i just came across this today, so I thought I’d share. It’s been more than a month since my last post (which is really out of my element), so I’m definitely due. However, I make no promises about making more frequent posts in the future.
Today, someone came into the #unix channel on Freenode asking how they could extract the fingerprints out of the hosts in their ~/.ssh/known_hosts file. I didn’t know, so I dug through the man page for ssh-keygen, and found this:
-f filename Specifies the filename of the key file. -l Show fingerprint of specified public key file. Private RSA1 keys are also supported. For RSA and DSA keys ssh-keygen tries to find the matching public key file and prints its fingerprint. If combined with -v, an ASCII art representation of the key is supplied with the fingerprint.
So, I ran “ssh-keygen -lf ~/.ssh/known_hosts”, and this was the output (truncated to 13 out of 305 hosts):
2048 0e:2f:c4:3f:11:86:45:5d:4a:f8:a7:a6:c6:bb:04:f4 |1|qE2muY+C6GhzdVv20z6rGNbL6TY=|okzJFiBkpOMm2u33ygisBgO63bs= (RSA) 2048 0e:2f:c4:3f:11:86:45:5d:4a:f8:a7:a6:c6:bb:04:f4 |1|Pt2nF/mO8PWNVFT7fBgGxkCfFz8=|3mM7fAOVUvfB0tuEeO5bzwRdO20= (RSA) 2048 f3:2b:74:4f:c6:58:cc:ba:c0:d9:94:e9:9f:75:22:7a |1|UHlVwxTRMPhsWM2rg/sXCjzDWug=|ArerYuge2W4NoljJ5fvgzf1wmpg= (RSA) 2048 f3:2b:74:4f:c6:58:cc:ba:c0:d9:94:e9:9f:75:22:7a |1|j0L5rCKoIbyz13t+7Zsu57y4jLs=|fHcylAV+0zqMKs8MriIX8i5S8bM= (RSA) 2048 f3:2b:74:4f:c6:58:cc:ba:c0:d9:94:e9:9f:75:22:7a |1|3HP8wfop73R6VYXOAxMKwCnlU6Y=|05lCXAbLrac4XSocPhI4oJaa7J0= (RSA) 2048 f3:2b:74:4f:c6:58:cc:ba:c0:d9:94:e9:9f:75:22:7a |1|INI05isdfVGnWY4H47j/FFL7OPI=|4zFlfNYfFe+kYsqupGzOjhcyzFM= (RSA) 2048 f3:2b:74:4f:c6:58:cc:ba:c0:d9:94:e9:9f:75:22:7a |1|WTZzXsWERX2BEXHuvjgJPlUF+T0=|ohrpuqni56UYtV0kCvcVJLhf9ug= (RSA) 2048 f3:2b:74:4f:c6:58:cc:ba:c0:d9:94:e9:9f:75:22:7a |1|fwCYfyN1k/+Hf0Jnt8LuHhxNgG4=|B7PLeP2YbjuglkxCAt2fr+A7Z3s= (RSA) 2048 f3:2b:74:4f:c6:58:cc:ba:c0:d9:94:e9:9f:75:22:7a |1|KcZCPAkZgxvm0rE1drgzT4KhBnk=|AyFmNCZvvH7yaEtqgLRV8z7ahlQ= (RSA) 2048 f3:2b:74:4f:c6:58:cc:ba:c0:d9:94:e9:9f:75:22:7a |1|oyLpDFv8/DmOYh3M9qeIT+K4ChU=|v5+ejn7XzhbWR6Cjj7YUr1v1pTI= (RSA) 2048 e7:13:81:0a:e0:9f:95:d5:ed:d3:86:93:da:5f:4b:ca |1|CLxr/50w6rVc3LC7vO6bNRbfKIE=|FopfmJdGm3pcxxlV31tvF4MP6pU= (RSA) 2048 e7:13:81:0a:e0:9f:95:d5:ed:d3:86:93:da:5f:4b:ca |1|FUWVoBHcJdztemRCRN+lJB9/9JE=|ePT0hoPdZsaN7SLtJgyiNHa0V1I= (RSA) 2048 6c:00:05:12:94:7e:6a:3f:96:8b:78:9d:1f:89:3c:7a |1|eCK/la051b7TQVyJo8+LHu3iVpU=|a92e1TT8q7kykBaF5DZXNKieTXs= (RSA)
Cool, except how do I know which key belongs to which host? Well, apparantly Debian GNU/Linux (and likely Ubuntu) hashes the hostname and/or IP address before adding it to the known_hosts file. Of course, because it’s hashed, there isn’t an inverse function to get the hostname and/or IP address back, so you would have to remove those entries, and reconnect to your hosts if you wanted to see them.
Why are they hashed, I wondered? It didn’t take long for me to realize that your known_hosts file might be accessible to everyone on the system. Because they too could run “ssh-keygen -lf known_hosts”, they could see what hosts/IPs you’ve connected to, and use that against you. So, it makes sense to hash that information, if you really don’t need it.
I have 305 hosts in my personal known_host file, and I noticed a lot of IP addresses and hostnames in the file. Then I realized these all came from RHEL 5. So, why is Debian GNU/Linux hashing the hostname/IP, but RHEL is not? Check out your “/etc/ssh/ssh_config” file. On Debian, you will see the last four lines as something similar to:
SendEnv LANG LC_* HashKnownHosts yes GSSAPIAuthentication yes GSSAPIDelegateCredentials no
Notice the “HashKnowHosts yes” option? Yup, that’s your culprit. Check on RHEL and Fedora, it’s not even listed in the file. Of course, you can override this behavior by placing the configuration option in your “~/.ssh/config” file. Also, if you’re on a Fedora-based operating system, and you want to hash your hosts, you can make the change rather easy. According to the ssh-keygen man page:
−H Hash a known_hosts file. This replaces all hostnames and addresses with hashed representations within the specified file; the original content is moved to a file with a .old suffix. These hashes may be used normally by ssh and sshd, but they do not reveal identifying information should the file's contents be disclosed. This option will not modify existing hashed hostnames and is therefore safe to use on files that mix hashed and non-hashed names.
So, pull up your terminal, and type:
ssh-keygen -H && rm ~/.ssh/known_hosts.old
This will hash all the hosts as well as rename the known_hosts file to “known_hosts.old”. Of course, remove that file to prevent people from getting access to the hosts you connect to after making the change.
Hope this is helpful to someone somewhere.