines that I've been ssh'ing into are affected by the problem.
I think the whole point is that they *are* one way hashes. The only think I can think of is to find the algorithm they use (sha1?) and hash the hostnames that you know, then compare.
I didn't find out about this change until much later - and it pissed me off. For no apparent reason, we changed the default configuration of openssh at one point and now I have an obfuscated known_hosts file. I don't see any security impact in having the hosts unhashed.
Just because you can't see it doesn't mean it doesn't exist. unhashed known_hosts *is* more unsecure. If someone gets access to your account, they would get a) your key b) a list of hosts that the key is valid for hey! great! Compund this with the fact that many people use keys without a passphrase (a bad practice), someone can 'harvest' known_host data, and worm out to other hosts.. here is the kicker ... in a way that is easily automated. http://www.google.com/search?q=known_hosts+harvesting