On Tuesday 17 May 2005 07:44 am, Brian G. Peterson wrote:
> On Monday 16 May 2005 08:42 pm, Maurice Butler (Like Magic) wrote:
> > SSH HOLE PUTTING BIG BUSINESS AT RISK
> >
> > known_hosts file could tell a worm where to travel next
> >
> > http://s0.tx.co.nz/at/tep34i74214a4j37267s4c1682099t9f2n841263z
>
> As Mike so succinctly points out, it *is* a feature, and a very important
> one.
>
> *However*
> SSH version 4 and higher contain an option to hash the known_hosts
> database. Here's what the ssh config documentation has to say about this:
>
> HashKnownHosts
> Indicates that ssh should hash host names and addresses when
> they are added to $HOME/.ssh/known_hosts. These hashed names may be used
> normally by ssh and sshd, but they do not reveal identifying information
> should the file's contents be disclosed. The default is ``no''. Note that
> hashing of names and addresses will not be retrospectively applied to
> existing known hosts files, but these may be manually hashed using
> ssh-keygen(1).
>
> So, when you get a moment, I'd search Gentoo's bugzilla and put in a bug if
> one doesn't already exist suggesting that the default Gentoo configuration
> of openssh should hash the known hosts file.
I've done it for you: http://bugs.gentoo.org/show_bug.cgi?id=92913

Regards,

- Brian
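An added example, not part of this thread or of OpenSSH itself: it builds host fields in the form HashKnownHosts=yes produces (|1|base64 salt|base64 HMAC-SHA1 of the host name), shows that such an entry can still be matched against a host name, and audits a known_hosts file for entries left in the clear. The host names, the fixed salt and the key blobs are constructed placeholders.

```python
import base64
import hashlib
import hmac
import os

HASH_MAGIC = "|1|"  # marker OpenSSH puts in front of a hashed host field


def hash_host(hostname, salt=None):
    """Return the hashed host field for `hostname`: |1|<b64 salt>|<b64 HMAC-SHA1(salt, hostname)>."""
    if salt is None:
        salt = os.urandom(20)  # ssh-keygen -H draws a fresh 20-byte salt per line
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return f"{HASH_MAGIC}{base64.b64encode(salt).decode()}|{base64.b64encode(mac).decode()}"


def host_field_matches(field, hostname):
    """True when `field` (hashed, or clear and possibly 'a,b,c') names `hostname`."""
    if not field.startswith(HASH_MAGIC):
        return hostname in field.split(",")
    parts = field.split("|")  # ['', '1', salt_b64, mac_b64]
    if len(parts) != 4:
        return False
    salt, want = base64.b64decode(parts[2]), base64.b64decode(parts[3])
    got = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(got, want)


def audit(known_hosts_text, hostname):
    """Return (host fields stored in the clear, key entries that apply to `hostname`)."""
    clear, matches = [], []
    for line in known_hosts_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):  # drop an @cert-authority / @revoked marker
            line = line.split(None, 1)[1]
        field, rest = line.split(None, 1)
        if not field.startswith(HASH_MAGIC):
            clear.append(field)  # readable by anyone who gets the file
        if host_field_matches(field, hostname):
            matches.append(rest)
    return clear, matches


# Constructed sample file: one clear-text line, one line as HashKnownHosts=yes would store it.
FIXED_SALT = b"\x01" * 20  # fixed only so the sample is reproducible; real entries use random salt
SAMPLE_KNOWN_HOSTS = (
    "git.example.test,192.0.2.10 ssh-ed25519 AAAAC3placeholderKeyOne\n"
    f"{hash_host('build.example.test', FIXED_SALT)} ssh-ed25519 AAAAC3placeholderKeyTwo\n"
)
```

Running `audit(SAMPLE_KNOWN_HOSTS, "build.example.test")` reports the git entry as the only clear-text field while still finding the key for the hashed host, which is the "may be used normally by ssh" behaviour the quoted manual describes.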
