[arch-general] Any way to decrypt hashes set by ssh HashKnownHosts?
Just on a whim, I decided to try out the Debian tool to scan for weak keys resulting from the recent openssl security hole. And lo and behold, it found 2 weak keys in my known_hosts file! Problem is, though, since Arch recently turned on HashKnownHosts by default in ssh_config, those 2 lines in the known_hosts file are encrypted, and so I don't know which host machines that I've been ssh'ing into are affected by the problem. Anyone know if there's any way to decrypt the hashes created by the HashKnownHosts setting? TIA, DR
On Tue, May 20, 2008 at 2:05 PM, David Rosenstrauch <darose@darose.net> wrote:
Just on a whim, I decided to try out the Debian tool to scan for weak keys resulting from the recent openssl security hole. And lo and behold, it found 2 weak keys in my known_hosts file!
Problem is, though, since Arch recently turned on HashKnownHosts by default in ssh_config, those 2 lines in the known_hosts file are encrypted, and so I don't know which host machines that I've been ssh'ing into are affected by the problem.
Anyone know if there's any way to decrypt the hashes created by the HashKnownHosts setting?
I think the whole point is that they *are* one way hashes. The only think I can think of is to find the algorithm they use (sha1?) and hash the hostnames that you know, then compare. Alternatively, just remove those two and if you get the "(yes/no)" prompt you know that's the host 8)
Aaron Griffin wrote:
Anyone know if there's any way to decrypt the hashes created by the HashKnownHosts setting?
I think the whole point is that they *are* one way hashes. The only think I can think of is to find the algorithm they use (sha1?) and hash the hostnames that you know, then compare.
Alternatively, just remove those two and if you get the "(yes/no)" prompt you know that's the host 8)
That's kinda what I thought. Although, one of the hostname strings had an "=" at the end, so I was wondering if it might just have been something base64-oriented. Unfortunately I have no idea what machines they are. They're not machines that I use often (e.g., my home server, or my hosting isp), and since they're at the bottom of the known_hosts file (and have been hashed, which I think is a fairly recent setting change for Arch's openssh package) I assume they've been added recently. So I'm guessing they're machines here on our work network, and I'd like to know which ones. I can't think of any new machines I've SSH'ed into lately, though. Ah well. I deleted them from the known_hosts, and turned HashKnownHosts off for now, and I guess I'll just pay close attention the next time SSH asks me about a new host. Thanks, DR
Aaron Griffin schrieb:
Problem is, though, since Arch recently turned on HashKnownHosts by default in ssh_config, those 2 lines in the known_hosts file are encrypted, and so I don't know which host machines that I've been ssh'ing into are affected by the problem. I think the whole point is that they *are* one way hashes. The only
On Tue, May 20, 2008 at 2:05 PM, David Rosenstrauch <darose@darose.net> wrote: think I can think of is to find the algorithm they use (sha1?) and hash the hostnames that you know, then compare.
I didn't find out about this change until much later - and it pissed me off. For no apparent reason, we changed the default configuration of openssh at one point and now I have an obfuscated known_hosts file. I don't see any security impact in having the hosts unhashed.
On 5/20/08, Thomas Bächler <thomas@archlinux.org> wrote:
Aaron Griffin schrieb:
On Tue, May 20, 2008 at 2:05 PM, David Rosenstrauch <darose@darose.net> wrote:
Problem is, though, since Arch recently turned on HashKnownHosts by default in ssh_config, those 2 lines in the known_hosts file are encrypted, and so I don't know which host machines that I've been ssh'ing into are affected by the problem.
I think the whole point is that they *are* one way hashes. The only think I can think of is to find the algorithm they use (sha1?) and hash the hostnames that you know, then compare.
I didn't find out about this change until much later - and it pissed me off. For no apparent reason, we changed the default configuration of openssh at one point and now I have an obfuscated known_hosts file. I don't see any security impact in having the hosts unhashed.
Just because you can't see it doesn't mean it doesn't exist. unhashed known_hosts *is* more unsecure. If someone gets access to your account, they would get a) your key b) a list of hosts that the key is valid for hey! great! Compund this with the fact that many people use keys without a passphrase (a bad practice), someone can 'harvest' known_host data, and worm out to other hosts.. here is the kicker ... in a way that is easily automated. http://www.google.com/search?q=known_hosts+harvesting
On Tue, May 20, 2008 at 8:46 PM, eliott <eliott@cactuswax.net> wrote:
On 5/20/08, Thomas Bächler <thomas@archlinux.org> wrote:
Aaron Griffin schrieb:
On Tue, May 20, 2008 at 2:05 PM, David Rosenstrauch <darose@darose.net> wrote:
Problem is, though, since Arch recently turned on HashKnownHosts by default in ssh_config, those 2 lines in the known_hosts file are encrypted, and so I don't know which host machines that I've been ssh'ing into are affected by the problem.
I think the whole point is that they *are* one way hashes. The only think I can think of is to find the algorithm they use (sha1?) and hash the hostnames that you know, then compare.
I didn't find out about this change until much later - and it pissed me off. For no apparent reason, we changed the default configuration of openssh at one point and now I have an obfuscated known_hosts file. I don't see any security impact in having the hosts unhashed.
For the record, this change is almost exactly a year old: http://repos.archlinux.org/viewvc.cgi/core/support/openssh/PKGBUILD?root=core&r1=1.56&r2=1.57 I actually think it is a pretty good idea. We could have probably made it more visible, but at the same time, don't we always gripe at users for not checking their config files?
Just because you can't see it doesn't mean it doesn't exist. unhashed known_hosts *is* more unsecure.
If someone gets access to your account, they would get a) your key b) a list of hosts that the key is valid for
hey! great!
Compund this with the fact that many people use keys without a passphrase (a bad practice), someone can 'harvest' known_host data, and worm out to other hosts.. here is the kicker ... in a way that is easily automated.
I agree. The implications of knowing a list of hosts that a user has access to is HUGE. Gaining access to a user account suddenly becomes much more dangerous
Hi, Was this change forwarded to the OpenSSH developers? I am sure that if it is indeed better security-wise to hash the known_hosts file, they would change the default configuration upstream. I'm also sure that they would give very good reasons for not wanting to do so. Thanks, Dimitris
On Wed, May 21, 2008 at 4:50 PM, Dimitrios Apostolou <jimis@gmx.net> wrote:
Hi,
Was this change forwarded to the OpenSSH developers? I am sure that if it is indeed better security-wise to hash the known_hosts file, they would change the default configuration upstream. I'm also sure that they would give very good reasons for not wanting to do so.
So I just went googling about this stuff. I saw this option got enabled years ago on Debian, and after that a few users complained about that change, but without any real reasons. (so a bit like what is happening here now :)) Anyway, there was a huge thread on debian mailing list, I finally found one mail which partially answers your question : http://lists.debian.org/debian-devel/2005/07/msg00041.html
On Wed, 2008-05-21 at 17:44 +0200, Xavier wrote:
On Wed, May 21, 2008 at 4:50 PM, Dimitrios Apostolou <jimis@gmx.net> wrote:
Hi,
Was this change forwarded to the OpenSSH developers? I am sure that if it is indeed better security-wise to hash the known_hosts file, they would change the default configuration upstream. I'm also sure that they would give very good reasons for not wanting to do so.
So I just went googling about this stuff. I saw this option got enabled years ago on Debian, and after that a few users complained about that change, but without any real reasons. (so a bit like what is happening here now :)) Anyway, there was a huge thread on debian mailing list, I finally found one mail which partially answers your question : http://lists.debian.org/debian-devel/2005/07/msg00041.html
Thanks but I had read that before posting, as I had also been reading the openssh source code to understand how known_hosts matching is being performed. I have also read the same answer in 2005 on the openssh-dev ML, "it will probably be the default really soon". Still it is 2008 and it is not the default, that's why I asked what I asked. Why isn't it the default in OpenSSH? I have some fears that it *might* be a security threat to have a hashed known_hosts file, however I didn't want to say it publicly since I'm not sure at all. The fact that fears me is that by hashing the known_hosts file information is lost, in particular the information that binds the IP address to the hostname. With unhashed known_hosts they are both recorded on the same line. With hashed known_hosts each one is independently recorded on different lines. I am only speculating here, I haven't fully understood how openssh does its checks. We should be careful about *security* choices we make. Especially these choices should be made on vast community majority, not on the personal decision of a package maintainer. I am talking about general arch policy here, I have tried to raise discussion on other security issues too but got the feeling of being ignored by the devs, and that discuss on their private list and mostly announce here. Lastly, FYI I don't consider debian an example of good security policy. They keep changing things to satisfy their project's bugzilla but they keep being bitten by the fact that upstream doesn't always agree with them. Dimitris
On Wed, May 21, 2008 at 3:52 PM, Dimitrios Apostolou <jimis@gmx.net> wrote:
The fact that fears me is that by hashing the known_hosts file information is lost, in particular the information that binds the IP address to the hostname.
You are more than welcome to change the config settings. In all my history with arch, we have always pointed fingers at the end user for not paying attention to their config files, and I seriously have no idea why this is a big deal now, a year after this change was made. Sure it could have been more visible, but we have always held that the config files are _your_ job.
On Wed, 2008-05-21 at 16:12 -0500, Aaron Griffin wrote:
On Wed, May 21, 2008 at 3:52 PM, Dimitrios Apostolou <jimis@gmx.net> wrote:
The fact that fears me is that by hashing the known_hosts file information is lost, in particular the information that binds the IP address to the hostname.
You are more than welcome to change the config settings. In all my history with arch, we have always pointed fingers at the end user for not paying attention to their config files, and I seriously have no idea why this is a big deal now, a year after this change was made. Sure it could have been more visible, but we have always held that the config files are _your_ job.
Hey No Problem. I have changed most of my config files a year ago, I just grab the opportunity to discuss that now that it's hot. My main point is that it should have been hot a year ago. I'm also struggling to figure out why I disliked this change that much back then. :-s Dimitris
On Wed, May 21, 2008 at 9:50 AM, Dimitrios Apostolou <jimis@gmx.net> wrote:
Hi,
Was this change forwarded to the OpenSSH developers? I am sure that if it is indeed better security-wise to hash the known_hosts file, they would change the default configuration upstream. I'm also sure that they would give very good reasons for not wanting to do so.
It's not a patch, it's a config file setting that we switched from "off" to "on"
eliott schrieb:
Just because you can't see it doesn't mean it doesn't exist. unhashed known_hosts *is* more unsecure.
If someone gets access to your account, they would get a) your key b) a list of hosts that the key is valid for
hey! great!
Compund this with the fact that many people use keys without a passphrase (a bad practice), someone can 'harvest' known_host data, and worm out to other hosts.. here is the kicker ... in a way that is easily automated.
The point is, without any notice, we provided a different configuration file than the upstream configuration file. That's not how we do it, we always provide the upstream configuration file. If someone thinks that having unhased known_hosts is a security problem, then he/she can change this configuration option on his/her system, that is how Arch works. But now that hashed known_hosts silently became the default, I cannot revert back.
On 5/21/08, Thomas Bächler <thomas@archlinux.org> wrote:
The point is, without any notice, we provided a different configuration file than the upstream configuration file. That's not how we do it, we always provide the upstream configuration file.
wrong. We provide 'sane defaults'. I consider security to be sane. I guess you don't. That is fine, for you.
If someone thinks that having unhased known_hosts is a security problem, then he/she can change this configuration option on his/her system, that is how Arch works.
If someone thinks that having unhashed known_hosts isn't a security problem, then he/she can change this configuration option on his/her system. That is how arch works. See what I did there?
But now that hashed known_hosts silently became the default, I cannot revert back.
Sure you can. 1. copy the known hosts file to a backup location. 2. Change the option (set it in your .ssh/config. This file overrides the defaults if you were not aware), and remove the known_hosts file. 3. Connect to hosts. When an entry is made, do a hash compare if you are concerned that the remote keyprint might have changed (ssh-keygen can output a known_hosts hash for a non hashed known hosts file). Also.. fyi.. knownhosts hashing option does not automagically convert an unhashed known_hosts file. It would simply add hashed elements to the file, resulting in a mix of hashed and non hashed. You would have had to run ssh-keygen on the known_hosts file to get a full conversion. So if all you have are hashed files, then you must have at some point: - done a reinstall - nuked the file and rebuilt it - converted it manually yourself - never actually cared about the change until you were slightly inconvenienced.
Thomas Bächler wrote:
I didn't find out about this change until much later - and it pissed me off. For no apparent reason, we changed the default configuration of openssh at one point and now I have an obfuscated known_hosts file.
I agree - it would have been better for there to have been a bit more noise made about this change. If it was reported anywhere I must have missed it.
I don't see any security impact in having the hosts unhashed.
Apparently there was a paper published by MIT researchers a couple of years back that described how an attacker could use the SSH known_hosts file to propagate a worm: http://lwn.net/Articles/135506/ In theory it makes sense, but I'm wondering how feasible a threat it is in practice. DR
participants (6)
-
Aaron Griffin
-
David Rosenstrauch
-
Dimitrios Apostolou
-
eliott
-
Thomas Bächler
-
Xavier