Mailinglist Archive: opensuse-factory (533 mails)

[opensuse-factory] OpenSSH hostkey related changes
  • From: Marcus Meissner <meissner@xxxxxxx>
  • Date: Tue, 6 Apr 2010 17:59:39 +0200
  • Message-id: <20100406155939.GM9910@xxxxxxx>

Just a quick heads up from your security team...
I did some adjustments to hostkey handling.

First, we now display a "visual" fingerprint of the hostkey.
This is to have better visual cues on whether hosts known
to you changed or not (there will still be an actual compare
in the background and a big fat warning).

An example looks like:
RSA key fingerprint is a3:8e:5f:e9:5a:b9:cf:1a:07:2d:ca:75:52:b1:6d:b0.
+--[ RSA 1024]----+
| o |
| * |
| E o |
| o . |
| S o |
| . + O |
| + * . |
| o + = |
| ..+.+oo |
Are you sure you want to continue connecting (yes/no)?

Secondly, we have switched the .ssh/known_hosts file to "hashed hostkeys".
This means the known_hosts file no longer lists the hosts or IP numbers
in readable form, but in hashed form.
This change is to prevent worms, if they ever infect your account, from
using this file to find out "known hosts" to which to try to log in next,
and so to try to stop a worm infection of e.g. your servers.

Ciao, Marcus
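
The hashed known_hosts format described in the message above, as an added example that is not part of the original mail or of OpenSSH's code: each host field is stored as "|1|", a base64 salt, "|" and the base64 HMAC-SHA1 of the host name keyed with that salt, so a name can be checked against the file (as `ssh-keygen -F` does) but not read out of it. The host names, addresses and key text in the sample are constructed placeholders.

```python
import base64
import hashlib
import hmac
import os

HASH_MAGIC = "|1|"  # prefix OpenSSH puts in front of a hashed host field

def hash_host(host, salt=None):
    """Build the hashed host field for one host name or IP address."""
    salt = os.urandom(20) if salt is None else salt
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    b64 = lambda raw: base64.b64encode(raw).decode()
    return f"{HASH_MAGIC}{b64(salt)}|{b64(mac)}"

def host_matches(field, candidate):
    """True if the host field of a known_hosts line covers `candidate`."""
    if not field.startswith(HASH_MAGIC):
        # Unhashed field: comma-separated names (wildcard patterns not handled).
        return candidate in field.split(",")
    try:
        salt_b64, mac_b64 = field[len(HASH_MAGIC):].split("|")
        salt = base64.b64decode(salt_b64, validate=True)
        mac = base64.b64decode(mac_b64, validate=True)
    except ValueError:  # malformed entry: wrong field count or bad base64
        return False
    expected = hmac.new(salt, candidate.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(expected, mac)

def find_host(known_hosts_text, candidate):
    """Return the 1-based line numbers of entries recorded for `candidate`."""
    hits = []
    for number, line in enumerate(known_hosts_text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if host_matches(fields[0], candidate):
            hits.append(number)
    return hits

# Constructed sample file: names, addresses and key text are placeholders.
_KEY = "ssh-rsa AAAA-constructed-placeholder-key"
SAMPLE = "\n".join([
    "# constructed known_hosts sample",
    f"{hash_host('build.example.org', bytes(range(20)))} {_KEY}",
    f"{hash_host('192.0.2.10', bytes(range(20, 40)))} {_KEY}",
    f"legacy.example.org,192.0.2.20 {_KEY}",
])

if __name__ == "__main__":
    print(SAMPLE)
    print(find_host(SAMPLE, "build.example.org"))
```

Because the host name and the IP address are hashed as separate entries with separate salts, a lookup has to be tried for each name a host is known by.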