[nycbug-talk] Analyzing malicious SSH login attempts

Ray Lai nycbug at cyth.net
Thu Sep 14 15:43:24 EDT 2006


On Thu, Sep 14, 2006 at 07:48:41AM -0400, George Georgalis wrote:
> On Wed, Sep 13, 2006 at 10:37:17AM -0400, Okan Demirmen wrote:
> >On Tue 2006.09.12 at 13:24 -0400, George Georgalis wrote:
> >> There was some resolution (at openbsd I think) to encrypt
> >> the known_hosts entries with the remote host public key;
> >> so if your authentication was compromised, at least there
> >> wouldn't be a list of hosts for the attacker to look up.
> >> But I've not seen it in my OS yet.
> >
> >man ssh_config - see HashKnownHosts
> 
> nice, looks like it is in my upgrade path.
> 
> has there been any discussion of hashing .ssh/config?
> maybe requiring a private key and passphrase/agent?

Hashing the known_hosts file allows you to keep your list of accessible
hosts hidden, but still accessible if you already know the hostname.
This prevents ssh worms from connecting to your machine, grabbing the
list of hosts that you have connected to, and connecting to those hosts
using any passphrase-less keys you have set up.

I don't see the point of hashing your config, unless you really mean
encrypting your config, to which I respond: don't specify any hosts in
your config!

-Ray-
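As an added illustration (my own code, not part of the thread), this reproduces the `|1|salt|hash` format that HashKnownHosts writes (HMAC-SHA1 of the hostname keyed by a random 20-byte salt, both base64-encoded) and shows why a lookup still works when you know the hostname but the file itself names no hosts. The salt, hostnames and key are constructed sample values, not real host keys.

```python
import base64
import hashlib
import hmac
import os

# Hashed known_hosts entry: "|1|<b64 salt>|<b64 HMAC-SHA1(key=salt, msg=hostname)> <keytype> <key>"
HASH_MAGIC = "|1|"
SALT_LEN = 20  # OpenSSH uses a random salt of SHA-1 digest length


def hash_hostname(hostname: str, salt: bytes) -> str:
    """Return the '|1|salt|hash' token OpenSSH would write for hostname under salt."""
    mac = hmac.new(salt, hostname.encode("utf-8"), hashlib.sha1).digest()
    return HASH_MAGIC + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()


def hashed_entry(hostname: str, keytype: str, pubkey_b64: str, salt: bytes = None) -> str:
    """Build one hashed known_hosts line; a fresh random salt per line keeps entries unlinkable."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    return f"{hash_hostname(hostname, salt)} {keytype} {pubkey_b64}"


def entry_matches(entry: str, hostname: str) -> bool:
    """True if this line is for hostname. You must already know the name; the file won't tell you."""
    token = entry.split(None, 1)[0]
    if not token.startswith(HASH_MAGIC):
        return hostname in token.split(",")  # plain entry: literal comparison
    _, _, salt_b64, _ = token.split("|")
    salt = base64.b64decode(salt_b64)
    # Recompute under the stored salt and compare in constant time.
    return hmac.compare_digest(hash_hostname(hostname, salt), token)


def find_host(lines, hostname: str):
    """Return the known_hosts lines belonging to hostname (what ssh-keygen -F does)."""
    return [ln for ln in lines if ln.strip() and not ln.startswith("#") and entry_matches(ln, hostname)]


# Constructed sample data: fixed salts and a placeholder key so the output is reproducible.
SAMPLE_SALT = bytes(range(SALT_LEN))
SAMPLE_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYDATA00000000000000000="
SAMPLE_KNOWN_HOSTS = [
    hashed_entry("shell.example.org", "ssh-ed25519", SAMPLE_KEY, SAMPLE_SALT),
    hashed_entry("10.0.0.5", "ssh-ed25519", SAMPLE_KEY, bytes(SALT_LEN)),
]

if __name__ == "__main__":
    print("\n".join(SAMPLE_KNOWN_HOSTS))  # no hostnames visible in the file
    print(find_host(SAMPLE_KNOWN_HOSTS, "shell.example.org"))  # but a known name still resolves
```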
