default /etc/ssh/ssh_config should include option HashKnownHosts for known_hosts Many recent press reports have commented on the MIT study that analyzed the vulnerability of networks to worms using ssh to navigate across a network. The MIT paper is here: http://nms.csail.mit.edu/projects/ssh/sshworm.pdf And Bruce Schneier's commentary on the paper is here: http://www.schneier.com/blog/archives/2005/05/the_potential_f.html The solution to this vulnerability exists in the current version of OpenSSH, and is controlled by the HashKnownHosts config option. The man page for ssh_config has this to say: HashKnownHosts Indicates that ssh should hash host names and addresses when they are added to $HOME/.ssh/known_hosts. These hashed names may be used normally by ssh and sshd, but they do not reveal identifying information should the file's contents be disclosed. The default is ``no''. Note that hashing of names and addresses will not be retrospectively applied to existing known hosts files, but these may be manually hashed using ssh-keygen(1). This option should be set to 'yes' in the default Gentoo configuration for /etc/ssh/ssh_config HashKnownHosts=yes Reproducible: Always Steps to Reproduce: 1. look at your known_hosts file 2. write worm to scan plain-text known_hosts files on a compromised machine 3. run rampant across a network
not a 'real' security issue
our default ssh_config doesnt turn on any options ... but we could easily change that any other settings to suggest defaults for ?
The defaults are fine for me except for this hash setting. As the MIT paper and Bruce Schneier's article point out, using a Hash is a simple effective security measure that should probably be on by default. Hopefully someone with commit access can make and test this one-line change to the /etc/ssh/ssh_config file.
This breaks bash-completion among other things that depend on the existing behavior. Turn on hashing and in due time the worms out there will adapt including a their own hashing algorithms, looking at open sockets, .history files and many other tricks to obtain peers.
Turning the option on doesn't make you less vulnerable, it just make it a /little/ more difficult for the worm to compute targets. So what ? They will rely on dumber (brutescans) or smarter (bash_history, traffic analysis, delayed propagation) methods to find the next target. On the other hand, it breaks existing functionality (bash completion), and make us derive from upstream default configuration (which is what people expect to find). I don't think it's worth it. If it goes on by default in OpenSSH, then we'll keep it. Or if our OpenSSH maintainers want it... but the security team won't pressure them to.
good thoughts, thanks
