Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 92913 - default /etc/ssh/ssh_config should include option HashKnownHosts for known_hosts
Summary: default /etc/ssh/ssh_config should include option HashKnownHosts for known_hosts
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Daniel Ahlberg (RETIRED)
Depends on:
Reported: 2005-05-17 06:31 UTC by Brian G. Peterson
Modified: 2005-05-21 11:40 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Brian G. Peterson 2005-05-17 06:31:40 UTC
default /etc/ssh/ssh_config should include option HashKnownHosts for known_hosts

Many recent press reports have commented on the MIT study that analyzed the
vulnerability of networks to worms using ssh to navigate across a network.

The MIT paper is here:
And Bruce Schneier's commentary on the paper is here:

The solution to this vulnerability exists in the current version of OpenSSH, and
is controlled by the HashKnownHosts config option.  The man page for ssh_config
has this to say:

        Indicates that ssh should hash host names and addresses when they
        are added to $HOME/.ssh/known_hosts.  These hashed names may be
        used normally by ssh and sshd, but they do not reveal identifying
        information should the file's contents be disclosed.  The default
        is ``no''.  Note that hashing of names and addresses will not be
        retrospectively applied to existing known hosts files, but these
        may be manually hashed using ssh-keygen(1).

This option should be set to 'yes' in the default Gentoo configuration for


Reproducible: Always
Steps to Reproduce:
1. look at your known_hosts file
2. write worm to scan plain-text known_hosts files on a compromised machine
3. run rampant across a network
Comment 1 SpanKY gentoo-dev 2005-05-17 15:31:11 UTC
not a 'real' security issue
Comment 2 SpanKY gentoo-dev 2005-05-17 15:41:35 UTC
our default ssh_config doesnt turn on any options ... but we could easily change

any other settings to suggest defaults for ?
Comment 3 Brian G. Peterson 2005-05-17 15:49:00 UTC
The defaults are fine for me except for this hash setting.  

As the MIT paper and Bruce Schneier's article point out, using a Hash is a
simple effective security measure that should probably be on by default.

Hopefully someone with commit access can make and test this one-line change to
the /etc/ssh/ssh_config file.
Comment 4 solar (RETIRED) gentoo-dev 2005-05-19 08:20:19 UTC
This breaks bash-completion among other things that depend on the 
existing behavior. Turn on hashing and in due time the worms out there
will adapt including a their own hashing algorithms, looking at open 
sockets, .history files and many other tricks to obtain peers.
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2005-05-21 10:13:38 UTC
Turning the option on doesn't make you less vulnerable, it just make it a
/little/ more difficult for the worm to compute targets. So what ? They will
rely on dumber (brutescans) or smarter (bash_history, traffic analysis, delayed
propagation) methods to find the next target. On the other hand, it breaks
existing functionality (bash completion), and make us derive from upstream
default configuration (which is what people expect to find). I don't think it's
worth it.

If it goes on by default in OpenSSH, then we'll keep it. Or if our OpenSSH
maintainers want it... but the security team won't pressure them to.
Comment 6 SpanKY gentoo-dev 2005-05-21 11:40:44 UTC
good thoughts, thanks