[opensuse-factory] OpenSSH hostkey related changes
Hi,

Just a quick heads up from your security team... I did some adjustments to hostkey handling.

First, we now display a "visual" fingerprint of the hostkey. This is to have better visual cues on whether hosts known to you changed or not (there will still be an actual compare in the background and a big fat warning).

An example looks like:

RSA key fingerprint is a3:8e:5f:e9:5a:b9:cf:1a:07:2d:ca:75:52:b1:6d:b0.
+--[ RSA 1024]----+
| o |
| * |
| E o |
| o . |
| S o |
| . + O |
| + * . |
| o + = |
| ..+.+oo |
+-----------------+
Are you sure you want to continue connecting (yes/no)?

Secondly, we have switched the .ssh/known_hosts file to "hashed hostkeys". This means, the known_hosts file no longer lists the hosts or ip numbers in readable form, but in hashed form.

This change is to avoid that worms, if they ever infect your account, to use this file to find out "known hosts" to which to try to login next and so try to stop a worm infection of e.g. your servers.

Ciao, Marcus

--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-factory+help@opensuse.org

On 4/6/2010 at 09:29 PM, Marcus Meissner <meissner@suse.de> wrote:
> Secondly, we have switched the .ssh/known_hosts file to "hashed hostkeys". This means, the known_hosts file no longer lists the hosts or ip numbers in readable form, but in hashed form.

So how to delete only an entry, say if a machine's key has changed?

> This change is to avoid that worms, if they ever infect your account, to use this file to find out "known hosts" to which to try to login next and so try to stop a worm infection of e.g. your servers.

Thanks
Nikanth

Nikanth Karthikesan wrote:
> On 4/6/2010 at 09:29 PM, Marcus Meissner <meissner@suse.de> wrote:
> > Secondly, we have switched the .ssh/known_hosts file to "hashed hostkeys". This means, the known_hosts file no longer lists the hosts or ip numbers in readable form, but in hashed form.
>
> So how to delete only an entry, say if a machine's key has changed?

ssh prints the line number of the offending key if there's a mismatch

cu
Ludwig

--
(o_ Ludwig Nussel
//\
V_/_ http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)

From ssh-keygen:

-R hostname
    Removes all keys belonging to hostname from a known_hosts file. This option is useful to delete hashed hosts (see the -H option above).

Regards.

On Wed, Apr 7, 2010 at 5:03 AM, Nikanth Karthikesan <knikanth@novell.com> wrote:
> On 4/6/2010 at 09:29 PM, Marcus Meissner <meissner@suse.de> wrote:
> > Secondly, we have switched the .ssh/known_hosts file to "hashed hostkeys". This means, the known_hosts file no longer lists the hosts or ip numbers in readable form, but in hashed form.
>
> So how to delete only an entry, say if a machine's key has changed?
>
> > This change is to avoid that worms, if they ever infect your account, to use this file to find out "known hosts" to which to try to login next and so try to stop a worm infection of e.g. your servers.
>
> Thanks
> Nikanth

--
[ ]'s
Aledr - Alexandre
"OpenSource Solutions for SmallBusiness Problems"
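
How a hashed entry can still be found and removed when you already know the hostname, as an added example in Python (not code from this thread or from OpenSSH). It assumes the hashed host field layout `|1|salt|HMAC-SHA1(salt, hostname)` with both parts base64-encoded; the function names and sample lines are constructed for illustration, and wildcard or [host]:port patterns are not handled.

```python
import base64
import hashlib
import hmac
import os


def hash_host(host, salt=None):
    """Build a hashed host field: |1|b64(salt)|b64(HMAC-SHA1(key=salt, msg=host))."""
    salt = salt or os.urandom(20)
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())


def entry_matches(host_field, host):
    """True if one known_hosts host field (hashed or plain) names `host`."""
    if host_field.startswith("|1|"):
        try:
            _, _, salt_b64, mac_b64 = host_field.split("|")
            salt = base64.b64decode(salt_b64)
            want = base64.b64decode(mac_b64)
        except ValueError:  # malformed field: wrong part count or bad base64
            return False
        got = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(got, want)
    return host in host_field.split(",")  # plain entry: comma-separated names


def remove_host(lines, host):
    """Return (kept_lines, removed_line_numbers); numbers are 1-based."""
    kept, removed = [], []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if fields and not fields[0].startswith("#") and entry_matches(fields[0], host):
            removed.append(n)
        else:
            kept.append(line)
    return kept, removed


# Constructed sample: two hashed entries and one plain one; key blobs are placeholders.
SAMPLE = [
    hash_host("server1.example.org", b"A" * 20) + " ssh-rsa PLACEHOLDER_KEY_1",
    hash_host("192.0.2.10", b"B" * 20) + " ssh-rsa PLACEHOLDER_KEY_1",
    "build.example.org,192.0.2.20 ssh-rsa PLACEHOLDER_KEY_2",
]

if __name__ == "__main__":
    kept, removed = remove_host(SAMPLE, "192.0.2.10")
    print("removed line(s):", removed, "remaining entries:", len(kept))
```

The hash hides the names from anyone reading the file, but a name you can guess or already know can always be tested against each entry, which is what makes removal by hostname possible.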