On Sun, 2006-03-12 at 06:12 +0530, Sudev Barar wrote:
On 11/03/06, Scot L. Harris <webid@cfl.rr.com> wrote:
On Sat, 2006-03-11 at 09:32 -0800, Bruno S. Delbono wrote:
Not only that, but newer versions of SSH allow you to encrypt your known_hosts file. From Damien Miller's Post:
Added the ability to store hostnames added to ~/.ssh/known_hosts in a hashed format. This is a privacy feature that prevents a local attacker from learning other hosts that a user has accounts on from their known_hosts file.
Interesting option. How do you sort out the problem when the remote host key changes (such as reloading the OS) and you need to delete the entry in the known_hosts file so ssh will work again with that system?
I understand the purpose of the option, just not sure how it would work when such changes occur. Deleting the entire known_hosts file would not be a good option IMHO.
And how secure does this make the known_hosts file? Is it a simple hash that can be obtained from the source?
For the sake of clarity let us not use remote or local but client and server. You can be a client sitting on a local machine logging into a remote server, or a client on a remote machine logging in to a server which is local.
AFAIK you can just copy the .ssh/authorized_keys2 file from the old server to the new server. As this includes the public key of the client, the remote login from the client would still work.
The SSH method of setting up keys in the first place assumes you can generate a key at the client (only if you have access) and then export the public key to the server (only if you have access there too). Once this is done you can log in from that unique client to the server. However, if the client changes then you need to go through the process of regenerating the public key and installing it on the server.
I understand this with the authorized_keys file. The original question was regarding the hashing of the known_hosts file. In my experience there have been many times when I have had to remove entries in the known_hosts file due to the host key changing on a system. My question was, if the known_hosts file is hashed, how do you identify the entry for the particular host so it can be removed when needed?
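As an added illustration (my own code, not anything posted in this thread or taken from OpenSSH) of how a hashed known_hosts host field is built and how the entry for one host can still be located: the field is `|1|base64(salt)|base64(HMAC-SHA1(salt, hostname))`, so the file cannot be read back into a list of hosts, but a hostname you already know can be checked against every line, which is what `ssh-keygen -F host` and `ssh-keygen -R host` do for lookup and removal. The hostnames, salts and key blobs below are constructed placeholders.

```python
import base64
import hashlib
import hmac
import os


def hash_hostname(hostname: str, salt: bytes) -> str:
    """Build a hashed host field: |1|base64(salt)|base64(HMAC-SHA1(salt, hostname))."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def host_field_matches(field: str, hostname: str) -> bool:
    """True if a known_hosts host field (plain or hashed) refers to hostname."""
    if not field.startswith("|1|"):
        # Plain entries may list several names/addresses separated by commas.
        return hostname in field.split(",")
    # Hashed entry: recompute the HMAC with the stored salt and compare.
    _, _, salt_b64, digest_b64 = field.split("|", 3)
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(expected, actual)


def find_entries(known_hosts: str, hostname: str) -> list:
    """Return the known_hosts lines that refer to hostname (the ones to drop after a key change)."""
    hits = []
    for line in known_hosts.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host_field = line.split(None, 1)[0]
        if host_field_matches(host_field, hostname):
            hits.append(line)
    return hits


# Constructed sample file: one plain entry and two hashed entries; key blobs are placeholders.
SAMPLE_SALT = os.urandom(20)  # a fresh random 20-byte salt per hashed entry
KNOWN_HOSTS = "\n".join([
    "plainbox.example.test,10.0.0.5 ssh-rsa AAAAPLACEHOLDER1",
    hash_hostname("bastion.example.test", SAMPLE_SALT) + " ssh-rsa AAAAPLACEHOLDER2",
    hash_hostname("other.example.test", os.urandom(20)) + " ssh-rsa AAAAPLACEHOLDER3",
])

if __name__ == "__main__":
    for line in find_entries(KNOWN_HOSTS, "bastion.example.test"):
        print("would remove:", line)
```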