Feature #14995
Hash ~/.ssh/known_hosts by default
100%
Description
Hi!
I’ve been doing a lot of work over ssh and recently noticed the known_hosts file (which I back up to KeePass) uses the plain text IP entries with associated fingerprints. I do have a concern about a browser bug or creeping exploit (that sneaks around AppArmor somehow) lifting the file and exposing all my server IPs in one hit. Even a “hot laptop theft” could expose them all.
I hashed the file manually for storage with:
ssh-keygen -H -f ~/.ssh/known_hosts
And I’ve added a config file to the ~/.ssh folder as follows:
mkdir -p ~/.ssh
echo "HashKnownHosts yes" > ~/.ssh/config
chmod 400 ~/.ssh/config
Automatic hashing works as expected.
Should this be a default setting?
I don’t see any downside risks to it being a default.
Thanks for everything you guys do btw. I know things can be wrestlemania with practical implementation.
Subtasks
History
#1 Updated by mercedes508 2017-11-25 17:57:54
- Assignee set to intrigeri
Letting some devs discuss it further, as I can’t judge the consequences as a simple help desk member :)
#2 Updated by intrigeri 2017-11-27 11:32:15
- Description updated
#3 Updated by intrigeri 2017-11-27 11:37:45
- Status changed from New to Confirmed
- Target version set to Tails_3.5
- Type of work changed from Discuss to Code
Debian enables HashKnownHosts by default via /etc/ssh/ssh_config … but we replace this file with our own, hence reverting to the default upstream setting that’s HashKnownHosts no. I’ll fix that.

The drawback of enabling HashKnownHosts is about usability: IIRC it breaks ssh <TAB> completion. Outside of Tails arguably it does not matter much as one can use their shell history instead… but in Tails we have no shell history. Anyway, the kind of users who rely on such things can very well add sections about the hosts they frequently connect to to ~/.ssh/config and then I think bash will get the completion right (at least zsh does).
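Added worked example for this ticket (not code from the ticket, Tails or OpenSSH): it builds hashed host fields in the format OpenSSH writes when HashKnownHosts is on or ssh-keygen -H is run (|1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=hostname)), 20-byte random salt per line), looks a host up in such a file the way ssh-keygen -F does, and shows the caveat the description's threat model needs: a hashed IPv4 entry is recovered by simply trying every address in a range, since the salt only defeats precomputed tables, not enumeration. The sample known_hosts lines, the placeholder key string, the fixed salts and the 203.0.113.0/24 (TEST-NET-3) addresses are all constructed for the example.

```python
"""Added example (not code from Tails or OpenSSH): OpenSSH-style hashed
known_hosts fields, ssh-keygen -F style lookup, and an enumeration attack
on hashed IPv4 entries."""
import base64
import hashlib
import hmac
import ipaddress
import os
from typing import Dict, List, Optional, Tuple

HASH_MAGIC = "|1|"   # OpenSSH prefix marking a hashed host field
SALT_LEN = 20        # OpenSSH salts are one SHA-1 digest long


def hash_hostname(hostname: str, salt: Optional[bytes] = None) -> str:
    """Return OpenSSH's hashed form of one host field:
    |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=hostname)).
    OpenSSH draws a fresh random salt for every line; a fixed salt may be
    passed to get reproducible output (used by the constructed sample below)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be %d bytes" % SALT_LEN)
    digest = hmac.new(salt, hostname.encode("utf-8"), hashlib.sha1).digest()
    return "%s%s|%s" % (HASH_MAGIC,
                        base64.b64encode(salt).decode("ascii"),
                        base64.b64encode(digest).decode("ascii"))


def hostname_matches(host_field: str, hostname: str) -> bool:
    """True if `hostname` is the name hidden behind one hashed host field."""
    if not host_field.startswith(HASH_MAGIC):
        return False
    try:
        salt_b64, digest_b64 = host_field[len(HASH_MAGIC):].split("|", 1)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
    except ValueError:   # malformed field (binascii.Error is a ValueError)
        return False
    actual = hmac.new(salt, hostname.encode("utf-8"), hashlib.sha1).digest()
    return hmac.compare_digest(actual, expected)


def _entries(known_hosts: str) -> List[Tuple[str, str]]:
    """Yield (host_field, line) for every key line, skipping blank lines,
    comments and the optional @cert-authority / @revoked marker."""
    out = []
    for line in known_hosts.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].startswith("@"):
            parts = parts[1:]
        if parts:
            out.append((parts[0], line))
    return out


def find_host(known_hosts: str, hostname: str) -> List[str]:
    """Return the lines whose host field matches `hostname`, hashed or plain
    (what `ssh-keygen -F hostname -f known_hosts` shows). Plain fields are
    matched on exact comma-separated names only; patterns and [host]:port
    forms are out of scope for this example."""
    hits = []
    for field, line in _entries(known_hosts):
        if field.startswith(HASH_MAGIC):
            if hostname_matches(field, hostname):
                hits.append(line)
        elif hostname in field.split(","):
            hits.append(line)
    return hits


def recover_ipv4_hosts(known_hosts: str, network: str) -> Dict[str, str]:
    """The caveat: a per-line salt stops precomputed tables, but one guess
    costs one HMAC-SHA1 per line, so anyone who can enumerate the candidate
    set (all of IPv4 is 2**32 addresses) recovers hashed IP entries outright.
    Returns {hashed_field: address} for hashed entries found in `network`."""
    hashed = [f for f, _ in _entries(known_hosts) if f.startswith(HASH_MAGIC)]
    found = {}
    for addr in ipaddress.ip_network(network):
        text = str(addr)
        for field in hashed:
            if field not in found and hostname_matches(field, text):
                found[field] = text
    return found


# Constructed sample data: the key string is a placeholder, not a real key
# blob (only the host field matters here); salts are fixed for reproducible
# output; one entry is left unhashed as a file written before HashKnownHosts
# was enabled would have it. Addresses are RFC 5737 TEST-NET-3.
PLACEHOLDER_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDERNOTAREALKEY0000000"
SALT_A = bytes(range(20))
SALT_B = bytes(range(20, 40))
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample, not a real known_hosts",
    hash_hostname("203.0.113.7", SALT_A) + " " + PLACEHOLDER_KEY,
    hash_hostname("git.example.org", SALT_B) + " " + PLACEHOLDER_KEY,
    "bastion.example.org,203.0.113.9 " + PLACEHOLDER_KEY,
])

if __name__ == "__main__":
    print(find_host(SAMPLE_KNOWN_HOSTS, "203.0.113.7"))
    print(recover_ipv4_hosts(SAMPLE_KNOWN_HOSTS, "203.0.113.0/28"))
```

Running the block recovers 203.0.113.7 from its hashed line after sixteen guesses, while git.example.org stays hidden only because a hostname is not in the candidate set; against the description's threat model (a lifted file exposing server IPs), HashKnownHosts raises the attacker's cost from reading the file to scanning the address ranges they already suspect, which is worth having as a default but is not concealment.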
#4 Updated by intrigeri 2017-11-29 08:41:12
- Status changed from Confirmed to In Progress
- % Done changed from 0 to 10
- Feature Branch set to bugfix/14995-hash-ssh-known-hosts
#5 Updated by intrigeri 2017-11-29 09:56:33
- Assignee changed from intrigeri to anonym
- % Done changed from 10 to 50
- QA Check set to Ready for QA
#6 Updated by anonym 2017-12-04 14:33:36
- Status changed from In Progress to Fix committed
- Assignee deleted (anonym)
- % Done changed from 50 to 100
- QA Check changed from Ready for QA to Pass
Good luck to all Tails users that now will have to learn the rather ssh-keygen -F! :)
#7 Updated by intrigeri 2018-01-04 18:26:38
- Target version changed from Tails_3.5 to Tails_3.4
#8 Updated by anonym 2018-01-09 20:52:21
- Status changed from Fix committed to Resolved