Comments on: SSH Known Hosts Fingerprints and Hostnames

By: cdmiller

cdmiller — Wed, 07 Mar 2012 20:26:31 +0000

Thanks. I was looking for the fingerprint of my own machine, now I realize that I can get it with:
ssh-keygen -l -f .ssh/id_rsa.pub

By: Links 8/12/2010: Google Linux Announcement, Linux 2.6.37 RC5, PlayStation Phone to Use Linux | Techrights

Wed, 08 Dec 2010 13:18:28 +0000

[...] SSH Known Hosts Fingerprints and Hostnames [...]

By: Aaron

Aaron — Mon, 06 Dec 2010 01:56:09 +0000

@Alex- “ssh-keygen -H’ already renames the file. The point of removing it, is so you don’t leave anything behind that could compromised.

By: Alex

Alex — Sun, 05 Dec 2010 21:44:43 +0000

Umm…I’m pretty sure that “ssh-keygen -H && rm ~/.ssh/known_hosts.old” (taken as a whole) will not have the effect of renaming known_hosts to known_hosts.old.

By: Sven

Sven — Sun, 05 Dec 2010 16:13:14 +0000

Hashing the hostnames in known_hosts has one drawback (at least for me): tab-completion the hostname while using scp, sftp and ssh does no longer work.

By: Aaron

Aaron — Sun, 05 Dec 2010 15:10:59 +0000

@Kevin- Very good. Thank you!

@jimcooncat- I was trying to be nice about it, however Fedora-based operating systems should be hashing the hosts, rather than leaving them in plain text. Debian (and as a result Ubuntu) are doing the right thing here. Yes, you could have your home directory with permissions “drwx——” if you wanted, and I understand that thinking, especially on multiuser environments. I prefer the hashing mechanism, especially after learning “ssh-keygen -lf ~/.ssh/known_hosts -F hostname”.

By: jimcooncat

jimcooncat — Sun, 05 Dec 2010 10:20:43 +0000

“It didn’t take long for me to realize that your known_hosts file might be accessible to everyone on the system.”
On my Ubuntu system, permissions for that file are -rw-r–r–

I don’t believe that the ssh package has anything to do with this, but that Ubuntu (and other distros) makes user home directories readable by other users.
http://wwww.ubuntuforums.org/showthread.php?t=1210175

So I’m guessing that because of this *stupid* default, the folks that write ssh decided it was best to hash known_hosts and make it harder to deal with?

It’s simple to pick “encrypted home directories” when installing a system, why shouldn’t it be simple to pick “private home directories”, without encryption?

Just ranting to the world, Aaron. But I hope it sparks more discussion on this issue. Programs shouldn’t have to be made harder to use because distros don’t care about security.

By: Kevin

Kevin — Sun, 05 Dec 2010 07:12:19 +0000

if you do

ssh-keygen -lf ~/.ssh/known_hosts -F hostname

it will only list ones that match the hostname. This work even when the hostnames are hashed.

By: Tweets that mention Aaron Toponce : SSH Known Hosts Fingerprints and Hostnames -- Topsy.com

Sun, 05 Dec 2010 06:00:20 +0000

[...] This post was mentioned on Twitter by toorghezi, Ubuntu World Wide. Ubuntu World Wide said: #ubuntu #linux Aaron Toponce: SSH Known Hosts Fingerprints and Hostnames: i just came across this today, so I th… http://bit.ly/eBsPDJ [...]