
Bug 92913

Summary: default /etc/ssh/ssh_config should include option HashKnownHosts for known_hosts
Product: Gentoo Linux
Reporter: Brian G. Peterson <brian>
Component: Current packages
Assignee: Daniel Ahlberg (RETIRED) <aliz>
Status: RESOLVED WONTFIX
Severity: normal
CC: christoph.gysin, security, vapier
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---

Description Brian G. Peterson 2005-05-17 06:31:40 UTC
default /etc/ssh/ssh_config should include option HashKnownHosts for known_hosts

Many recent press reports have commented on the MIT study that analyzed the
vulnerability of networks to worms using ssh to navigate across a network.

The MIT paper is here:
http://nms.csail.mit.edu/projects/ssh/sshworm.pdf
And Bruce Schneier's commentary on the paper is here:
http://www.schneier.com/blog/archives/2005/05/the_potential_f.html

The solution to this vulnerability exists in the current version of OpenSSH, and
is controlled by the HashKnownHosts config option.  The man page for ssh_config
has this to say:

     HashKnownHosts
        Indicates that ssh should hash host names and addresses when they
        are added to $HOME/.ssh/known_hosts.  These hashed names may be
        used normally by ssh and sshd, but they do not reveal identifying
        information should the file's contents be disclosed.  The default
        is ``no''.  Note that hashing of names and addresses will not be
        retrospectively applied to existing known hosts files, but these
        may be manually hashed using ssh-keygen(1).

This option should be set to 'yes' in the default Gentoo configuration for
/etc/ssh/ssh_config

HashKnownHosts=yes



Reproducible: Always
Steps to Reproduce:
1. look at your known_hosts file
2. write worm to scan plain-text known_hosts files on a compromised machine
3. run rampant across a network
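The hashing the man page excerpt describes, as an added example in Python that is not code from the bug report or from OpenSSH itself: it builds the `|1|<salt>|<hash>` tokens the way OpenSSH does (HMAC-SHA1 over the host name keyed with a random 20-byte salt, both base64-encoded), rewrites a file the way `ssh-keygen -H` does, shows that a hashed file still answers a "do I already know this host" lookup, and shows that it no longer yields a list of peers, which is both what the worm loses and why anything that enumerates host names from the file (shell completion, for instance) stops working. The sample known_hosts lines, host names and key blobs are constructed placeholders.

```python
# Added example (not from the bug report or from OpenSSH itself): how
# HashKnownHosts entries are formed and what a hashed file does and does not
# give away.  Sample hosts and keys below are constructed placeholders.
import base64
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Constructed sample known_hosts content; the key blobs are truncated
# placeholders, not real host keys.
PLAIN_KNOWN_HOSTS = """\
db01.example.internal,10.0.0.5 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOne
[bastion.example.internal]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABExampleKeyTwo
"""


def _split_line(line: str) -> Optional[Tuple[str, str]]:
    """Split a known_hosts line into (host field, rest of line).  Returns None
    for blank lines, comments and '@cert-authority'/'@revoked' marker lines,
    which this example passes through untouched."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#") or stripped.startswith("@"):
        return None
    hosts, rest = stripped.split(None, 1)
    return hosts, rest


def hash_host(host: str, salt: Optional[bytes] = None) -> str:
    """Build the '|1|<salt>|<hash>' token OpenSSH writes with HashKnownHosts yes:
    HMAC-SHA1 over the host string keyed with a random 20-byte salt, both
    base64-encoded.  A fresh salt per line means the same host hashes
    differently in every entry, so entries cannot even be correlated."""
    if salt is None:
        salt = os.urandom(20)
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(digest).decode())


def hash_known_hosts(text: str) -> str:
    """Rewrite a file the way 'ssh-keygen -H' does: each name or address in a
    comma-separated host field becomes its own hashed line; lines that are
    already hashed are kept as they are."""
    out = []
    for line in text.splitlines():
        parts = _split_line(line)
        if parts is None or parts[0].startswith("|1|"):
            out.append(line)
            continue
        hosts, rest = parts
        for host in hosts.split(","):
            out.append("%s %s" % (hash_host(host), rest))
    return "\n".join(out) + "\n"


def host_matches(hostfield: str, host: str) -> bool:
    """The check a connecting client does: for a hashed field, recompute the
    HMAC with the salt stored in the token and compare; for a plain field,
    compare names.  (Wildcard patterns like '*.example.internal' are not
    handled in this example.)"""
    if hostfield.startswith("|1|"):
        _, _, salt_b64, digest_b64 = hostfield.split("|")
        expected = base64.b64decode(digest_b64)
        actual = hmac.new(base64.b64decode(salt_b64), host.encode(),
                          hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    return host in hostfield.split(",")


def find_host(text: str, host: str) -> bool:
    """True if any entry in the file (hashed or plain) is for this host."""
    for line in text.splitlines():
        parts = _split_line(line)
        if parts is not None and host_matches(parts[0], host):
            return True
    return False


def extract_targets(text: str) -> List[str]:
    """What a worm scanning the file (or a shell-completion script) can read:
    every plain-text host name/address.  Hashed entries contribute nothing,
    because without guessing the name there is nothing to invert."""
    targets = []
    for line in text.splitlines():
        parts = _split_line(line)
        if parts is None or parts[0].startswith("|1|"):
            continue
        targets.extend(parts[0].split(","))
    return targets


if __name__ == "__main__":
    hashed = hash_known_hosts(PLAIN_KNOWN_HOSTS)
    print(hashed)
    print("plain targets: ", extract_targets(PLAIN_KNOWN_HOSTS))
    print("hashed targets:", extract_targets(hashed))
    print("known 10.0.0.5?", find_host(hashed, "10.0.0.5"))
```

The lookup side is the point worth noticing: hashing costs the client nothing, since it only ever asks whether a specific name is present, but it removes the enumeration that both the worm and host-name completion depend on. It does not protect a host name an attacker can already guess (a worm can still test `10.0.0.5` against every token), which is the limitation the later comments on this bug lean on.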
Comment 1 SpanKY gentoo-dev 2005-05-17 15:31:11 UTC
not a 'real' security issue
Comment 2 SpanKY gentoo-dev 2005-05-17 15:41:35 UTC
our default ssh_config doesn't turn on any options ... but we could easily change
that

any other settings to suggest defaults for ?
Comment 3 Brian G. Peterson 2005-05-17 15:49:00 UTC
The defaults are fine for me except for this hash setting.  

As the MIT paper and Bruce Schneier's article point out, using a Hash is a
simple effective security measure that should probably be on by default.

Hopefully someone with commit access can make and test this one-line change to
the /etc/ssh/ssh_config file.
Comment 4 solar (RETIRED) gentoo-dev 2005-05-19 08:20:19 UTC
This breaks bash-completion among other things that depend on the
existing behavior. Turn on hashing and in due time the worms out there
will adapt, including their own hashing algorithms, looking at open
sockets, .history files and many other tricks to obtain peers.
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2005-05-21 10:13:38 UTC
Turning the option on doesn't make you less vulnerable, it just makes it a
/little/ more difficult for the worm to compute targets. So what? They will
rely on dumber (brute scans) or smarter (bash_history, traffic analysis, delayed
propagation) methods to find the next target. On the other hand, it breaks
existing functionality (bash completion), and makes us deviate from the upstream
default configuration (which is what people expect to find). I don't think it's
worth it.

If it goes on by default in OpenSSH, then we'll keep it. Or if our OpenSSH
maintainers want it... but the security team won't pressure them to.
Comment 6 SpanKY gentoo-dev 2005-05-21 11:40:44 UTC
good thoughts, thanks