Image of the glider from the Game of Life by John Conway
Skip to content
{ 2010 12 04 }

SSH Known Hosts Fingerprints and Hostnames

i just came across this today, so I thought I'd share. It's been more than a month since my last post (which is really out of my element), so I'm definitely due. However, I make no promises about making more frequent posts in the future.

Today, someone came into the #unix channel on Freenode asking how they could extract the fingerprints out of the hosts in their ~/.ssh/known_hosts file. I didn't know, so I dug through the man page for ssh-keygen, and found this:

     -f filename
             Specifies the filename of the key file.

     -l      Show fingerprint of specified public key file.  Private RSA1 keys
             are also supported.  For RSA and DSA keys ssh-keygen tries to find
             the matching public key file and prints its fingerprint.  If
             combined with -v, an ASCII art representation of the key is
             supplied with the fingerprint.

So, I ran "ssh-keygen -lf ~/.ssh/known_hosts", and this was the output (truncated to 13 out of 305 hosts):

2048 0e:2f:c4:3f:11:86:45:5d:4a:f8:a7:a6:c6:bb:04:f4 |1|qE2muY+C6GhzdVv20z6rGNbL6TY=|okzJFiBkpOMm2u33ygisBgO63bs= (RSA)
2048 0e:2f:c4:3f:11:86:45:5d:4a:f8:a7:a6:c6:bb:04:f4 |1|Pt2nF/mO8PWNVFT7fBgGxkCfFz8=|3mM7fAOVUvfB0tuEeO5bzwRdO20= (RSA)
2048 f3:2b:74:4f:c6:58:cc:ba:c0:d9:94:e9:9f:75:22:7a |1|UHlVwxTRMPhsWM2rg/sXCjzDWug=|ArerYuge2W4NoljJ5fvgzf1wmpg= (RSA)
2048 f3:2b:74:4f:c6:58:cc:ba:c0:d9:94:e9:9f:75:22:7a |1|j0L5rCKoIbyz13t+7Zsu57y4jLs=|fHcylAV+0zqMKs8MriIX8i5S8bM= (RSA)
2048 f3:2b:74:4f:c6:58:cc:ba:c0:d9:94:e9:9f:75:22:7a |1|3HP8wfop73R6VYXOAxMKwCnlU6Y=|05lCXAbLrac4XSocPhI4oJaa7J0= (RSA)
2048 f3:2b:74:4f:c6:58:cc:ba:c0:d9:94:e9:9f:75:22:7a |1|INI05isdfVGnWY4H47j/FFL7OPI=|4zFlfNYfFe+kYsqupGzOjhcyzFM= (RSA)
2048 f3:2b:74:4f:c6:58:cc:ba:c0:d9:94:e9:9f:75:22:7a |1|WTZzXsWERX2BEXHuvjgJPlUF+T0=|ohrpuqni56UYtV0kCvcVJLhf9ug= (RSA)
2048 f3:2b:74:4f:c6:58:cc:ba:c0:d9:94:e9:9f:75:22:7a |1|fwCYfyN1k/+Hf0Jnt8LuHhxNgG4=|B7PLeP2YbjuglkxCAt2fr+A7Z3s= (RSA)
2048 f3:2b:74:4f:c6:58:cc:ba:c0:d9:94:e9:9f:75:22:7a |1|KcZCPAkZgxvm0rE1drgzT4KhBnk=|AyFmNCZvvH7yaEtqgLRV8z7ahlQ= (RSA)
2048 f3:2b:74:4f:c6:58:cc:ba:c0:d9:94:e9:9f:75:22:7a |1|oyLpDFv8/DmOYh3M9qeIT+K4ChU=|v5+ejn7XzhbWR6Cjj7YUr1v1pTI= (RSA)
2048 e7:13:81:0a:e0:9f:95:d5:ed:d3:86:93:da:5f:4b:ca |1|CLxr/50w6rVc3LC7vO6bNRbfKIE=|FopfmJdGm3pcxxlV31tvF4MP6pU= (RSA)
2048 e7:13:81:0a:e0:9f:95:d5:ed:d3:86:93:da:5f:4b:ca |1|FUWVoBHcJdztemRCRN+lJB9/9JE=|ePT0hoPdZsaN7SLtJgyiNHa0V1I= (RSA)
2048 6c:00:05:12:94:7e:6a:3f:96:8b:78:9d:1f:89:3c:7a |1|eCK/la051b7TQVyJo8+LHu3iVpU=|a92e1TT8q7kykBaF5DZXNKieTXs= (RSA)

Cool, except how do I know which key belongs to which host? Well, apparantly Debian GNU/Linux (and likely Ubuntu) hashes the hostname and/or IP address before adding it to the known_hosts file. Of course, because it's hashed, there isn't an inverse function to get the hostname and/or IP address back, so you would have to remove those entries, and reconnect to your hosts if you wanted to see them.

Why are they hashed, I wondered? It didn't take long for me to realize that your known_hosts file might be accessible to everyone on the system. Because they too could run "ssh-keygen -lf known_hosts", they could see what hosts/IPs you've connected to, and use that against you. So, it makes sense to hash that information, if you really don't need it.

I have 305 hosts in my personal known_host file, and I noticed a lot of IP addresses and hostnames in the file. Then I realized these all came from RHEL 5. So, why is Debian GNU/Linux hashing the hostname/IP, but RHEL is not? Check out your "/etc/ssh/ssh_config" file. On Debian, you will see the last four lines as something similar to:

    SendEnv LANG LC_*
    HashKnownHosts yes
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no

Notice the "HashKnowHosts yes" option? Yup, that's your culprit. Check on RHEL and Fedora, it's not even listed in the file. Of course, you can override this behavior by placing the configuration option in your "~/.ssh/config" file. Also, if you're on a Fedora-based operating system, and you want to hash your hosts, you can make the change rather easy. According to the ssh-keygen man page:

     −H      Hash a known_hosts file.  This replaces all hostnames and
             addresses with hashed representations within the specified file;
             the original content is moved to a file with a .old suffix.  These
             hashes may be used normally by ssh and sshd, but they do not
             reveal identifying information should the file's contents be
             disclosed.  This option will not modify existing hashed hostnames
             and is therefore safe to use on files that mix hashed and
             non-hashed names.

So, pull up your terminal, and type:

ssh-keygen -H && rm ~/.ssh/known_hosts.old

This will hash all the hosts as well as rename the known_hosts file to "known_hosts.old". Of course, remove that file to prevent people from getting access to the hosts you connect to after making the change.

Hope this is helpful to someone somewhere.

Posted by Aaron Toponce on Saturday, December 4, 2010, at 10:15 pm. Filed under Security. Follow any responses to this post with its comments RSS feed. You can post a comment or trackback from your blog. For IM, Email or Microblogs, here is the Shortlink.

{ 7 } Comments