Feature #14995

Hash ~/.ssh/known_hosts by default

Added by tailshark 2017-11-20 10:43:11. Updated 2018-01-09 20:52:21.

Status: Resolved
Priority: Normal
Assignee:
Category:
Target version:
Start date: 2017-11-20
Due date:
% Done: 100%
Feature Branch: bugfix/14995-hash-ssh-known-hosts
Type of work: Code
Blueprint:
Starter:
Affected tool:
Deliverable for:

Description

Hi!

I’ve been doing a lot of work over ssh and recently noticed the known_hosts file (which I back up to KeePass) uses the plain text IP entries with associated fingerprints. I do have a concern about a browser bug or creeping exploit (that sneaks around AppArmor somehow) lifting the file and exposing all my server IPs in one hit. Even a “hot laptop theft” could expose them all.

I hashed the file manually for storage with:

ssh-keygen -H -f ~/.ssh/known_hosts

And I’ve added a config file to the ~/.ssh folder as follows:

mkdir -p ~/.ssh
echo "HashKnownHosts yes" > ~/.ssh/config
chmod 400 ~/.ssh/config

Automatic hashing works as expected.

Should this be a default setting?

I don’t see any downside risks to it being a default.

Thanks for everything you guys do btw. I know things can be wrestlemania with practical implementation.



History

#1 Updated by mercedes508 2017-11-25 17:57:54

  • Assignee set to intrigeri

Letting some devs discuss it further, as I can’t judge the consequences as a simple help desk member :)

#2 Updated by intrigeri 2017-11-27 11:32:15

  • Description updated

#3 Updated by intrigeri 2017-11-27 11:37:45

  • Status changed from New to Confirmed
  • Target version set to Tails_3.5
  • Type of work changed from Discuss to Code

Debian enables HashKnownHosts by default via /etc/ssh/ssh_config… but we replace this file with our own, hence reverting to the default upstream setting that’s HashKnownHosts no. I’ll fix that.

The drawback of enabling HashKnownHosts is about usability: IIRC it breaks ssh <TAB> completion. Outside of Tails arguably it does not matter much as one can use their shell history instead… but in Tails we have no shell history. Anyway, the kind of users who rely on such things can very well add sections about the hosts they frequently connect to to ~/.ssh/config and then I think bash will get the completion right (at least zsh does).

#4 Updated by intrigeri 2017-11-29 08:41:12

  • Status changed from Confirmed to In Progress
  • % Done changed from 0 to 10
  • Feature Branch set to bugfix/14995-hash-ssh-known-hosts

#5 Updated by intrigeri 2017-11-29 09:56:33

  • Assignee changed from intrigeri to anonym
  • % Done changed from 10 to 50
  • QA Check set to Ready for QA

#6 Updated by anonym 2017-12-04 14:33:36

  • Status changed from In Progress to Fix committed
  • Assignee deleted (anonym)
  • % Done changed from 50 to 100
  • QA Check changed from Ready for QA to Pass

Good luck to all Tails users that now will have to learn the rather ssh-keygen -F! :)
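
How a hashed known_hosts host field is built and looked up, as an added example that is not part of the original ticket or of the Tails change: OpenSSH stores `|1|salt|HMAC-SHA1(salt, hostname)`, so a lookup needs the candidate name up front. The function names are hypothetical, and the sample hosts and key placeholders are constructed.

```python
import base64
import hashlib
import hmac
import os

HASH_MAGIC = "|1|"  # prefix OpenSSH gives a hashed host field


def hash_host(host, salt=None):
    """Build |1|b64(salt)|b64(HMAC-SHA1(key=salt, msg=host))."""
    salt = salt if salt is not None else os.urandom(20)  # fresh 20-byte salt per entry
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return HASH_MAGIC + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()


def host_matches(field, candidate):
    """True if the host field of a known_hosts line names `candidate`."""
    if not field.startswith(HASH_MAGIC):
        return candidate in field.split(",")  # plain entry; wildcard patterns not handled
    try:
        salt_b64, mac_b64 = field[len(HASH_MAGIC):].split("|")
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(mac_b64, validate=True)
    except ValueError:
        return False  # malformed hashed field
    actual = hmac.new(salt, candidate.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(actual, expected)


def find_host(known_hosts_text, candidate):
    """Return the lines that match `candidate`, the lookup ssh-keygen -F performs."""
    hits = []
    for line in known_hosts_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):  # skip @cert-authority / @revoked marker
            fields = fields[1:]
        if fields and host_matches(fields[0], candidate):
            hits.append(line)
    return hits


# Constructed sample: hosts are documentation names, key blobs are placeholders.
SAMPLE = "\n".join([
    hash_host("server.example.org") + " ssh-ed25519 PLACEHOLDER_KEY_1",
    hash_host("192.0.2.10") + " ssh-ed25519 PLACEHOLDER_KEY_2",
    "plain.example.net ssh-ed25519 PLACEHOLDER_KEY_3",
])
```

Because every entry has its own salt, the file cannot be listed back into host names, which is why completion from known_hosts stops working and a lookup has to start from a name the user already knows.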

#7 Updated by intrigeri 2018-01-04 18:26:38

  • Target version changed from Tails_3.5 to Tails_3.4

#8 Updated by anonym 2018-01-09 20:52:21

  • Status changed from Fix committed to Resolved