bugzilla-daemon at mindrot.org
2024-Jun-24 10:40 UTC
[Bug 3703] New: HashKnownHost deprecation
https://bugzilla.mindrot.org/show_bug.cgi?id=3703 Bug ID: 3703 Summary: HashKnownHost deprecation Product: Portable OpenSSH Version: 9.4p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: ssh Assignee: unassigned-bugs at mindrot.org Reporter: dbelyavs at redhat.com Probable HashKnownHost deprecation was discussed in https://lists.mindrot.org/pipermail/openssh-unix-dev/2022-January/039871.html Damien proposed the following road map back then: ======I'd prefer to remove hostname hashing. It's a pointless obscurity measure, and the most it can ever offer is protection against casual shoulder-surfing disclosure[*] I wish I never added it. I consider it the most stupid thing I've ever done to OpenSSH :( As far as what a concrete migration plan would look like, maybe something like: 1) Add an ObscureKnownHostnames option that, instead of hashing, simply base64-encodes the hostnames. This provides the same level of protection as the current option. Recommend this instead of HashKnownHosts in the manual. 2) (later) Add a deprecation warning to HashKnownHosts 3) (later still) Remove the HashKnownHosts option (or make it an alias to ObscureKnownHostnames) 4) (later again) Warn when known_hosts contains a hashed hostname 5) (finally) rip out the hostname hashing code entirely. -d -- You are receiving this mail because: You are watching the assignee of the bug.
Possibly Parallel Threads
- [Bug 1727] New: document that HashKnownHosts may break tab-completion
- HashKnownHosts vs @cert-authority
- [Bug 3632] New: ssh should suppress output in stout and stdout when calling third party binaries
- UpdateHostkeys now enabled by default
- hashing Hosts in ssh_config file