21 May 2008, 1:47 a.m.
Thomas Bächler wrote:
I didn't find out about this change until much later - and it pissed me off. For no apparent reason, we changed the default configuration of openssh at one point and now I have an obfuscated known_hosts file.
I agree - it would have been better for there to have been a bit more noise made about this change. If it was reported anywhere I must have missed it.
I don't see any security impact in having the hosts unhashed.
Apparently there was a paper published by MIT researchers a couple of years back that described how an attacker could use the SSH known_hosts file to propagate a worm: http://lwn.net/Articles/135506/ In theory it makes sense, but I'm wondering how feasible a threat it is in practice.
DR