[Cialug] ssh oddness

Zachary Kotlarek zach at kotlarek.com
Tue Nov 11 15:40:01 CST 2008


On Nov 11, 2008, at 3:24 PM, Daniel A. Ramaley wrote:

> In the past when I'd ssh to a new machine an entry would get written to
> my ~/.ssh/known_hosts file of this basic form:
>
> hostname.mydomain.edu,10.1.2.3 ssh-rsa AAAAB3N<random gobbledygook>==
>
> But lately i get a much less useful entry that looks more like this:
>
> |1|<random gobbledygook>= ssh-rsa AAAAB3N<random gobbledygook>==
>
> and it is no longer possible to see which entry belongs to what machine.
> Any idea what might have changed to cause this, and how to change it
> back?

The option for OpenSSH is "HashKnownHosts". It's new in the last year  
to OpenSSH, and while not the default in the OpenSSH sources it is the  
default in many distros. Unless you're going back to manually verify  
keys after you've accepted them or otherwise mucking about in the file  
outside of the ssh tools* it's probably something you want to leave  
enabled to enhance privacy.

*It's worth noting that host key error messages now include line  
numbers to make tasks like deleting a bad key easy even without  
readable hostnames.

--

      HashKnownHosts
              Indicates that ssh(1) should hash host names and addresses when they are added to ~/.ssh/known_hosts.
              These hashed names may be used normally by ssh(1) and sshd(8), but they do not reveal identifying
              information should the file's contents be disclosed.  The default is ``no''.  Note that existing names and
              addresses in known hosts files will not be converted automatically, but may be manually hashed using
              ssh-keygen(1).

--

Also note that ssh-keygen has some new modes to let you search for  
things in the hashed file and convert old files:

      -F hostname
              Search for the specified hostname in a known_hosts file, listing any occurrences found.  This option is
              useful to find hashed host names or addresses and may also be used in conjunction with the -H option to
              print found keys in a hashed format.

      -H      Hash a known_hosts file.  This replaces all hostnames and addresses with hashed representations within
              the specified file; the original content is moved to a file with a .old suffix.  These hashes may be used
              normally by ssh and sshd, but they do not reveal identifying information should the file's contents be
              disclosed.  This option will not modify existing hashed hostnames and is therefore safe to use on files
              that mix hashed and non-hashed names.

      -R hostname
              Removes all keys belonging to hostname from a known_hosts file.  This option is useful to delete hashed
              hosts (see the -H option above).

Zach
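An added example (not from Zach's mail or from OpenSSH itself) showing what the `|1|...` form in the question actually contains, and how a lookup like `ssh-keygen -F` can still find a host in a hashed file: the name field is `|1|` + base64(salt) + `|` + base64(HMAC-SHA1(salt, hostname)). The function names, the fixed salt and the sample known_hosts lines (with placeholder key blobs) are constructed for the example.

```python
import base64
import hashlib
import hmac
import os

HASH_MAGIC = "|1|"  # OpenSSH's marker for a hashed known_hosts name field


def hash_hostname(hostname, salt=None):
    """Build the '|1|salt|hash' field OpenSSH writes when HashKnownHosts=yes.

    OpenSSH draws a random 20-byte salt and computes HMAC-SHA1 keyed with that
    salt over the hostname; both parts are base64-encoded.  A fixed salt may be
    passed to make the output reproducible (used by the sample below).
    """
    if salt is None:
        salt = os.urandom(20)
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "%s%s|%s" % (HASH_MAGIC, base64.b64encode(salt).decode(),
                        base64.b64encode(digest).decode())


def name_matches(field, hostname):
    """True if one name field, plain or hashed, refers to hostname."""
    if field.startswith(HASH_MAGIC):
        salt_b64, _, digest_b64 = field[len(HASH_MAGIC):].partition("|")
        salt = base64.b64decode(salt_b64)
        expected = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(digest_b64))
    return field == hostname  # plain names; wildcard patterns not handled here


def find_host(known_hosts_text, hostname):
    """Like 'ssh-keygen -F': return (line number, line) for entries naming hostname.

    Plain entries may carry several comma-separated names ('host,ip'); hashed
    entries carry exactly one hashed name per line, so each is tested alone.
    """
    hits = []
    for lineno, line in enumerate(known_hosts_text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        names = line.split(None, 1)[0]
        if any(name_matches(n, hostname) for n in names.split(",")):
            hits.append((lineno, line))
    return hits


# Constructed sample file: the "old" plain form from the question plus one
# hashed entry built with a fixed salt; the key blobs are placeholders.
SALT = bytes(range(20))
SAMPLE_KNOWN_HOSTS = "\n".join([
    "hostname.mydomain.edu,10.1.2.3 ssh-rsa AAAAB3NPLACEHOLDER==",
    hash_hostname("other.mydomain.edu", SALT) + " ssh-rsa AAAAB3NPLACEHOLDER==",
])

if __name__ == "__main__":
    for lineno, line in find_host(SAMPLE_KNOWN_HOSTS, "other.mydomain.edu"):
        print("line %d: %s" % (lineno, line))
```

Because the salt differs per entry, the same hostname hashes to a different string in every line, which is why the file no longer reveals which host is which without trying each candidate name as `-F` does.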
