OpenSSH 3.9 not hashing known_hosts
Colin Watson
cjwatson at ubuntu.com
Fri May 20 17:58:57 UTC 2005
On Fri, May 20, 2005 at 10:19:10AM -0700, Lee Colleton wrote:
> I read in Bruce Schneier's excellent security bulletin about the
> potential for "Address Harvesting" from the known_hosts file. There
> is a more detailed review of the problem along with some tools and
> recommendations posted at MIT.
>
> OpenSSH 3.9 as packaged with Hoary does not allow hashing of the
> known_hosts file AFAIK. OpenSSH 4.0 incorporates the capability but
> it is turned off by default. Will the Ubuntu project support and
> document this change to SSH? What's the plan?
I just need to find a bit of time to finish the packaging of OpenSSH
4.0. I'm inclined to turn on known_hosts hashing, but I'm made a little
cautious by upstream not enabling it by default yet, so I imagine I'll
experiment and see how well it works. Failing that, it seems likely to
me that the facility will be improved upstream and eventually made the
default anyway.
Cheers,
--
Colin Watson [cjwatson at ubuntu.com]