Hash ~/.ssh/known_hosts by default
I've been doing a lot of work over ssh and recently noticed the known_hosts file (which I back up to KeePass) uses plain-text IP entries with associated fingerprints. I do have a concern about a browser bug or creeping exploit (that sneaks around AppArmor somehow) lifting the file and exposing all my server IPs in one hit. Even a "hot laptop theft" could expose them all.
I hashed the file manually for storage with:
ssh-keygen -H -f ~/.ssh/known_hosts
And I've added a config file to the ~/.ssh folder as follows:
mkdir -p ~/.ssh
echo "HashKnownHosts yes" > ~/.ssh/config
chmod 400 ~/.ssh/config
Automatic hashing works as expected.
Should this be a default setting?
I don't see any downside risks to it being a default.
Thanks for everything you guys do btw. I know things can be wrestlemania with practical implementation.
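For readers who want to see what `ssh-keygen -H` and `HashKnownHosts yes` actually do to the file, here is an added example of the hashed known_hosts host-field format in Python. It is my own illustration, not code from the reporter, Tails or OpenSSH; the sample known_hosts line, its IP and its key material are constructed for the demo and are not real. The format itself is the one documented in sshd(8): `|1|<base64 salt>|<base64 HMAC-SHA1(salt, hostname)>`.

```python
import base64
import hashlib
import hmac
import os
from typing import List, Optional

# Constructed sample line (fake host, fake truncated key), the plain-text
# form the reporter does not want sitting in a backup.
PLAIN_LINE = "192.0.2.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyDataOnlyForDemo"


def hash_hostname(hostname: str, salt: Optional[bytes] = None) -> str:
    """Return *hostname* in OpenSSH hashed known_hosts syntax.

    |1|<base64 salt>|<base64 HMAC-SHA1(key=salt, msg=hostname)>
    The salt is 20 random bytes, so two hashed entries for the same host
    do not even look alike. The hostname is hashed exactly as written in
    the file, so "[host]:2222" style entries hash the bracketed string.
    """
    if salt is None:
        salt = os.urandom(20)
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|{}|{}".format(
        base64.b64encode(salt).decode(), base64.b64encode(digest).decode()
    )


def host_matches(hashed_field: str, hostname: str) -> bool:
    """Test a hashed host field against *hostname* the way the ssh client does:
    recompute the HMAC with the stored salt and compare in constant time."""
    marker, salt_b64, digest_b64 = hashed_field.split("|")[1:]
    if marker != "1":
        raise ValueError("unsupported known_hosts hash marker: " + marker)
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(actual, expected)


def hash_line(line: str) -> List[str]:
    """Hash the host field of one plain known_hosts line, keeping key type and
    key untouched. A comma-separated host list becomes one hashed line per
    host, since a hash can only cover a single name. Lines starting with a
    '@cert-authority' / '@revoked' marker are not handled here (simplification)."""
    hosts, rest = line.strip().split(None, 1)
    if hosts.startswith("|1|"):
        return [line.strip()]  # already hashed, leave as is
    return ["{} {}".format(hash_hostname(h), rest) for h in hosts.split(",")]


def find_host(lines: List[str], hostname: str) -> List[str]:
    """Return every line whose host field (hashed or plain) matches *hostname*.
    This is the lookup ssh-keygen -F performs; it still works after hashing,
    which is why hashing costs nothing for normal host verification."""
    hits = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        host_field = line.split(None, 1)[0]
        if host_field.startswith("|1|"):
            if host_matches(host_field, hostname):
                hits.append(line)
        elif hostname in host_field.split(","):
            hits.append(line)
    return hits


if __name__ == "__main__":
    hashed = hash_line(PLAIN_LINE)
    print("plain :", PLAIN_LINE)
    print("hashed:", hashed[0])
    print("lookup for 192.0.2.10 finds", len(find_host(hashed, "192.0.2.10")), "line(s)")
```

Running it shows that the hashed line keeps the key type and key verbatim and only replaces the host field, which is all the hashing protects. The caveat worth knowing before relying on it: the salt defeats a precomputed table, but a name the attacker can guess (say every address in a small range they already suspect) can be checked against each salted entry offline, so hashing hides the list from a casual read of the file rather than making the hosts unrecoverable. `ssh-keygen -F <host> -f ~/.ssh/known_hosts` is the real-world equivalent of `find_host` above.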
SSH client: enable HashKnownHosts (refs: #14995)
Debian enables HashKnownHosts by default via /etc/ssh/ssh_config
for good reasons, let's not revert to the upstream default.
#3 Updated by intrigeri over 1 year ago
- Status changed from New to Confirmed
- Target version set to Tails_3.5
- Type of work changed from Discuss to Code
Debian enables HashKnownHosts by default via /etc/ssh/ssh_config… but we replace this file with our own, hence reverting to the default upstream setting that's HashKnownHosts no. I'll fix that.
The drawback of enabling HashKnownHosts is about usability: IIRC it breaks ssh <TAB> completion. Outside of Tails arguably it does not matter much as one can use their shell history instead… but in Tails we have no shell history. Anyway, the kind of users who rely on such things can very well add sections about the hosts they frequently connect to to ~/.ssh/config and then I think bash will get the completion right (at least zsh does).