On Sun, 2006-03-12 at 06:12 +0530, Sudev Barar wrote:
> On 11/03/06, Scot L. Harris <webid at cfl.rr.com> wrote:
> > On Sat, 2006-03-11 at 09:32 -0800, Bruno S. Delbono wrote:
> > >
> > > Not only that, but newer versions of SSH allow you to encrypt your
> > > known_hosts file. From Damien Miller's Post:
> > >
> > > Added the ability to store hostnames added to ~/.ssh/known_hosts in a
> > > hashed format. This is a privacy feature that prevents a local attacker
> > > from learning other hosts that a user has accounts on from their
> > > known_hosts file.
> >
> > Interesting option. How do you sort out the problem when the remote
> > host key changes (such as reloading the OS) and you need to delete the
> > entry in the known_hosts file so ssh will work again with that system?
> >
> > I understand the purpose of the option, just not sure how it would work
> > when such changes occur. Deleting the entire known_hosts file would not
> > be a good option IMHO.
> >
> > And how secure does this make the known_hosts file? Is it a simple hash
> > that can be obtained from the source?
>
> For sake of clarity let us not use remote or local but client and
> server. You can be a client sitting on a local machine logging into a
> remote server, or a client on a remote machine logging in to a server
> which is local.
>
> AFAIK you can just copy the .ssh/authorized_keys2 file from the old
> server to the new server. As this includes the public key of the client,
> the remote log in from the client would still work.
>
> The SSH method of setting up keys in the first place assumes you can
> generate a key at the client (only if you have access) and then export
> the public key to the server (only if you have access there too). Once
> this is done you can log in from that unique client to the server.
> However, if the client changes then you need to go through the process
> of regenerating the public key and installing it on the server.

I understand this with the authorized_keys file.

The original question was regarding the hashing of the known_hosts file.
In my experience there have been many times when I have had to remove
entries in the known_hosts file due to the host key changing on a
system. My question was, if the known_hosts file is hashed how do you
identify the entry for the particular host so it can be removed when
needed?
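The question above (how to find and remove one host's entry when the host field is hashed) is answerable because the hashed format is not a secret: OpenSSH writes the host field as `|1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=hostname))` with a fresh 20-byte salt per line. The salt protects against simply reading names out of the file, but anyone who already knows a hostname can recompute the HMAC with the stored salt and test each line for a match, which is exactly what `ssh-keygen -F hostname` (lookup) and `ssh-keygen -R hostname` (removal) do. The following is an added example written for this thread, not code from OpenSSH or from anyone in the discussion; the known_hosts contents and key blobs in it are constructed placeholders.

```python
"""Locate and remove one host's entries in an OpenSSH known_hosts file,
including entries stored in the hashed "|1|salt|hash" format.

Added example for this thread (not OpenSSH code). The file contents
below are constructed and the key blobs are placeholders, not real keys.
"""
import base64
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

HASH_MAGIC = "|1|"  # prefix OpenSSH uses for hashed host fields


def hash_host_field(hostname: str, salt: Optional[bytes] = None) -> str:
    """Build the hashed host field: |1|b64(salt)|b64(HMAC-SHA1(salt, hostname)).

    The 20-byte random salt is the HMAC key and the hostname is the message.
    Hosts on non-standard ports are named "[host]:port" in known_hosts.
    """
    if salt is None:
        salt = os.urandom(20)
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return (HASH_MAGIC + base64.b64encode(salt).decode()
            + "|" + base64.b64encode(digest).decode())


def host_field_matches(field: str, hostname: str) -> bool:
    """True if a known_hosts host field (plain or hashed) refers to hostname.

    A hashed field cannot be turned back into a name, but it can be tested
    by recomputing the HMAC with the stored salt. A plain field may hold
    several comma-separated names/addresses.
    """
    if field.startswith(HASH_MAGIC):
        parts = field.split("|")  # ["", "1", salt_b64, hash_b64]
        if len(parts) != 4:
            return False  # malformed field: treat as no match
        try:
            salt = base64.b64decode(parts[2])
            stored = base64.b64decode(parts[3])
        except ValueError:
            return False
        computed = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(computed, stored)
    return hostname in field.split(",")


def host_field_of(line: str) -> Optional[str]:
    """Return the host field of a known_hosts line, or None for blanks/comments."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    tokens = stripped.split()
    # A line may start with a marker such as @cert-authority or @revoked;
    # the host field then follows the marker.
    if tokens[0].startswith("@"):
        return tokens[1] if len(tokens) > 1 else None
    return tokens[0]


def find_host_lines(known_hosts: str, hostname: str) -> List[int]:
    """1-based line numbers of entries (plain or hashed) matching hostname."""
    hits = []
    for number, line in enumerate(known_hosts.splitlines(), start=1):
        field = host_field_of(line)
        if field is not None and host_field_matches(field, hostname):
            hits.append(number)
    return hits


def remove_host(known_hosts: str, hostname: str) -> Tuple[str, int]:
    """Return (new contents, lines dropped) with hostname's entries removed.

    This is the hand edit asked about in the thread; ssh-keygen -R does the
    same job on the real file.
    """
    kept, dropped = [], 0
    for line in known_hosts.splitlines():
        field = host_field_of(line)
        if field is not None and host_field_matches(field, hostname):
            dropped += 1
            continue
        kept.append(line)
    return "".join(line + "\n" for line in kept), dropped


# Constructed sample file: a plain entry and a hashed entry for the same
# host, plus a hashed entry for another host. Key blobs are placeholders.
FAKE_KEY = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC-placeholder-not-a-real-key"
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts",
    "oldbox.example.net,192.0.2.10 " + FAKE_KEY,
    hash_host_field("oldbox.example.net") + " " + FAKE_KEY,
    hash_host_field("other.example.net") + " " + FAKE_KEY,
]) + "\n"

if __name__ == "__main__":
    print(find_host_lines(SAMPLE_KNOWN_HOSTS, "oldbox.example.net"))  # [2, 3]
    text, dropped = remove_host(SAMPLE_KNOWN_HOSTS, "oldbox.example.net")
    print(dropped, "line(s) removed")
    print(text, end="")
```

The check is keyed on the exact name the client used, so a host reached as `192.0.2.10` and as `oldbox.example.net` has two separate hashed lines and both must be tested; the plain entry above matches either name because it lists both. As for "how secure" the hashing is: it hides names from someone who only reads the file, but it does not resist guessing, since any candidate name can be verified against every line the same way this code does.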