[arch-general] Any way to decrypt hashes set by ssh HashKnownHosts?

[eliott]

On 5/21/08, Thomas Bächler <thomas at archlinux.org> wrote:
>  The point is, without any notice, we provided a different configuration
> file than the upstream configuration file. That's not how we do it, we
> always provide the upstream configuration file.

wrong. We provide 'sane defaults'. I consider security to be sane. I
guess you don't. That is fine, for you.

>  If someone thinks that having unhased known_hosts is a security problem,
> then he/she can change this configuration option on his/her system, that is
> how Arch works.

If someone thinks that having unhashed known_hosts isn't a security
problem, then he/she can change this configuration option on his/her
system. That is how arch works.

See what I did there?

> But now that hashed known_hosts silently became the default,
> I cannot revert back.

Sure you can.
1. copy the known hosts file to a backup location.
2. Change the option (set it in your .ssh/config. This file overrides
the defaults if you were not aware), and remove the known_hosts file.
3. Connect to hosts. When an entry is made, do a hash compare if you
are concerned that the remote keyprint might have changed (ssh-keygen
can output a known_hosts hash for a non hashed known hosts file).

Also.. fyi..
knownhosts hashing option does not automagically convert an unhashed
known_hosts file. It would simply add hashed elements to the file,
resulting in a mix of hashed and non hashed. You would have had to run
ssh-keygen on the known_hosts file to get a full conversion.

So if all you have are hashed files, then you must have at some point:
- done a reinstall
- nuked the file and rebuilt it
- converted it manually yourself
- never actually cared about the change until you were slightly inconvenienced.