[arch-general] Any way to decrypt hashes set by ssh HashKnownHosts?

Aaron Griffin aaronmgriffin at gmail.com
Tue May 20 22:17:38 EDT 2008


On Tue, May 20, 2008 at 8:46 PM, eliott <eliott at cactuswax.net> wrote:
> On 5/20/08, Thomas Bächler <thomas at archlinux.org> wrote:
>> Aaron Griffin schrieb:
>>
>> > On Tue, May 20, 2008 at 2:05 PM, David Rosenstrauch <darose at darose.net> wrote:
>> >
>> > > Problem is, though, since Arch recently turned on HashKnownHosts by default
>> > > in ssh_config, those 2 lines in the known_hosts file are encrypted, and so I
>> > > don't know which host machines that I've been ssh'ing into are affected by
>> > > the problem.
>> > >
>> > I think the whole point is that they *are* one way hashes. The only
>> > thing I can think of is to find the algorithm they use (sha1?) and
>> > hash the hostnames that you know, then compare.
>> >
>>
>> I didn't find out about this change until much later - and it pissed me
>> off. For no apparent reason, we changed the default configuration of openssh
>> at one point and now I have an obfuscated known_hosts file. I don't see any
>> security impact in having the hosts unhashed.

For the record, this change is almost exactly a year old:
http://repos.archlinux.org/viewvc.cgi/core/support/openssh/PKGBUILD?root=core&r1=1.56&r2=1.57

I actually think it is a pretty good idea. We could have probably made
it more visible, but at the same time, don't we always gripe at users
for not checking their config files?

> Just because you can't see it doesn't mean it doesn't exist.
> unhashed known_hosts *is* more insecure.
>
> If someone gets access to your account, they would get
> a) your key
> b) a list of hosts that the key is valid for
>
> hey! great!
>
> Compound this with the fact that many people use keys without a
> passphrase (a bad practice), someone can 'harvest' known_hosts data,
> and worm out to other hosts.. here is the kicker ... in a way that is
> easily automated.
>
> http://www.google.com/search?q=known_hosts+harvesting

I agree. The implications of knowing a list of hosts that a user has
access to are HUGE. Gaining access to a user account suddenly becomes
much more dangerous.
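What "hash the hostnames you know, then compare" looks like in practice, as an added example that is not from this thread: with HashKnownHosts, OpenSSH writes the host field as `|1|base64(salt)|base64(HMAC-SHA1(salt, hostname))`, so an administrator can check which of their own hosts a hashed entry refers to (`ssh-keygen -F hostname` does the same check). The sample known_hosts lines, salt and key blobs below are constructed.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

HASH_MAGIC = "|1|"  # prefix OpenSSH uses for hashed host fields


def hash_hostname(hostname: str, salt: Optional[bytes] = None) -> str:
    """Build the '|1|salt|hash' host field OpenSSH writes for one hostname."""
    if salt is None:
        salt = os.urandom(20)  # OpenSSH draws a fresh 20-byte salt per entry
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return HASH_MAGIC + base64.b64encode(salt).decode() + "|" + base64.b64encode(digest).decode()


def hostname_matches(host_field: str, hostname: str) -> bool:
    """True if a known_hosts host field (hashed or plain) names this host."""
    if not host_field.startswith(HASH_MAGIC):
        return hostname in host_field.split(",")  # plain, comma-separated form
    _, _, salt_b64, digest_b64 = host_field.split("|")
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(digest_b64)
    actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(actual, expected)


def audit_known_hosts(known_hosts_text: str, candidates) -> dict:
    """Map each candidate hostname to the (key type, key blob) entries it matches.
    Non-standard ports are stored as '[host]:port', so pass that form if needed."""
    found = {name: [] for name in candidates}
    for line in known_hosts_text.splitlines():
        fields = line.split()
        if line.startswith("#") or len(fields) < 3:
            continue
        host_field, key_type, key_blob = fields[0], fields[1], fields[2]
        for name in candidates:
            if hostname_matches(host_field, name):
                found[name].append((key_type, key_blob))
    return found


# Constructed sample file: a fixed salt keeps it reproducible; real entries use os.urandom.
_SALT = bytes(range(20))
SAMPLE_KNOWN_HOSTS = "\n".join([
    hash_hostname("build.example.internal", _SALT) + " ssh-rsa AAAAexamplekey1",
    hash_hostname("10.0.0.5", _SALT) + " ssh-rsa AAAAexamplekey1",
    "db.example.internal,10.0.0.9 ssh-dss AAAAexamplekey2",
])

if __name__ == "__main__":
    for host, keys in audit_known_hosts(SAMPLE_KNOWN_HOSTS, ["build.example.internal", "10.0.0.9", "other"]).items():
        print(host, "->", keys or "no entry")
```

Each hashed line covers exactly one name, so a host you reach both by DNS name and by IP shows up as two separate entries, which is what makes the file useless to someone who does not already know the hostnames.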

