OpenBSD Security Functionally paranoid!

Old 20th August 2013
frcc
Don't Worry Be Happy!
Join Date: Jul 2011
Location: hot,dry,dusty,rainy,windy,straight winds, tornado,puts the fear of God in you-Texas
Posts: 133
hashing known hosts file

Hi folks
What precautions should I take prior to "hashing" known hosts BY:

changing entry in ssh_config

"HashKnownHosts yes" for future entries in hosts file

at command line entering

"ssh-keygen -H" for existing entries in hosts file

reading suggests I should do both but wasn't quite sure what else that may
would like not to go back through multiple servers and re-invent the hosts

as usual thanks in advance......
Old 20th August 2013
J65nko
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,503

Hashing the .ssh/known_hosts file will save the old unhashed version:
# cd .ssh ; ls -l
total 20
-rw-r--r--  1 root  wheel   187 Dec 28  2012 authorized_keys
-rw-r--r--  1 root  wheel    31 Dec 29  2012 config
-rw-------  1 root  wheel   668 Dec 26  2012 id_dsa
-rw-r--r--  1 root  wheel   612 Dec 26  2012 id_dsa.pub
-rw-r--r--  1 root  wheel  1778 Jul  8 19:38 known_hosts
# ssh-keygen -H    
/root/.ssh/known_hosts updated.
Original contents retained as /root/.ssh/known_hosts.old
WARNING: /root/.ssh/known_hosts.old contains unhashed entries
Delete this file to ensure privacy of hostnames
# ls -l
total 28
-rw-r--r--  1 root  wheel   187 Dec 28  2012 authorized_keys
-rw-r--r--  1 root  wheel    31 Dec 29  2012 config
-rw-------  1 root  wheel   668 Dec 26  2012 id_dsa
-rw-r--r--  1 root  wheel   612 Dec 26  2012 id_dsa.pub
-rw-------  1 root  wheel  3394 Aug 20 10:46 known_hosts
-rw-r--r--  1 root  wheel  1778 Jul  8 19:38 known_hosts.old
The difference:

# head -1 known_hosts.old
parmenides.utp.xnet ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCsXM+2cMdwfVFil240QII049DXlnzaOVw8bCNx4a4hl2dzJ5Y7CBa5Z73kXVYmqr2rIj+vuQ+PNEsOVlcGC5tA=

# head -1 known_hosts
|1|19rRcmvSV0eR6zhYyRXq+bDKq9s=|xVmzJXtcH81Tkm+8RYyaawfSA5o= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCsXM+2cMdwfVFil240QII049DXlnzaOVw8bCNx4a4hl2DzJ5Y7CBa5Z73kXVYmqr2rIj+vuQ+PNEsOVlcGC5tA=
So IMHO it is quite safe to do this

To prevent new hosts being added with their unhashed values you should set HashKnownHosts to yes in ssh_config. So it is not '.OR.' but '.AND.'
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
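To show what the `|1|salt|hash` field in the hashed line above actually contains, here is an added example written for this thread (not code from either poster or from OpenSSH): the field is base64(salt) followed by base64(HMAC-SHA1 keyed with that salt over the hostname), so a hashed file can still be checked for a hostname you already know, the way ssh-keygen -F does, but the names cannot be listed. The sample known_hosts content and the fixed salt are constructed for the example.

```python
import base64
import hashlib
import hmac
from typing import List

HASH_MAGIC = "|1|"  # prefix that marks a hashed hostname in known_hosts

def hash_hostname(hostname: str, salt: bytes) -> str:
    """Build the '|1|salt|hash' name field written by HashKnownHosts / ssh-keygen -H:
    HMAC-SHA1 over the hostname keyed with a 20-byte salt, both base64-encoded."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return HASH_MAGIC + base64.b64encode(salt).decode() + "|" + base64.b64encode(digest).decode()

def hostname_matches(name_field: str, hostname: str) -> bool:
    """True if a hashed name field was produced from hostname (what ssh-keygen -F checks)."""
    if not name_field.startswith(HASH_MAGIC):
        return False
    try:
        salt_b64, hash_b64 = name_field[len(HASH_MAGIC):].split("|", 1)
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(hash_b64)
    except ValueError:  # malformed field: wrong number of '|' or bad base64
        return False
    actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(actual, expected)

def find_host(known_hosts: str, hostname: str) -> List[str]:
    """Return the known_hosts lines (plain or hashed) that cover hostname."""
    hits = []
    for line in known_hosts.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name_field = line.split(None, 1)[0]
        if name_field.startswith(HASH_MAGIC):
            if hostname_matches(name_field, hostname):
                hits.append(line)
        elif hostname in name_field.split(","):  # a plain line may list several names
            hits.append(line)
    return hits

# Constructed sample file: one entry hashed with a fixed salt (fixed only for
# reproducibility; ssh-keygen -H draws a fresh random salt per line) and one plain entry.
FIXED_SALT = bytes(range(20))
SAMPLE_KNOWN_HOSTS = (
    hash_hostname("parmenides.utp.xnet", FIXED_SALT) + " ecdsa-sha2-nistp256 AAAAE2VjZHNh...\n"
    "gateway.example.net,192.0.2.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5...\n"
)
```

Hashing touches only the name field; the key type and key blob stay as they were, which is why the two head outputs above differ only in the first column.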