
I have some servers with yes, some others with no here (I only discovered this option today).

The advantages of HashKnownHosts no are that I can maintain the known_hosts file more easily.

What are the factual advantages of using HashKnownHosts yes?

2 Answers


The known_hosts file represents a small security risk. It contains a convenient list of all servers to which you connect. An attacker who gained access to your password or unencrypted private key would simply need to iterate down the list until your credentials were accepted. Hashing resolves this or at least obfuscates the list.


With a cleartext known_hosts, attackers would easily know which servers you connect to. There is an article and an MIT paper about a potential ssh worm making use of a readable known_hosts. Of course usually there are other, yet more cumbersome ways to determine your daily ssh logins, such as your shell history, that an attacker could use.

Note that you can still work with your hashed known_hosts using the ssh-keygen utility program:

ssh-keygen -F myhost         # shows myhost's line in the known_hosts file
ssh-keygen -l -F myhost      # additionally shows myhost's fingerprint
ssh-keygen -R myhost         # remove myhost's line from known_hosts

This, especially the last command, should be sufficient for 99% of the cases in which users really need to access known_hosts. You will lose ssh host tab completion though, of course.

Also note that the command line options to ssh-keygen are case sensitive.

There's also a relevant question at unix.SE.

  • The other side of this is you can't tell what you have in the list by just looking at it. For example, if you had it piling up over the years, you might not even remember all the hosts that could have been there, so the ssh-keygen commands would not be of use as they assume you know the host.
    – Asu
    Commented Jun 20, 2023 at 17:25
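The following is an added example, not code from either answer or from OpenSSH itself. It reimplements the hashed known_hosts format that HashKnownHosts yes produces (host field `|1|<base64 salt>|<base64 HMAC-SHA1(salt, hostname)>`, with a 20-byte random salt, which is what ssh and ssh-keygen write) so you can see why a hashed file can be queried for a name you already know (like `ssh-keygen -F`) but not listed, and why an attacker with a wordlist of plausible hostnames can still test each one. The sample known_hosts content is constructed and its key blobs are placeholders; only the standard library is used.

```python
"""Query, hash and brute-force OpenSSH known_hosts entries (added example).

Hashed entries have the form
    |1|<base64 salt>|<base64 HMAC-SHA1(salt, hostname)> <keytype> <base64 key>
The hostname is hashed exactly as ssh would write it in cleartext, e.g.
"example.org", "10.0.0.5" or "[example.org]:2222" for a non-default port.
"""
import base64
import hashlib
import hmac
import os
from typing import Iterator, List, Optional, Tuple

SALT_LEN = 20  # OpenSSH uses a salt the size of a SHA-1 digest


def hash_hostname(host: str, salt: Optional[bytes] = None) -> str:
    """Return the host field of a hashed known_hosts entry for `host`."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())


def host_field_matches(field: str, host: str) -> bool:
    """True if a host field (hashed or cleartext) names `host`."""
    if field.startswith("|1|"):
        try:
            _, _, salt_b64, mac_b64 = field.split("|", 3)
            salt = base64.b64decode(salt_b64)
            expected = base64.b64decode(mac_b64)
        except ValueError:
            return False  # malformed hashed field
        actual = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    # Cleartext fields may list several names separated by commas.
    # (Wildcard and "!" negation patterns are not handled here.)
    return host in field.split(",")


def parse_known_hosts(text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (host_field, key_type, key) for each entry line."""
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].startswith("@"):  # @cert-authority / @revoked marker
            parts = parts[1:]
        if len(parts) < 3:
            continue  # malformed line
        yield parts[0], parts[1], parts[2]


def find_host(text: str, host: str) -> List[Tuple[str, str]]:
    """Like `ssh-keygen -F host`: keys recorded for `host`, hashed or not."""
    return [(kt, key) for field, kt, key in parse_known_hosts(text)
            if host_field_matches(field, host)]


def hash_known_hosts(text: str) -> str:
    """Like `ssh-keygen -H`: rewrite cleartext entries in hashed form.

    A hashed field holds exactly one name, so "a,b" becomes two lines.
    Markers (@cert-authority, @revoked) are dropped by this simplified version.
    """
    out = []
    for field, kt, key in parse_known_hosts(text):
        if field.startswith("|1|"):
            out.append(f"{field} {kt} {key}")
            continue
        for name in field.split(","):
            out.append(f"{hash_hostname(name)} {kt} {key}")
    return "\n".join(out) + "\n"


def guess_hosts(text: str, candidates) -> List[str]:
    """The attacker's view: the file cannot be read back, but every name in
    a wordlist can still be tested against it (as a worm would)."""
    return sorted(c for c in candidates if find_host(text, c))


# Constructed sample file; the key blobs are placeholders, not real keys.
SAMPLE = (
    "# hosts this user connects to\n"
    "bastion.example.org,10.0.0.5 ssh-ed25519 AAAAEXAMPLEKEY1\n"
    "[git.example.org]:2222 ssh-ed25519 AAAAEXAMPLEKEY2\n"
)

if __name__ == "__main__":
    hashed = hash_known_hosts(SAMPLE)
    print(hashed)                                 # nothing readable left
    print(find_host(hashed, "bastion.example.org"))   # still found by name
    print(guess_hosts(hashed, ["bastion.example.org", "nope.example.org"]))
```

Two things worth noticing when you run it: a host recorded as `[git.example.org]:2222` is only found under that exact spelling, so `-F git.example.org` fails for non-default ports; and `guess_hosts` shows that hashing only helps against an attacker who does not already have a good candidate list, which is the caveat the first answer and the comment above are making.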
