OpenSSH 3.9 not hashing known_hosts

Colin Watson cjwatson at ubuntu.com
Fri May 20 17:58:57 UTC 2005


On Fri, May 20, 2005 at 10:19:10AM -0700, Lee Colleton wrote:
> I read in Bruce Schneier's excellent security bulletin about the
> potential for "Address Harvesting" from the known_hosts file.  There
> is a more detailed review of the problem along with some tools and
> recommendations posted at MIT.
> 
> OpenSSH 3.9 as packaged with Hoary does not allow hashing of the
> known_hosts file AFAIK.  OpenSSH 4.0 incorporates the capability but
> it is turned off by default.  Will the Ubuntu project support and
> document this change to SSH?  What's the plan?

I just need to find a bit of time to finish the packaging of OpenSSH
4.0. I'm inclined to turn on known_hosts hashing, but I'm made a little
cautious by upstream not enabling it by default yet, so I imagine I'll
experiment and see how well it works. Failing that, it seems likely to
me that the facility will be improved upstream and eventually made the
default anyway.

Cheers,

-- 
Colin Watson                                       [cjwatson at ubuntu.com]



