Feature #14995

Hash ~/.ssh/known_hosts by default

Added by tailshark about 2 years ago. Updated almost 2 years ago.

I've been doing a lot of work over ssh and recently noticed the known_hosts file (which I back up to KeePass) uses the plain text IP entries with associated fingerprints. I do have a concern about a browser bug or creeping exploit (that sneaks around AppArmor somehow) lifting the file and exposing all my server IPs in one hit. Even a "hot laptop theft" could expose them all.

I hashed the file manually for storage with:

ssh-keygen -H -f ~/.ssh/known_hosts

And I've added a config file to the ~/.ssh folder as follows:

mkdir -p ~/.ssh
echo "HashKnownHosts yes" > ~/.ssh/config
chmod 400 ~/.ssh/config

Automatic hashing works as expected.

Should this be a default setting?

I don't see any downside risks to it being a default.

Thanks for everything you guys do btw. I know things can be wrestlemania with practical implementation.
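The following is an added example, not code from the ticket, from Tails or from OpenSSH. It reproduces the on-disk format that `HashKnownHosts yes` and `ssh-keygen -H` write (each hostname becomes `|1|<base64 salt>|<base64 HMAC-SHA1(key=salt, msg=hostname)>`, one line per name), implements the same lookup that `ssh-keygen -F <host>` performs, and shows the one caveat worth knowing before relying on hashing: a hashed file hides the host list from someone who reads it, but anyone who can guess a name or IP can confirm it cheaply, because the hash is a single salted HMAC with no work factor. The sample known_hosts content and host names (192.0.2.0/24, example.org) are constructed for the example; the key material is a placeholder, not a real host key.

```python
"""Hashed known_hosts entries, as written by HashKnownHosts yes / ssh-keygen -H.

Added example for the ticket above; it is not OpenSSH code and not part of Tails.
The on-disk format it reproduces is OpenSSH's:

    |1|<base64 salt>|<base64 HMAC-SHA1(key=salt, msg=hostname)> <keytype> <key> [comment]

A hashed file no longer lists hosts in the clear, but a candidate name can still
be confirmed by recomputing the HMAC with the stored salt (that is exactly what
ssh and ssh-keygen -F do), so hashing stops enumeration, not confirmation.
"""
import base64
import hashlib
import hmac
import os

HASH_MAGIC = "|1|"
SALT_LEN = 20  # OpenSSH uses a salt as long as the SHA-1 output

# Constructed sample file; the key material is a placeholder, not a real host key.
SAMPLE_KNOWN_HOSTS = """\
# constructed sample known_hosts
bastion.example.org,192.0.2.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERbastion
[git.example.org]:2222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERgit
"""


def hash_hostname(host, salt=None):
    """Return the |1|salt|hash form of one hostname (fresh random salt by default)."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return HASH_MAGIC + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()


def hostname_matches(hashed_field, host):
    """True if hashed_field is the |1| form of host: re-derive with the stored salt."""
    if not hashed_field.startswith(HASH_MAGIC):
        return False
    salt_b64, mac_b64 = hashed_field[len(HASH_MAGIC):].split("|", 1)
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(mac_b64)
    got = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(got, expected)


def _split_entry(line):
    """Split a known_hosts line into (marker-or-None, host field, rest-of-line)."""
    parts = line.split(None, 2)
    if parts[0].startswith("@"):  # e.g. @cert-authority or @revoked
        marker, hosts = parts[0], parts[1]
        rest = parts[2] if len(parts) > 2 else ""
    else:
        marker, hosts = None, parts[0]
        rest = line.split(None, 1)[1] if len(parts) > 1 else ""
    return marker, hosts, rest


def hash_known_hosts(text):
    """Rewrite known_hosts text the way ssh-keygen -H does.

    Every comma-separated name gets its own line with its own salt; blank,
    comment and already-hashed lines pass through unchanged.
    """
    out = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            out.append(line)
            continue
        marker, hosts, rest = _split_entry(stripped)
        if hosts.startswith(HASH_MAGIC):
            out.append(line)
            continue
        prefix = marker + " " if marker else ""
        for name in hosts.split(","):
            out.append(prefix + hash_hostname(name) + " " + rest)
    return "\n".join(out) + "\n"


def find_host(text, host):
    """Return the entries for host, as ssh-keygen -F would (exact names; no wildcards)."""
    hits = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        _, hosts, _ = _split_entry(stripped)
        if hosts.startswith(HASH_MAGIC):
            if hostname_matches(hosts, host):
                hits.append(stripped)
        elif host in hosts.split(","):
            hits.append(stripped)
    return hits


def recover_hosts(text, candidates):
    """The caveat: whoever holds the file and a list of guesses learns which guesses are in it."""
    return {c for c in candidates if find_host(text, c)}


if __name__ == "__main__":
    hashed = hash_known_hosts(SAMPLE_KNOWN_HOSTS)
    print(hashed)
    print("192.0.2.10 present:", bool(find_host(hashed, "192.0.2.10")))
    print("recovered from guesses:", recover_hosts(hashed, ["192.0.2.10", "10.0.0.1"]))
```

Run it and the two plaintext names on the first sample line come out as two separate `|1|` lines with different salts, which is why a hashed file is longer than the original and why `grep` no longer finds anything; `find_host` is the lookup you do instead, and `recover_hosts` is the same lookup driven by a guess list, i.e. the residual exposure that hashing does not remove.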

Associated revisions

Revision 022c318d (diff)
Added by intrigeri about 2 years ago

SSH client: enable HashKnownHosts (refs: #14995)

Debian enables HashKnownHosts by default via /etc/ssh/ssh_config
for good reasons, let's not revert to the upstream default.

Revision ca8bfa80
Added by anonym about 2 years ago

Merge remote-tracking branch 'origin/bugfix/14995-hash-ssh-known-hosts' into stable

Fix-committed: #14995


#1 Updated by mercedes508 about 2 years ago

  • Assignee set to intrigeri

Letting some devs discuss it further, as I can't judge the consequences as a simple help desk member :)

#2 Updated by intrigeri about 2 years ago

  • Description updated (diff)

#3 Updated by intrigeri about 2 years ago

  • Status changed from New to Confirmed
  • Target version set to Tails_3.5
  • Type of work changed from Discuss to Code

Debian enables HashKnownHosts by default via /etc/ssh/ssh_config… but we replace this file with our own, hence reverting to the default upstream setting that's HashKnownHosts no. I'll fix that.

The drawback of enabling HashKnownHosts is about usability: IIRC it breaks ssh <TAB> completion. Outside of Tails arguably it does not matter much as one can use their shell history instead… but in Tails we have no shell history. Anyway, the kind of users who rely on such things can very well add to ~/.ssh/config sections about the hosts they frequently connect to, and then I think bash will get the completion right (at least zsh does).

#4 Updated by intrigeri about 2 years ago

  • Status changed from Confirmed to In Progress
  • % Done changed from 0 to 10
  • Feature Branch set to bugfix/14995-hash-ssh-known-hosts

#5 Updated by intrigeri about 2 years ago

  • Assignee changed from intrigeri to anonym
  • % Done changed from 10 to 50
  • QA Check set to Ready for QA

#6 Updated by anonym about 2 years ago

  • Status changed from In Progress to 11
  • Assignee deleted (anonym)
  • % Done changed from 50 to 100
  • QA Check changed from Ready for QA to Pass

Good luck to all Tails users that now will have to learn the rather ssh-keygen -F! :)

#7 Updated by intrigeri almost 2 years ago

  • Target version changed from Tails_3.5 to Tails_3.4

#8 Updated by anonym almost 2 years ago

  • Status changed from 11 to Resolved
