There is a cluster of machines on which I have an account, and which was
recently compromised. The machines have thousands of users and the only
access is via ssh.

Via some mechanism (probably a weak password) the attacker was able to
compromise a single account and use a local-root exploit to hijack lots
of ssh-agents and any non-password-protected keys. They next tried to
repeat the process for every machine in the 'known_hosts' file for each
compromised account.

Of course, all this was automated and they quickly built a nice spanning
tree of cracked machines. (Fortunately, I was paranoid enough to avoid
being hit, but many others weren't.)

I was thinking that it would be a useful option to store a hash of the
host/ip in known_hosts rather than the host/ip in plaintext, so that
there is not an immediate list of candidate machines to crack once an
account is compromised. In the case of possible key compromise, anything
that slows down the attack long enough for you to hear about it and
re-key is a good thing. Plus, as a privacy thing, one might not want a
list of the machines they connect to so obviously logged.

One might argue that this is security via obscurity, but a list of other
machines you connect to and probably use the same ssh key or password on
is real and very useful information to a cracker, and the idea is to
slow down an automated attack long enough to avoid logging into the
affected machine and re-key your other accounts before they find you.

It should be an option, since some people use their known_hosts as a
source of information for things like zsh completion, but for the
extra-paranoid or privacy conscious I think it would be a very practical
and simple change.

Please respond to both me and the list as I am not subscribed.
John
--
---------------------------------------------------------------------------
John Meacham - California Institute of Technology, Alum. - john at foo.net
---------------------------------------------------------------------------
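The following is an added example, not part of the post above, showing how the proposed hashed known_hosts would work in practice: each host name or address is replaced by a salted HMAC-SHA1 token of the form `|1|base64(salt)|base64(hmac)|` (the layout OpenSSH's HashKnownHosts option uses). The client can still verify a host by recomputing the HMAC over the name it is about to connect to, but someone reading the file gets no list of candidate machines. The hostnames and keys in the sample file are constructed for the example; `hash_known_hosts`, `lookup` and `exposed_hostnames` are helper names invented here.

```python
import base64
import hashlib
import hmac
import os
from typing import List, Optional

# Constructed sample known_hosts contents (hostnames and keys are made up).
PLAINTEXT_KNOWN_HOSTS = """\
alpha.example.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYALPHA
beta.example.org,10.0.0.7 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYBETA
"""


def hash_host(host: str, salt: Optional[bytes] = None) -> str:
    """Return a |1|salt|hash| token for a single host name or address.

    A fresh random salt per entry means two entries for the same host do
    not even hash to the same token, so the file leaks no structure."""
    if salt is None:
        salt = os.urandom(20)
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (
        base64.b64encode(salt).decode(),
        base64.b64encode(mac).decode(),
    )


def hash_known_hosts(text: str) -> str:
    """Rewrite every plaintext line of a known_hosts file into hashed form.

    A comma-separated 'host,ip' field becomes one line per name, each with
    its own salt. Comments, blank lines and already-hashed lines pass
    through unchanged."""
    out = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#") or line.startswith("|1|"):
            out.append(line)
            continue
        hosts, rest = line.split(None, 1)
        for h in hosts.split(","):
            out.append("%s %s" % (hash_host(h), rest))
    return "\n".join(out) + "\n"


def entry_matches(hostfield: str, host: str) -> bool:
    """True if the host field of one known_hosts line covers `host`.

    Hashed entries are checked by recomputing the HMAC with the stored
    salt; plaintext entries by a plain comma-list membership test."""
    if hostfield.startswith("|1|"):
        _, _, salt_b64, mac_b64 = hostfield.split("|")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(mac_b64)
        actual = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    return host in hostfield.split(",")


def lookup(text: str, host: str) -> List[str]:
    """Return the key portion of every line that matches `host`."""
    keys = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        hostfield, rest = line.split(None, 1)
        if entry_matches(hostfield, host):
            keys.append(rest)
    return keys


def exposed_hostnames(text: str) -> List[str]:
    """Audit helper: every host name or address readable in plaintext.

    This is exactly the candidate list the post describes an automated
    attack harvesting; for a fully hashed file it is empty."""
    found = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        hostfield = line.split(None, 1)[0]
        if not hostfield.startswith("|1|"):
            found.extend(hostfield.split(","))
    return found


if __name__ == "__main__":
    hashed = hash_known_hosts(PLAINTEXT_KNOWN_HOSTS)
    print(hashed)
    print("plaintext exposes:", exposed_hostnames(PLAINTEXT_KNOWN_HOSTS))
    print("hashed exposes:   ", exposed_hostnames(hashed))
    print("beta key via hashed file:", lookup(hashed, "beta.example.org"))
```

The trade-off the post mentions shows up directly: `lookup` still works because the client knows which name it is connecting to, but anything that wants to enumerate the file (shell completion, or an attacker with a stolen agent) has nothing to enumerate. Note that hashing does not replace protecting the keys themselves; it only removes the ready-made target list.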