Comments on: SSH Known Hosts Fingerprints and Hostnames https://pthree.org/2010/12/04/ssh-known-hosts-fingerprints-and-hostnames/ Linux. GNU. Freedom. Sun, 13 May 2018 18:21:35 +0000

By: cdmiller https://pthree.org/2010/12/04/ssh-known-hosts-fingerprints-and-hostnames/#comment-116487 Wed, 07 Mar 2012 20:26:31 +0000 http://pthree.org/?p=1627#comment-116487 Thanks. I was looking for the fingerprint of my own machine, now I realize that I can get it with:
ssh-keygen -l -f .ssh/id_rsa.pub
By: Links 8/12/2010: Google Linux Announcement, Linux 2.6.37 RC5, PlayStation Phone to Use Linux | Techrights https://pthree.org/2010/12/04/ssh-known-hosts-fingerprints-and-hostnames/#comment-111548 Wed, 08 Dec 2010 13:18:28 +0000 http://pthree.org/?p=1627#comment-111548 [...] SSH Known Hosts Fingerprints and Hostnames [...]
By: Aaron https://pthree.org/2010/12/04/ssh-known-hosts-fingerprints-and-hostnames/#comment-111544 Mon, 06 Dec 2010 01:56:09 +0000 http://pthree.org/?p=1627#comment-111544 @Alex- "ssh-keygen -H" already renames the file. The point of removing it is so you don't leave anything behind that could be compromised.
By: Alex https://pthree.org/2010/12/04/ssh-known-hosts-fingerprints-and-hostnames/#comment-111543 Sun, 05 Dec 2010 21:44:43 +0000 http://pthree.org/?p=1627#comment-111543 Umm...I'm pretty sure that "ssh-keygen -H && rm ~/.ssh/known_hosts.old" (taken as a whole) will not have the effect of renaming known_hosts to known_hosts.old.
By: Sven https://pthree.org/2010/12/04/ssh-known-hosts-fingerprints-and-hostnames/#comment-111542 Sun, 05 Dec 2010 16:13:14 +0000 http://pthree.org/?p=1627#comment-111542 Hashing the hostnames in known_hosts has one drawback (at least for me): tab-completion of the hostname while using scp, sftp and ssh no longer works.
By: Aaron https://pthree.org/2010/12/04/ssh-known-hosts-fingerprints-and-hostnames/#comment-111541 Sun, 05 Dec 2010 15:10:59 +0000 http://pthree.org/?p=1627#comment-111541 @Kevin- Very good. Thank you!

@jimcooncat- I was trying to be nice about it, however Fedora-based operating systems should be hashing the hosts, rather than leaving them in plain text. Debian (and as a result Ubuntu) are doing the right thing here. Yes, you could have your home directory with permissions "drwx------" if you wanted, and I understand that thinking, especially on multiuser environments. I prefer the hashing mechanism, especially after learning "ssh-keygen -lf ~/.ssh/known_hosts -F hostname".
By: jimcooncat https://pthree.org/2010/12/04/ssh-known-hosts-fingerprints-and-hostnames/#comment-111540 Sun, 05 Dec 2010 10:20:43 +0000 http://pthree.org/?p=1627#comment-111540 "It didn’t take long for me to realize that your known_hosts file might be accessible to everyone on the system."
On my Ubuntu system, permissions for that file are -rw-r--r--

I don't believe that the ssh package has anything to do with this, but that Ubuntu (and other distros) make user home directories readable by other users.
http://wwww.ubuntuforums.org/showthread.php?t=1210175

So I'm guessing that because of this *stupid* default, the folks that write ssh decided it was best to hash known_hosts and make it harder to deal with?

It's simple to pick "encrypted home directories" when installing a system, why shouldn't it be simple to pick "private home directories", without encryption?

Just ranting to the world, Aaron. But I hope it sparks more discussion on this issue. Programs shouldn't have to be made harder to use because distros don't care about security.
By: Kevin https://pthree.org/2010/12/04/ssh-known-hosts-fingerprints-and-hostnames/#comment-111539 Sun, 05 Dec 2010 07:12:19 +0000 http://pthree.org/?p=1627#comment-111539 If you do

ssh-keygen -lf ~/.ssh/known_hosts -F hostname

it will only list the ones that match the hostname. This works even when the hostnames are hashed.
By: Tweets that mention Aaron Toponce : SSH Known Hosts Fingerprints and Hostnames -- Topsy.com https://pthree.org/2010/12/04/ssh-known-hosts-fingerprints-and-hostnames/#comment-111538 Sun, 05 Dec 2010 06:00:20 +0000 http://pthree.org/?p=1627#comment-111538 [...] This post was mentioned on Twitter by toorghezi, Ubuntu World Wide. Ubuntu World Wide said: #ubuntu #linux Aaron Toponce: SSH Known Hosts Fingerprints and Hostnames: i just came across this today, so I th... http://bit.ly/eBsPDJ [...]