Thomas Bächler wrote:
I didn't find out about this change until much later - and it pissed me
off. For no apparent reason, we changed the default configuration of
openssh at one point and now I have an obfuscated known_hosts file.
I agree - it would have been better for there to have been a bit more
noise made about this change. If it was reported anywhere I must have
missed it.
I
don't see any security impact in having the hosts unhashed.
Apparently there was a paper published by MIT researchers a couple of
years back that described how an attacker could use the SSH known_hosts
file to propagate a worm:
http://lwn.net/Articles/135506/
In theory it makes sense, but I'm wondering how feasible a threat it is
in practice.
DR
