Hashing the .ssh/known_hosts file will save the old unhashed version:
Code:
# cd .ssh ; ls -l
total 20
-rw-r--r-- 1 root wheel 187 Dec 28 2012 authorized_keys
-rw-r--r-- 1 root wheel 31 Dec 29 2012 config
-rw------- 1 root wheel 668 Dec 26 2012 id_dsa
-rw-r--r-- 1 root wheel 612 Dec 26 2012 id_dsa.pub
-rw-r--r-- 1 root wheel 1778 Jul 8 19:38 known_hosts
# ssh-keygen -H
/root/.ssh/known_hosts updated.
Original contents retained as /root/.ssh/known_hosts.old
WARNING: /root/.ssh/known_hosts.old contains unhashed entries
Delete this file to ensure privacy of hostnames
# ls -l
total 28
-rw-r--r-- 1 root wheel 187 Dec 28 2012 authorized_keys
-rw-r--r-- 1 root wheel 31 Dec 29 2012 config
-rw------- 1 root wheel 668 Dec 26 2012 id_dsa
-rw-r--r-- 1 root wheel 612 Dec 26 2012 id_dsa.pub
-rw------- 1 root wheel 3394 Aug 20 10:46 known_hosts
-rw-r--r-- 1 root wheel 1778 Jul 8 19:38 known_hosts.old
The difference:
Code:
# head -1 known_hosts.old
parmenides.utp.xnet ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCsXM+2cMdwfVFil240QII049DXlnzaOVw8bCNx4a4hl2dzJ5Y7CBa5Z73kXVYmqr2rIj+vuQ+PNEsOVlcGC5tA=
# head -1 known_hosts
|1|19rRcmvSV0eR6zhYyRXq+bDKq9s=|xVmzJXtcH81Tkm+8RYyaawfSA5o= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCsXM+2cMdwfVFil240QII049DXlnzaOVw8bCNx4a4hl2DzJ5Y7CBa5Z73kXVYmqr2rIj+vuQ+PNEsOVlcGC5tA=
So IMHO it is quite safe to do this.
To prevent new hosts being added with their unhashed values you should set HashKnownHosts to yes in ssh_config. So it is not '.OR.' but '.AND.'