[CentOS] sshd hack

Sudev Barar sbarar at gmail.com
Sun Mar 12 00:42:23 UTC 2006


On 11/03/06, Scot L. Harris <webid at cfl.rr.com> wrote:
> On Sat, 2006-03-11 at 09:32 -0800, Bruno S. Delbono wrote:
>
> > Not only that, but newer versions of SSH allow you to encrypt your
> > known_hosts file. From Damien Miller's Post:
> >
> > Added the ability to store hostnames added to ~/.ssh/known_hosts in a
> > hashed format. This is a privacy feature that prevents a local attacker
> > from learning other hosts that a user has accounts on from their
> > known_hosts file.
> >
>
> Interesting option.  How do you sort out the problem when the remote
> host key changes (such as reloading the OS) and you need to delete the
> entry in the known_hosts file so ssh will work again with that system?
>
> I understand the purpose of the option, just not sure how it would work
> when such changes occur.  Deleting the entire known_hosts file would not
> be a good option IMHO.
>
> And how secure does this make the known_hosts file?  Is it a simple hash
> that can be obtained from the source?

For sake of clarity let us not use remote or local but client and
server. You an be client sitting on local machine logging into remote
server or client on remote logging in to server which is local.

AFAIK You can just copy the .ssh/authorized_keys2 file from old server
to new server As this includs public key of clinet the remote log in
from client would still work.

SSH method of setting up keys in the first place assumes you can
generate key at client (only if you have access) and then export the
public key to server (only if you have access there to). Once this is
done you can log in from that unique client to the server. However if
the client changes then you need to go through the process of
regenerating publc key and installing it on server.
--
Sudev Barar
Learning Linux



More information about the CentOS mailing list